Sustainability Report 2022
PRISA published a new Privacy Policy in 2022 to articulate and develop its commitment to the protection of personal data in its daily operations.

Privacy protection and data security

Personal data is a valuable asset, hence the need for robust cybersecurity measures to prevent security breaches that might compromise this data. Since the General Data Protection Regulation (RGPD) came into force in 2016, PRISA has worked tirelessly on the improvement and development of its processes for the control and safeguarding of personal data, as well as consumer rights with regard to the potential use of such data. The changes to regulations have also provided an impetus for Group companies in Latin America to review their own procedures for compliance with local data protection regulations.

In line with these efforts and as part of PRISA's commitment in this area, in 2022, the Group has taken important steps forward in privacy management, the correct processing of personal data and towards improving information security. PRISA has defined a Group Privacy Policy which articulates the unyielding commitment of company management with regard to the protection of personal data and reiterates its commitment to regulatory compliance and the development of an ethical culture and integrity in business.

Since 2019, PRISA has had a Security Master Plan in place with the objective of generating continuous improvement in the level of maturity of cybersecurity-risk management in all of the Group's operations. The level of maturity is measured using the ISO/IEC 27002:2013 control standard. The Plan covered the years 2020-2022 and during this period around 50 initiatives to improve cybersecurity management were deployed. Notable among these is the development of a Security Regulatory Body within the group. In addition, there have been periodic evaluations of the level of maturity of cybersecurity protection, with positive results.
This was also the case in the most recent evaluation carried out by an external audit in December 2022. In December 2022, the Logical Security Office service was renewed. The first task of this Office will be the review of the Security Master Plan to generate a new plan for the 2023-2025 period.

Meanwhile, Santillana has developed a set of Corporate Regulations for the Protection of Personal Data to provide a standard of principles and obligations in personal data protection common to all companies in the countries in which it operates.

PRISA Media has developed a data protection training program aimed at the employees in charge of processing personal data.

Management of complaints and queries

The Data Protection Officer (DPO) is responsible for receiving and managing all initial complaints and queries from users and people whose personal data is processed by the companies of the Group. They can contact this service by emailing dpo@prisa.com or by writing to a postal address provided for this purpose. PRISA Media has a specific email: privacidad@prisa.com. In 2022, PRISA Media received 9 user complaints and 3 from the Spanish Data Protection Agency – two fewer complaints than in 2021 – with regard to the exercise of data protection rights or the processing of personal data. All have been properly managed. Santillana had no privacy-related complaints.

Compliance and business ethics

PRISA is committed to regulatory and legal compliance and to compliance with its own Code of Ethics in all those markets and regions where it operates. The objectives of the Group’s legal compliance model, based on the Code of Ethics, include promoting the ethical behavior of all employees when engaged in carrying out the company's activity. The Code encompasses a range of principles and rules of conduct that govern the actions of both the companies that form part of the Group as well as its professionals.
These are, above all, general ethical principles on matters such as respect for human rights and civil liberties, professional development, equal opportunities, non-discrimination and respect for people, health and safety at work, as well as environmental protection. This Code is available in Spanish and English on the PRISA corporate website (www.prisa.com) and is included in the welcome pack given to all new employees.

In 2022, and in order to promote an ethical corporate culture, work was carried out on a responsible leadership project as a tool for changing behavior through training and awareness. One result was a Top-Ten list with the characteristics of PRISA leaders. Leading by example, PRISA’s leaders will be expected to help to promote an ethical culture. The project has been approved by the Appointments, Remuneration and Corporate Governance Committee.

Using the Code of Ethics as a starting point, a range of policies are developed that constitute an essential element of the Group’s compliance model. The Code also helps establish the guidelines for action of the Group and its members in a wide range of different contexts. Thus, in 2022, with the aim of streamlining and unifying regulatory development, the Zero Standard, or Norma Cero, was created. This establishes a set of criteria for the production and approval of rules, using a common nomenclature and setting deadlines for their updating.

Numerous policies and procedures have been revised and updated, including, of relevance to this section, the Anti-Corruption Policy, the Competition Policy and the Gifts Policy. A new Data Protection Policy and a Code of Ethics and Conduct applicable to the company's suppliers have also been approved.

In matters of conflicts of interest, the Regulations of the Board of Directors, the Company's Code of Ethics and the Internal Code of Conduct in Matters Related to Securities Markets set out the general guiding principles for action to be observed in this regard.
The Group has developed a responsible leadership project, designed to promote ethics in professional practice, and which includes a Top-Ten list outlining the characteristics of a PRISA leader.

2022 also saw the launch of the new intranet "PRISANET", serving the Company, PRISA Media and its subsidiaries in Spain. This provides access to all the regulations applicable to employees. To facilitate access, a distinction has been made between general and specific standards. All employees should be familiar with the former.

The Chief Compliance Officer (CCO) oversees regulatory compliance functions across the Group. This Officer has autonomous powers of