04.1 Cybersecurity 01 Introduction and strategy 02 Measuring and managing sustainability 03 Climate change related disclosure 04 Strengthening our foundation 05 Our universal principles Our 2022 focus was on further automating data privacy within our organization, enhancing the Privacy Monitoring and Assurance Program (PMAP) and continuing to embed privacy through our network of the privacy champions. Key actions in 2022 included: • Annual reviews implemented to ensure Record of Processing Activities (RoPA) and Privacy Impact Assessments (PIAs) are accurate and kept up-to-date. • To increase the automation and efficiency of processes, 90 percent of operating entities are now onboarded to the privacy management platform and we increased the number of privacy reviews by 14 percent compared with 2021. • More than 2,000 privacy champions have been appointed across Allianz as the first line of defense. Privacy Champions act as the communications channel between the business functions and data privacy and support the business function with privacy related topics and data protection compliance. They undergo regular training and have a deep understanding of their functional area and use of personal data by their function. Strengthening our global privacy framework The Allianz Privacy Standard (APS) is our global standard for data privacy and the foundation of our the Allianz Privacy Framework. The APS is the highest policy document in the Allianz Privacy Framework. It defines rules and principles for collecting and processing personal data. The standard sets out ten privacy principles that all employees must respect wherever they are in the world: 1. Due care. 2. Data quality (purpose limitation, data minimization and storage limitation). 3. Lawful basis (personal data is only processed if we have a lawful basis to do so). 4. Transparency and openness towards employees and customers on where personal data is stored and used. 5. Relationships with data processors (ensure organizations that process personal data on our behalf adhere to our privacy requirements). 6. Personal data is adequately protected when it is transferred. 7. Security and confidentiality (appropriate technical and organizational security safeguards are in place to protect personal data). 8. Personal data breaches are reported in a timely manner. 9. Privacy by design and default. 10. Cooperation with data protection authorities. In addition to the APS, our data protection authority has approved our Binding Corporate Rules (BCRs). These BCRs allow Allianz Group companies to lawfully transfer personal data from within the European Economic Area to other jurisdictions, where it is required for business purposes. We also publish a privacy notice which explains who we are, how we collect, share and use personal data, and how individuals can exercise their privacy rights. Our group-wide privacy program continues to mature as we aim to provide services digitally through our Digital by Default approach. The program includes embedding robust privacy controls – such as PIAs and data ethics assessments – monitoring activities by creating a privacy-focused culture and the Allianz Digital Privacy Guidelines. This builds on the Allianz Privacy Framework which provides: • a global standard for data privacy (the APS); • a Privacy Impact Assessment and risk management process; • integration with Information Security core functions; • data privacy and protection monitoring activities; and • training for employees on the appropriate processing of personal data belonging to customers, employees and other stakeholders. In committing to the highest standards of data protection, we believe the maintenance of a state-of-the-art privacy program needs to be supported by diligent and continuous monitoring and assurance activities. We monitor privacy governance activities and processes across our operating entities through a process which includes site visits, reviews of program documents, interviews and expert challenge calls. Allianz Group Sustainability Report 2022 121