Through privacy reviews, every operating entity, global line and regional office is required to undergo a rigorous examination of the design, implementation and effectiveness of its local privacy program and the related processes and controls. The frequency of these reviews is determined based on risk, but they are undertaken no less than once every five years. As of the end of 2022, we have conducted 16 privacy reviews, including a joint review with Information Security. For comparison, 14 and 11 reviews were undertaken in 2021 and 2020 respectively. Privacy deficiencies and audit findings are tracked in a global database and, if necessary, escalated to top management to ensure timely remediation.

Privacy risk management

We identify and manage privacy risks at the operational process level to ensure they are measured, monitored and mitigated across our core businesses. PIAs of processes that use personal data – such as customer health data and employee data – enable the early identification of risks and ensure they are managed appropriately. We are also committed to ensuring that adequate and effective controls are in place to address the data privacy risks associated with the processing of personal data by external suppliers on behalf of Allianz. Following the Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (‘Schrems II’) decision, we have undertaken case-by-case Transfer Impact Assessments (TIAs) for processes that transfer personal data from the European Economic Area (EEA) to suppliers in third countries. In 2022, we designed a TIA template in our privacy management platform. The TIA template will be rolled out to all our operating entities in the EEA to ensure such assessments are conducted in a consistent, semi-automated way.
This does not replace the existing compliance requirement under the APS to conduct PIAs. Rather, the TIA template is a tool to supplement existing data privacy compliance efforts and to help operating entities ensure that an adequate level of data protection is maintained when personal data is transferred.

Employee training

Our employees play a critical role in upholding our commitment to protect personal data. To ensure they have the knowledge to properly use and safeguard personal data, we continue to develop our robust privacy training program. This includes annual online training and awareness activities for all employees, as well as tailored training for employees with privacy management responsibilities and for our Privacy Champions. All employees are required to complete annual privacy training, which covers the Allianz Privacy Framework requirements in detail and ensures a solid foundational understanding of core privacy concepts and the proper handling of personal data. Ongoing awareness activities (panels and events) and communication campaigns (a bi-monthly newsletter, intranet videos and articles) provide guidance on ad hoc topics such as how to work securely and remain privacy compliant in a hybrid environment. For Privacy Experts, a five-day Privacy Expert Training course focuses on providing Data Protection Professionals and Data Protection Officers with the practical knowledge to effectively conduct their day-to-day activities. For Privacy Champions, a two-day Privacy Champion Training course focuses on the practical knowledge and exercises of the Privacy Champion role, to ensure data protection compliance within the business.

04.1.3 Data ethics

Our aim is to maintain stakeholder trust and to position Allianz as a leader in conducting data-driven business in a trustworthy and ethical manner. This includes elevating data ethics and selected data and analytics-related topics in the governance and decision-making processes of Allianz Group.
We strive for a responsible use of Artificial Intelligence (AI) in our business activities, based on a strong AI Governance framework. This includes ensuring a human-centric approach in our usage of AI systems. Ensuring compliance with current and upcoming regulations, and embedding best practices in anticipation of regulatory change, are also high priorities in fulfilling our data ethics commitments. At EU level, relevant legislation includes the GDPR and the upcoming AI Act, which could significantly broaden the scope of regulation. Working in a cross-functional manner – especially between Group Privacy and Group Data Analytics – to ensure compliant, technically feasible implementation of regulatory requirements enables both Privacy and Ethics by Design.

04.1 Cybersecurity Allianz Group Sustainability Report 2022 122