ESG Integration Framework 04.4.4 Data protection and human rights use of social media. According to the Universal Declaration of Human Rights and to In response to the increasing regulatory initiatives and public several other international treaties, data privacy is a fundamental debates on ethics and artificial intelligence (“AI”) worldwide, we human right. As such, Allianz takes data privacy and protection have set up the Allianz Data Ethics Project including experts from risks very seriously, and it is enforcing robust security and privacy various functions and Allianz Group companies. Aiming to further controls to give its customers comfort that their personal data is strengthen the internal governance framework for AI, in 2020 we safe and secure. At Allianz SE, data privacy matters are managed developed an AI Practical Guidance for our data science/analytics by the Group Privacy function which is also responsible for the departments, extended our risk assessment activities to include Allianz Privacy Standard and compliance with different regulatory ethical assessments. developments. For further details, please see the Group Sustainability Report at The Allianz Privacy Standard defines rules and principles for www.allianz.com/sustainability. collecting and processing personal data. Established in 2018, it sets out six privacy principles Allianz expects all its employees to 04.5 Remedy and grievance mechanism respect due care, purpose specification, reasonable limitation, transparency and openness, choice and consent, and privacy by Allianz aims to identify, prevent, or mitigate adverse human rights design. Allianz also publishes a Privacy Notice, which clearly states impacts linked to its business activities and operations. In concrete what information we collect and why. terms, Allianz seeks to: Equally important is the security of the personal data Allianz handles. • Apply its responsibilities across all its business activities As part of its robust Information Security Framework, Allianz entities • Engage in continuous dialogue with stakeholders to ensure on- globally apply strict security processes, standards, and tools. The going improvement framework also defines minimum requirements that are based on • Develop grievance mechanisms for all stakeholders in relevant the ISO 27001 Standard for information security management. This countries and business units standard specifies various requirements for three fields: vulnerability • Regularly assess human rights risks and perform human rights assessment along the software development value chain (including due diligence penetration tests and security audits), systems monitoring via multi- • Remedy any adverse human rights impacts for which Allianz is level security systems, and effective IT security management and responsible for business continuity management. • Track performance about human rights impacts and remedies. Allianz keeps abreast of regulatory and industry developments and Internal and external stakeholders are given the opportunity to raise aims to reflect these in its operational and governance processes allegations of human rights violations involving Allianz through our and procedures. For example, in response to the changes in the EU Group-level complaint system. Human rights-related complaints General Data Protection Regulation (GDPR) that came into force will then be investigated and addressed by Group Compliance, in in May 2018, the Allianz Privacy Renewal Program (APRP) was certain cases supported by the Global Sustainability function. initiated – a major effort to align Allianz’s privacy practices with the Details about the grievance mechanism process or to file a human requirements of the GDPR. rights-related grievance please see our human rights page at Additionally, Allianz addresses new data privacy developments in www.allianz.com/en/sustainability/articles/human-rights.html different jurisdictions where Allianz does business. This includes for example, responding to judicial and regulatory statements on the 43 GDPR, including concerns about cross-border data transfers and the