Deutsche Bank Governance and operations Non-Financial Report 2022 Data protection

New regulatory developments in data protection are continuously monitored, and information about them is shared with the local Data Protection Officers to assess their relevance and potential consequences for the bank. If a need for adjustments to processes and products is identified, implementation actions are agreed with the business divisions and infrastructure functions.

In addition, employees' awareness of data protection is fostered through internal online events and intranet posts. For example, in 2022 Group Data Privacy organized several regional webinars to raise further awareness of the importance of data protection and privacy, the handling of personal data, where to get support for data protection matters in the bank, individuals' rights, best practices for organizations to protect personal data, principles and trends in data protection and privacy, and the possible consequences of poor data protection practices.

Key topics in 2022

Deutsche Bank ran a project to comply with the recommendations from the European Data Protection Board and the new EU Standard Contractual Clauses following the Schrems II ruling by the EU Court of Justice. This included the amendment of relevant existing contracts with vendors.

Group Data Privacy also continued to assess new data protection legislation in the countries where Deutsche Bank does business. In 2022, the Thai Personal Data Protection Act entered into force, and proposals for a Personal Data Protection Act in Sri Lanka and Indonesia were ratified by parliaments and will enter into force in 2023 and 2024, respectively. In addition, Group Data Privacy is closely monitoring the proposed amendment to the British Data Protection Act and the development of an EU-U.S. Data Privacy Framework. Where necessary, the bank is taking steps to ensure compliance.

As part of the ongoing cloud transformation project with Google Cloud, Deutsche Bank implemented an application onboarding framework which includes specific data protection controls.

No personal data breaches of material impact to individuals observed

GRI 418-1

In 2022, Deutsche Bank again did not observe any personal data breaches of material impact to individuals. The bank’s reporting processes and pathways from the business divisions and infrastructure functions to Group Data Privacy aim to ensure that potential personal data breaches can be assessed and handled in a timely manner. They are described in a global data protection procedure.

Should a personal data breach occur, Deutsche Bank, as part of its global security incident management process, takes coordinated follow-up actions. Group Data Privacy, as a stakeholder in this process, advises on the necessary regulatory actions and, if required, informs the affected individuals and notifies the relevant data protection authorities.