Deutsche Bank Governance and operations Non-Financial Report 2022 Data protection Data protection – Completing review of vendor contract portfolio to comply with Schrems II – No personal data breaches with material impact to individuals observed GRI 3-3 Data protection is required by law and is also an important social value as clients, employees and other stakeholders expect that the personal data they entrusted to the bank is treated with the highest care. Deutsche Bank is therefore committed to protecting personal data, complying with the General Data Protection Regulation and similar laws, and meeting the related demands of clients, employees, business partners, and regulators. Governance GRI 2-13/23/24/25, 3-3 Group Data Privacy is a specialized, independent control function at Deutsche Bank for advising on and monitoring the collection, processing, and use of personal data by the bank’s business divisions and infrastructure functions. Group Data Privacy is supported by local Data Protection Officers in the countries where Deutsche Bank conducts business and the Chief Data Privacy Officer has a direct functional reporting line to the Management Board member responsible for the Chief Administrative Office. The bank’s data protection policies and procedures define data protection principles and compliance requirements in the organization, such as personal data breach reporting, access rights requests, consent and information requirements. Where legally required, privacy notices are directly provided to Deutsche Bank clients and employees by business divisions and infrastructure functions or made available on their respective public websites including the website *). These notices provide an overview of how specific privacy notices. Examples for the Corporate Bank can be found here ( Deutsche Bank processes personal data and the rights of individuals whose personal data is being processed, under data protection law. Based on Deutsche Bank’s Group-wide Non-Financial Risk Management framework, Group Data Privacy has established minimum control standards which the business divisions and infrastructure functions must adhere to. These include the permissibility review of new activities that involve processing of personal data in the bank, for example when processing personal data using artificial intelligence. Data privacy/protection controls are integrated in Group-wide governance processes like new product approval or vendor risk management as appropriate. In addition, Group Data Privacy closely collaborates with the Technology, Data and Innovation function and the Information Security function (Chief Security Office) to implement specific data protection principles, e.g., aiming to ensure the security of personal data via encryption of emails according to their classification or access rights controls. Details on information security can be found in the corresponding chapter of this report. In 2022, Group Data Privacy further strengthened the minimum control standards and worked together with the business divisions and infrastructure functions as part of a Group-wide initiative led by Non-Financial Risk Management to document and further improve the key controls that must be in place to mitigate data protection risk in the bank, e.g., to consult Group Data Privacy also for new internal processes and client products not in scope of Group-wide governance processes. Moreover, monitoring and testing the effectiveness of Deutsche Bank’s implementation of applicable data protection requirements was continued and no major deficiencies were identified. The results were considered by Group Data Privacy in the bank’s Group-wide annual risk and control assessment to review and challenge the business divisions’ and infrastructure functions’ own assessment of their data protection risk exposure and control effectiveness. Furthermore, Group Data Privacy also assesses emerging data protection laws and regulations on an ongoing basis and, if necessary, adjusts its policies and procedures as well as the minimum control standards. The same applies to technical developments and new digital business models. Training and awareness GRI 2-24, 3-3, 404-2, FS4 Employee training on the implications of data protection/privacy laws for the bank’s day-to-day business is a key factor in ensuring adequate data protection in all operating processes. Deutsche Bank requires mandatory data protection training for all employees including eligible contractor staff. This training encompasses the content of the data protection and privacy policy, the key requirements to ensure compliance with applicable legal rules for handling personal data and what steps must be taken in the event of a personal data breach. For Deutsche Bank employees, failure to complete this training and late completion can result in disciplinary consequences. The bank continually assesses its data protection training offering to strengthen data protection culture and updates the training as necessary. Within 2022, an eLearning completion rate of 99,96% was achieved for the mandatory data protection training. 91