DNFP 2019

2019 DECLARATION OF NON-FINANCIAL PERFORMANCE OF THE DESCOURS & CABAUD GROUP 29 THE GENERAL DATA PROTECTION REGULATION (GDPR): The entry into force of the General Data Protection Regulation requires the implementation of organisational, technical and procedural resources, to ensure compliance and ongoing compliance, for companies. > Risk factors and their consequences: The risks in the event of non-compliance are primarily financial, as non-observance can be punishable by administrative and financial penalties of up to 20 million euros or 4% of the Group's turnover. Beyond this, the impact on the Group's image is liable to lead to a loss of confidence detrimental to the company's business. > The means of control: The Executive Board has a long-term commitment vis-à-vis the European Regulation. The DPO, notified to the CNIL (French Data Protection Authority), is responsible for overseeing the compliance and ongoing compliance programme at European level. The DPO is the guarantor of compliance with the GDPR for any new project. The focus of attention relates mainly, but not only, to: • providing information to people regarding data processing (including websites and cookies management) • the management of requests relating to individuals’ rights • personal data protection • the management of data processing records > Key performance indicators: Our aim is to handle all requests relating to individuals’ rights within the time limits. Any deviation from the 100% target is a source of improvement in the process for handling requests. As part of its external growth policy, one of the challenges for the company is to ensure that newly acquired European subsidiaries comply with the GDPR. This requires particular due diligence when they are integrated. Our aim is 100% compliance of all our European subsidiaries. % of requests to exercise rights handled within the time limits % of compliance of European subsidiaries 98% 96% Target: 100% Target: 100%