HERMÈS - 2018 Registration document

3

Corporate Governance

Ethics – Compliance

3.2.3.1.7 Training system intended for executives and employees most at risk

The training system is described in section 3.2.4.4 below.

3.2.3.1.8 Disciplinary measures to sanction violations of the anti-corruption code of conduct

The sanctions system is described in section 3.2.4.2 below.

3.2.3.1.9 Internal monitoring and assessment system

Internal and external audits of the Group’s companies and métiers as well as of its main suppliers and partners are conducted regularly relating to the application of the Group’s procedures. Among other areas, these audits cover the fight against corruption, combatting money laundering, the protection of personal data, respect for the environment, respect for human rights and fundamental freedoms, and employee hygiene, health and safety. The methodology of these controls and audits is described in section 1.9 "Risk factors" (see pages 36 et seq.).

3.2.3.2 Vigilance

In accordance with French Law 2017-399 of 27 March 2017, the Hermès Group has drawn up its own reasonable vigilance plan designed to identify risks and prevent serious harm in respect of human rights and fundamental freedoms, health and safety of persons and the environment, resulting from its activities and the activities of subcontractors and suppliers.

The risk mapping to identify, analyse and prioritise risks, procedures for the regular monitoring of subsidiaries, subcontractors and suppliers, appropriate measures to mitigate the risks identified or prevent serious violations; and the system for monitoring the measures implemented and assessing their effectiveness, are described in the section 2.6 “Suppliers and partners” (see pages 111 et seq.).

The whistleblowing mechanism for reporting violations is described in section 3.2.4.1 Professional whistleblowing system below.

3.2.3.3 Personal data protection and respect for privacy

Hermès is particularly sensitive to personal data protection and respect for privacy.

All employees must ensure that they process the personal data to which they have access in accordance with rules set out by the Group and pursuant to applicable laws and regulations.

The Group procedures specifically state that it is compulsory:

- to collect and process personal data solely for a specific, lawful and legitimate occupational purpose determined by Hermès Group and to restrict data collected to what is strictly relevant, fair and not excessive with regard to this purpose;
- to be transparent about how these data are processed. As regards customers for example, the Confidentiality Policy is publicly available and can be found on the Group's digital platforms (websites, mobile applications) and must also be provided to any person who so requests at a point of sale;
- to ensure that personal data are protected and secured by an appropriate means, in compliance with the standards established by the Group and by the applicable laws and regulations. The objective in particular is to consider any relationship with customers as strictly confidential and to only use and disclose their personal data with their express consent and/or in compliance with the Group's rules and the applicable laws and regulations. The objective is also to report, as soon as possible, any security incident relating to data in accordance with the rules established by the Group;
- to respect the rights of the persons whose data are processed by responding to their requests as soon as possible with the help of the contact points identified by the Group and the Data Protection Officer, if necessary;
- to keep the data of the concerned persons for an adequate period with regard to the purposes for which they are collected, in compliance with the applicable laws and regulations.

The Hermès Group has adopted Binding Corporate Rules (BCR) for managing the personal data of its customers. These stringent BCRs have been validated since 2012 by the European authorities in charge of the protection of personal data, and have since been integrated by all Group companies dealing with customer data. They ensure an adequate level of protection for customers’ personal data when transferred within the Group.

In addition, to meet the requirements of the European Union’s General Data Protection Regulation (GDPR) no. 2016/679 of 27 April 2016, actions were taken, in particular, to identify personal data processing within the Group, to increase transparency in terms of the way in which the Hermès Group processes its customers' personal data and to educate and train personal data processing teams in data protection principles and practices.

The personal data protection systems are under the responsibility of the Executive Vice-President of Governance and Organisational Development, member of the Group’s Executive Committee. Audits are conducted by the Audit and Risk Management Department to ensure the proper application of data protection policies and procedures.
