SOMFY - Annual Financial Report 2020
03 NON-FINANCIAL STATEMENT
3. Initiatives
Following an audit carried out in 2018, the Group has a Data Protection Officer (DPO) responsible for monitoring data protection and the roll-out of the roadmap. Key projects covered the management of the rights of individuals in relation to GDPR, the management and notification of personal data breaches, the development of data flow mapping, the completion of processing registers within European Union (EU) entities, data governance within the Group, and training employees and raising their awareness. To support and optimise this compliance upgrade, a network of GDPR officers – Privacy Champions – was set up and an overall committee, the GDPR Steering Committee, meets each month. Somfy’s European employees (excluding production) completed mandatory e-learning training (“GDPR Assignment”). This training is also obligatory for all new arrivals at Somfy and is accessible to all. The procedure for managing GDPR incidents introduced in the ASK solution, to trace and manage GDPR incidents as soon as they are reported, is currently being revised so that it can be integrated into the overall IT incident management system. The DPO team, attached to the Legal Department and currently made up of the DPO and a Privacy project coordinator, is involved in monitoring and providing day-to-day support to the business functions to ensure projects developed within the Group are compliant: new cookie banner following recommendations by the European supervisory authorities in 2020, integration of privacy by design into impacted projects, inventories and review of data protection contracts following the invalidation of the Privacy Shield (Schrems II judgement of the European Court of Justice), completion of impact analyses, occasional support of non-EU BU on data protection issues such as the revision of the privacy policy in the United States following the entry into force of the CCPA.
Lastly, specific measures, such as organisational or technical audits, as well as penetration tests, are implemented regularly by independent and accredited third parties on different scopes of the information system (infrastructure, applications, hardware) to identify potential vulnerabilities within them and to set out the related remedial actions.
4. Results and KPIs
E-learning awareness training regarding the protection of personal data was launched in early 2019, with the aim of gradually rolling it out across the entire target population (employees of the Group’s European entities (excluding manual workers and temporary staff)) up to the end of 2020. In 2020, 395 out of 485 targeted employees successfully completed the “GDPR Assignment” training (100% of the training course with a minimum of 80% correct answers in the quiz), representing a training rate of 81%. Between 2019 and 2020, in total 3,210 employees completed the training, with a success rate of 84.50%. Lastly, two other e-learning modules related to information security were rolled out in 2020:
– Multi-Factor Authentication: 2,442 people completed the module, representing almost 49% of the people registered (all people in the Group with a computer);
– Security Essentials for Executives: 46 people completed the module, representing 82% of the people registered (scope: Executive Committee and L-1).
In 2021, following the arrival of a new CISO, several measures will be implemented in order to further improve awareness around the issue of IT security, with in particular the roll-out of a comprehensive 360° programme, User Awareness and Training, in collaboration with the Communications and Human Resources Departments.
III. RESPONSIBLE PURCHASING AND SUPPLY CHAIN TRANSPARENCY
1. Description of the risk
The performance of the extended Supply Chain is one of Somfy’s strengths and forms an integral part of the Group’s value proposition. In this regard, its smooth operation and transparency are essential. The downstream part, towards the customer, is mainly organised by the company itself in order to best serve the multi-channel approach. The upstream part is heavily subcontracted given that the Group’s industrial activity exclusively involves assembly operations. The components of its products are all purchased. Relationships with suppliers and subcontracting are therefore important for Somfy. It is its practice to ensure the entire value chain is involved in its commitment to corporate social responsibility. In fact, specific attention is paid by upstream partners to the consideration of Somfy’s requirements and is the subject of explicit commitments and regular performance reviews.
2. Policies
This policy is reflected in the new contractual framework with a view to deploying the Group’s CSR commitments in the upstream supply chain and as soon as new partners are added: human rights, employment, the environment, fair practices and combating corruption, conflict minerals and hazardous substances.
3. Initiatives
In order to fulfil its commitments, Somfy oversees a supplier-related risk management approach through mapping that classifies risks from 1-low risk to 4-high risk. To support this approach, a Responsible Purchasing coordination function has been created to structure and consolidate the initiatives. Furthermore, in France, Somfy is a member of the organisation Thésame, where it jointly finances a programme called PEAK which develops collaborative and innovative approaches in relation to the procurement function within a sector. Somfy has jointly financed three dissertations on the subject.
4. Results and KPIs
The indicators monitored by Somfy regarding relationships with subcontracting and suppliers are:
– the percentage of purchases made locally, meaning within 500 km of the assembly site. In 2020, 40% of purchases fulfilled this criterion, a stable figure in relation to 2019 within an uncertain health and economic environment, limiting opportunities for the development of new partners. This indicator is calculated for seven production and distribution