Sustainability Report - FY 2023

Social and societal information Data protection

7.9.3 Data protection

The Group collects and processes personal data for two main purposes:

• on the one hand, as an employer, to comply with its legal obligations and to implement skills development policies (see section 7.5 of this Universal Registration Document);
• on the other hand, in the context of its activities, for the marketing of its products and services.

As such, the Group is subject to international regulations such as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the General Data Protection Regulation (GDPR), as well as the local legislation applicable in the countries in which it operates, including the Data Protection Act 2018 for Great Britain (non-exhaustive list).

In order to respect the right to the protection of personal data and privacy, the Group has set up an organisation reporting to the Group General Counsel & Group Compliance Officer, composed of:

• the Group Data Protection Officer, in charge of advising and supporting the Company in order to ensure the compliance of processing, and to disseminate the culture and rules relating to the protection of personal data to all employees;
• the team of Legal Counsel, in charge of ensuring that the applicable legislation on the protection of personal data is properly taken into account in contracts; and
• a specialised consulting firm, providing support on various subjects and in particular on the consideration of local regulations outside Europe.

The objectives of this organisation are to:

• establish policies and procedures relating to the protection of personal data;
• provide operational staff with analysis and decision-making tools, as well as standard contractual clauses;
• ensure the presence and compliance of clauses relating to the confidentiality of personal data in contracts, whether with suppliers, customers or service providers of the Group;
• ensure the minimisation of the data collected and the principle of “Privacy by Design” from the design stage of a system involving the processing of personal data;
• respond to requests from any person wishing to exercise their rights of access, rectification, opposition, or deletion of data, whether an employee or a third party;
• design and deliver the employee awareness programme; and
• ensure regulatory monitoring.

At the end of 2023, the Group published its Data Classification Policy to define the structure that can be used to categorise and classify data from information assets within Exclusive Networks. The objective of this policy is to assist data holders, business holders, IT custodians, contractors and third parties in the analysis of information assets in order to identify the level of security necessary to protect the data within the Group’s information system, for which it is responsible.

During 2023, the Group organised a Cyber Security Awareness Month during which employees were offered mandatory training on the protection of personal data (see above). All Group employees will be asked in 2024 to comply with and sign the classification policy to ensure a clear understanding of their role and responsibility in terms of data protection. In addition to the Group’s risk management procedure, this policy brings it closer to its objective of completing its ISMS in the first quarter of 2024.

New Device Management Strategy

Mobile devices, such as mobile phones, tablets and computers, have become an integral part of the means of accessing information. To contribute to the security of the Group’s information and data, a strategy has been developed and specific security controls have been established.

The New Device Management Strategy is intended to establish a framework for the secure management of personal, semi-managed or fully managed devices within the Group. Its goal is to harmonise information security, compliance, and management control across all end-user devices to ensure a positive, secure, and seamless experience.

With this new approach, the Group significantly reduces the risk of data breaches, malware intrusions and the spread of malware.

Exclusive Networks SA
