The respective Management Board of a company is responsible for living up to data protection
requirements. At A1 Austria, the Data Privacy unit and in the other A1 companies the Data Protection
Officer assist the management hand in hand with the Legal department.

A Data Protection Officer has duties in accordance with national legislation, including but not limited to notifying and advising the management and employees with regard to their duties under data protection provisions and monitoring their compliance.

The A1 Group via its subsidiaries demonstrates continuous efforts to promote and follow the best data privacy practices. A1 companies are subject to privacy risk assessments or audits on the companies’ technologies and practices affecting user data, such as ISO audits, internal data protection controls in accordance with local regulations, etc., and thus conduct such controls and audits on a regular basis.

In the Code of Conduct, w hich applies to the entire A1 Group, data protection and information security are a key principle for the actions of employees. The protection of privacy, and thus respecting the human rights of customers, employees, shareholders, suppliers and sales partners, is a guiding principle anchored in the Code of Conduct of the A1 Group.

The Group’s contractual partners are required to comply with the principles governed by the Code of Conduct of the A1 Group and to respect human rights and data protection. The Code of Conduct is an integral component of the relationship with contractual partners and is further enhanced with respective agreements regulating data protection areas.

Regular assessments are performed to ensure the best possible protection of rights and liberties as well as respect for human rights. This applies in connection with whistleblowing, for example, thereby ensuring the confidentiality of information and any personal data while also avoiding any negative consequences for the informant.

The A1 Group has adopted a Group Data Governance Policy, which is approved by the Management Board of the Group. It is the combined result of requirements and interpretations regarding the successful EU-wide implementation of the GDPR, as well as various other regulations related to data protection.

The Group Data Governance Policy is binding with regard to the processing of personal data for all A1 companies. This document provides for the harmonization of the obligations binding for A1 companies. The Group Data Governance Policy provides A1 Group with a self-regulatory tool. When A1 companies act as either data controllers or data processors, it serves as proof of compliance. This applies in particular to the identification of risks associated with the processing, the assessment of the cause, nature, likelihood and severity of the risks. Corresponding measures are to be reviewed regularly and updated based on new information.

The proper adoption by A1 Group companies of the contents and best practices set out in the Group Data Governance Policy (and in the accompanying manual) supports the fulfillment of the implementation requirements and demonstrates compliance with the GDPR.

In addition, in accordance with the objectives of the Group Data Governance Policy (awareness, individual responsibility, structure and minimizing risks), the A1 Group implements corresponding changes to the Group Data Privacy Governance Manual in a good faith effort to reflect the respective regulations.

All data subjects (including employees, customers, etc.) are duly notified, via the privacy notice of each A1 Group company published on their web site, regarding the details about the processing of their personal data and the possibility of addressing any data privacy questions, concerns or requests concerning the assertion of the respective data subject’s rights to the respective company.

Each A1 Group company has implemented data protection policies that regulate the processing of personal data in accordance with the law and the technical and organizational measures for protection of personal data.

Furthermore, taking into consideration local regulatory obligations, A1 companies are obliged to impose such technical and organizational measures on third parties (contractors) that process personal data (acting as data processors) by executing Data Processing Agreements. This ensures that third parties that process personal data on behalf of A1 Group companies pursuant to the given instructions follow the stringent technical, organizational and contractual safeguards for the protection of the personal data.