ESRS disclosure

  • Provide detailed information on your organization's policies designed to manage material impacts, risks, and opportunities concerning consumers and end-users. Specify whether these policies are applicable to specific groups or encompass all consumers and end-users, in alignment with ESRS 2 MDR-P on managing material sustainability matters.
  • Question Id: S4-1_01

    We have not adopted policies specifically related to our end-users, but capture the interests of end-users as part of our data ethics, data protection and information security policies.

    Our Data Ethics Policy provides the overarching framework for how we work with and manage data. It is aligned with the Charter of Fundamental Rights of the European Union and includes principles on the areas of self-determination, human dignity, responsibility, equality and fairness, progressiveness, diversity and inclusion and accountability. Further, it sets parameters around our use of AI systems. The policy applies to all ISS employees as well as suppliers and business partners that have access to data on behalf of or in collaboration with ISS. Implementation of the policy is the joint responsibility of our Group Data Privacy & Legal Compliance function and our Global IT, Digitalisation & Services function.

    We collect and process personal data in accordance with our Group Data Protection Policy. It adheres globally to the principles of the EU General Data Protection Regulation and to additional higher standards if required by local law, and it sets requirements around data protection principles, transfer of personal data, data breach, training & awareness and control & assurance. The Group Data Protection Policy is owned by our Group Legal function and our Group Data Protection Manager.

    Where our Data Protection Policy establishes procedures for how we work with and manage personal data, our Group Information Security Policy aims to uphold the integrity of our IT ecosystem and, among other things, prevent unauthorised access to personal data. It does so through an information security management system aligned with the ISO27001:2022 standard and is supported by documented procedures around organisational controls, employee controls, physical controls and technological controls.

    Report Date: 4Q2024