ISS AS
ESRS disclosure: ESRS S4 \ DR S4-1 \ Paragraph 15
- Provide detailed information on your organization's policies designed to manage material impacts, risks, and opportunities concerning consumers and end-users. Specify whether these policies are applicable to specific groups or encompass all consumers and end-users, in alignment with ESRS 2 MDR-P on managing material sustainability matters.
Question Id: S4-1_01
We have not adopted policies specifically related to our end-users, but capture the interests of end-users as part of our data ethics, data protection and information security policies.
Our Data Ethics Policy provides the overarching framework for how we work with and manage data. It is aligned with the Charter of Fundamental Rights of the European Union and includes principles on the areas of self-determination, human dignity, responsibility, equality and fairness, progressiveness, diversity and inclusion and accountability. Further, it sets parameters around our use of AI systems. The policy applies to all ISS employees as well as suppliers and business partners that have access to data on behalf of or in collaboration with ISS. Implementation of the policy is the joint responsibility of our Group Data Privacy & Legal Compliance function and our Global IT, Digitalisation & Services function.
We collect and process personal data in accordance with our Group Data Protection Policy. It adheres globally to the principles of the EU General Data Protection Regulation and, if required by local law, additional higher standards, and sets requirements around data protection principles, transfer of personal data, data breach, training & awareness and control & assurance. The Group Data Protection Policy is owned by our Group Legal function and our Group Data Protection Manager.
Where our Data Protection Policy establishes procedures for how we work with and manage personal data, our Group Information Security Policy aims at upholding the integrity of our IT ecosystem and, among other things, preventing unauthorised access to personal data. It does so through an information security management system aligned with the ISO27001:2022 standard and is supported by documented procedures around organisational controls, employee controls, physical controls and technological controls.
Report Date: 4Q2024
Relevance: 60%
- Provide a detailed account of the methods and channels utilized to communicate your policies to the relevant individuals, groups, or entities. This includes those expected to implement the policies, such as employees, contractors, and suppliers, as well as those with a vested interest in their execution, like workers and investors. Describe the tools and mediums employed, such as flyers, newsletters, dedicated websites, social media, face-to-face interactions, and workers' representatives, to ensure policy accessibility and comprehension among diverse audiences. Additionally, elucidate the strategies employed to identify and eliminate potential dissemination barriers, including translation into pertinent languages or the use of visual aids.
Question Id: S4-1_09
Our Group Data Protection Policy described above establishes a firm process for handling incidents of data breaches, which is the key enabler for us to provide remediation for negative impacts to end-users.
Just as for value chain workers, our whistleblower channel is available to end-users for raising concerns, though we would consider it a more natural and straightforward approach for end-users to raise concerns via their employer (our customer). During 2024 we have not received data privacy concerns from end-users via our whistleblower channel. For details on our whistleblower channel and Speak Up Policy, see S1-3 and G1-1. Our Speak Up Policy is publicly available to end-users at www.issworld.com.
Report Date: 4Q2024
Relevance: 20%