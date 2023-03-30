Consolidated Non-Financial Report

Consolidated Non-Financial Report 1) of Telekom Austria Aktien-gesellschaft in accordance with section 267a of the Austrian Company Code (UGB) on environmental, social and employee matters, human rights and combating corruption and bribery

Telekom Austria AG, listed on the Vienna Stock Exchange, is a leading provider of digital services and communications solutions in Central and Eastern Europe with around 27 million customers in seven countries: Austria, Belarus, Bulgaria, Croatia, North Macedonia, Serbia and Slovenia. All equity investments have operated under the A1 brand since 2021. Through A1 Digital International GmbH (hereinafter referred to as A1 Digital), Telekom Austria AG offers industry-specific solutions for business clients on its core markets and in Germany and Switzerland. Information on business operations and the companies included can be found in the 2022 Group Management Report and Consolidated Financial Statements.

The Management Board deﬁnes the sustainability strategy in close coordination with Group ESG on the one hand and in an ongoing dialog with the Supervisory Board on the other. Group ESG deﬁnes and initiates Group-wide guidelines and policies such as the Green Electricity Policy, the Human Rights Policy, the Media Ethics Policy, the Conﬂict Mineral Policy, the Diversity, Equity & Inclusion Policy or the Sustainable Packaging Policy. The national companies are also closely involved. This is also illustrated by the inclusion of ESG targets in management remuneration since 2020. Steering meetings that discuss and report on the implementation of the Group-wide ESG strategy with local ESG oﬃcers are held at monthly intervals.

Information on business operations and the companies included in consolidation can be found in the 2022 Group Management Report and Consolidated Financial Statements. Sustainability aspects play a major role in the activities of Telekom Austria AG and its subsidiaries, referred to below as the A1 Group. The company is aware of its social responsibility, and attaches great importance to sustainably increasing its enterprise value while taking the relevant economic, ecological and social aspects into account. This goal is supported by the Group's commitment to the Austrian Corporate Governance Code and the application of all the requirements of the internal control system, the Code of Conduct, the compliance guide-lines and Group-wide integrated sustainability management. Compliance with the principles of the UN Global Compact and respect for human rights ensure that these strategies and goals are sustainably implemented and achieved by all business units.

Rigor is ensured by close connections to corporate strategy. A materiality analysis was also conducted with the help of various interest groups to identify central sustainability issues and their material impact. The materiality analysis is performed regularly (every two to three years) - most recently in the 2022 reporting year, and in 2019 before that. The issues covered in this report were determined based on the results of this materiality analysis.

Social, legal and regulatory changes are taken into account in ESG action areas as well, such as the impact of the COVID-19 pandemic on the world of work and the service portfolio, or the legal developments in the field of data privacy and the constant evolution of the Code of Conduct.

The Group ESG (Environmental, Social & Corporate Governance) unit is assigned directly to the CEO of the A1 Group. This unit is responsible for the sustainability agendas.

The red circles represent the issues relevant to the A1 Group, which are reported on in the non-ﬁnancial report. The size of the circles reﬂects their relevance for the company. An issue's materiality is based on its impact on the environment, society and the economy, and on how relevant it is to the A1 Group's stakeholders. Thus, the issues most important to the A1 Group are those that have the biggest impact and those that are most relevant to stakeholders. As an additional dimension, the issues were assessed with regard to their business relevance for the A1 Group.

This allows an integrated perspective that takes into account the issues' sustainability context and their economic signiﬁcance for the company.

1. Information on the issues derived for A1 Group from the 2022 materiality analysis

In order to identify the relevant issues, research was performed into the potential impact and risks in terms of environmental, social and employee matters. The issues were also compared against those from the materiality analysis published in 2019 and an industry analysis was performed. These issues have been analyzed, condensed and ultimately compiled into 28 relevant issues over several rounds of inter-nal discussion. They have continuously evolved over time and, besides pre-existing issues like data protection and infor-mation security, also include new topics such as sustainable products and services. This ongoing development not only reflects the constantly changing challenges stemming from risks to the environment, social issues and employees, but also gives all internal and external stakeholders who take part in the survey the chance to express these changes in their assessments.

For the first time, an online survey was conducted in all of the Group's markets - with the exception of Belarus. This includes internal and external stakeholder groups in Austria, Bulgaria, Croatia, Slovenia, Serbia and North Macedonia. The issues were assessed by internal and external stakeholders in the online survey. A1 Group stakeholders from the fields of the media, politics and special interest groups, research, science and education, business, associations and NGOs as well as employees were invited to take part. A workshop was held with selected internal and external experts to evaluate the impact. The online survey was sent to the A1 Group's management to assess its business relevance. In total, more than 2,000 internal and external stakeholders and managers of the A1 Group took part in the online survey.

The highest rated topics were allocated to the Austrian Sus-tainability and Diversity Improvement Act (NaDiVeG) areas of social matters, employee matters, environmental matters, respect for human rights, combating corruption and bribery and, as an additional matter, business operations. Given the content overlap, the topics of "Cybercrime" and "Access to information and education" have been combined to form a sin-gle topic cluster that is discussed jointly under social matters. Moreover, "Training employees in digital competences" has been combined with "Skill transformation in the labor market", and can be found with the disclosures on "Diversity, inclusion and equity", as well as "New Ways of Work" and "Employee involvement and well-being" under employee matters. Within environmental matters, the issues "Resource optimization and dematerialization" and "Sustainable products and services" were also combined given their similarities, and supplemented by "Climate change and carbon footprint of own operating business". "Compliance" was likewise identiﬁed as a material issue. The A1 Group has combined it with "Anti-corruption" to form the "Combating corruption and bribery" cluster. The "Business activities" cluster, similarly formed because of over-laps, contains the key issues of "Data protection and informa-tion security", "High-performance and future-proof networks","Sustainable supply chains", "Innovation and improvement of public services through digitalization" as well as "New business models among our customers through digitalization". These latter two issues were combined into one cluster.

Topics derived from the materiality analysis

▸ Business operations matters: Data protection and infor-mation security, High-performance and future-proof net-works, New business models among our customers through digitalization & Innovation and improvement of public services through digitalization, Sustainable supply chains

▸ Environmental matters: Climate change and carbon foot-print of own operating business, Resource optimization and dematerialization & Sustainable products and services

▸ Social matters: Cybercrime & access to information and education

▸ Employee matters: New Ways of Work, Training employees in digital competences & Skill transformation in the labor market, Employee involvement and well-being, Diversity, inclusion and equity

Respect for human rights

▸ Combating corruption and bribery: Anti-corruption & compliance

2. Material business operations matters

Data protection and information security

Concept

Data protection

Compliance with high data protection standards is a funda-mental requirement for the A1 Group and serves to safeguard customers' trust in the Group. The A1 Group strictly adheres to the current legal framework in the ﬁeld of data protection and information security. Personal data are processed in accor-dance with the EU General Data Protection Regulation (GDPR), national data protection laws and the speciﬁc provisions of national telecommunications legislation. In the event of a bre-ach of personal data protection, the data protection authorities are notiﬁed in line with statutory requirements and the data subjects are informed.

The data of the A1 Group's customers, employees, sharehol-ders, suppliers and sales partners are shared with third parties only if there is a legal basis. Any requests for the transmission of data received from the courts, public prosecutors, the police or other authorities are analyzed to ensure their legality. Data are shared only in compliance with legal and regulatory requirements in response to a lawful inquiry. Data subjects will be informed of this, if appropriate, in accordance with the statutory provisions.

In addition to the statutory requirements, all subsidiaries of the A1 Group are required to comply with the information security standards created for this purpose and other country-speciﬁc guidelines on data security. All A1 Group network operators already satisfy the ISO 27001 standard, except Serbia.

The management systems are regularly evaluated. For example, ISO certiﬁcation is reviewed annually. Adjustments are also made as necessary throughout the year.

The data privacy governance approved by the Management Board of the A1 Group provides for the harmonization of the obligations binding for the subsidiaries of the Group. This is based on an analysis of local data governance legislation.

The Management Board or management team of the individual subsidiaries is responsible for the processing of personal data in line with data protection requirements. At A1 Austria, the Data Privacy unit, together with the Legal department, assists management in complying with its obligations under data protection law. Moreover, data protection oﬃcers have been appointed at all subsidiaries.

In Austria, both the Management Board and employees are advised and instructed by the data protection oﬃcers of their duties in relation to data protection regulations and compli-ance with them. Every division must appoint a data protection coordinator to ensure the operational implementation of data protection requirements. This coordinator is the point of contact for all issues in connection with data protection and information security in the division, and reports any vulnerabili-ties or breaches to the Data Privacy and Security units.

Data protection and information security are key principles in the Code of Conduct of the A1 Group. The protection of privacy, and thus respecting the human rights of customers, emp-loyees, shareholders, suppliers and sales partners are guiding principles enshrined in it. The Group's contractual partners are required to comply with the principles governed by the Code of Conduct and, thus, to comply with data protection. Furthermore, in their role under data protection law as contract processors, suppliers are contractually required to fulﬁll the A1 Group's requirements for data protection and information security in the processing of personal data.

Data protection and information security are essential within the company as well. All employees of the A1 Group are requi- red to preserve trade and business secrets. Such conﬁdential information must be stored securely and can only be disclosed internally to persons who require such information for their professional work (need-to-know principle).

Information security

The network operators of the A1 Group form part of the critical infrastructure in all countries. The Group is aware of the special responsibility that this entails. The company is therefore involved in initiatives to continuously improve security beyond the extent required by law.

The network operators of the A1 Group work with the respecti-ve authorities to continuously improve cybersecurity. Relevant security information is shared through the A1 CERT (Computer Emergency Response Team), which is also a member of the national CERT association ATC (Austrian Trust Circle). Security expertise is shared within the A1 Group and at conferences domestically and abroad.

The A1 Austria's Security division has also handled the security governance for the A1 Group as a whole since 2021. Security requirements are being harmonized throughout the Group so that services, such as cloud services or new working models (working from home, remote working, agile teams, remote operation & support, etc.), can still be developed reliably and securely and can be used in live operations.

The function of Chief Security Officer (CISO) was created in the A1 Group to coordinate security policies and technologies within the A1 Group.

Key performance indicator

To raise awareness and provide training on data protection and information security, there are company-wide online training and more advanced sessions for the individual divisions and data protection coordinators. Moreover, internal communica-tion media and events provide information on current develop-ments. Throughout the Group, around 14,934 (2021: 9,500) e-learning modules in total were completed and 2,239 (2021: 1,900) participants registered for workshops on data protec-tion and information security in 2022.

Implementation/results 2022

A1 Austria's data protection strategy was revised and appro-ved by members of the local management team. On the basis of the data protection management system, the data protec-tion maturity model was applied and targets for the roadmap through to 2025 were deﬁned.

A key area in 2022 was the "Schrems II" task force: In the "Data Transfer to Third Countries" working group, the following do-cuments were jointly created that are intended for Group-wide application (standard solution): the data protection question-naire of the A1 Group, the A1 Group transfer impact assess-ment, external and internal contract processing agreements and letters on compliance requirements. In order to satisfy all statutory requirements relating to Schrems II and the intern-ational transfer of personal data, suppliers for which Schrems II is relevant were asked to produce a self-assessment on the basis of the data protection questionnaire of the A1 Group. The feedback was analyzed and suppliers were informed of the new standard contractual clauses in the compliance requirements letter. All relevant suppliers were identiﬁed throughout the Group and the results were made available within the operatio-nal countries. The corresponding documentation is stored in the electronic procurement tool Ivalua.

In 2022, the A1 Group therefore took further measures to safeguard the security of customer data. This year, the Group experienced a decline in distributed denial of service (DDoS) attacks that aim to deliberately overload network servers. Around 100 DDoS attacks per day are registered in A1's back-bone. Investment by the A1 Group in automatic DDoS defense allows these DDoS attacks to be successfully counteracted. So that A1 business customers can successfully defend against DDoS attacks, A1 offers DDoS automatic protection in all countries of the A1 Group.

