Vodafone 2026 Annual Report

50 Vodafone Group Plc Annual Report 2026

Strategic report

Governance

Financials

Other information

Maintaining Trust continued

Data privacy Strategy

We want to enable our customers to get the most out of our products and services. To provide these services, we need to use our customers’ personal information. We aim to protect our customers’ data and only to use it for a stated and specific purpose. We only process employee personal data to support core employment activities such as workforce administration, payroll, benefits and to meet our legal regulatory obligations. We are always open about what data we collect, and why we collect it. Our privacy programme governs how we collect, use and manage personal data to ensure we respect the confidentiality of communications and any choices made regarding the use of their data. Each local market publishes a privacy statement to provide clear, transparent and relevant information on how we collect and use personal data, what choices are available regarding its use and how individuals can exercise their rights. Our product specific privacy notices include details relating to a particular product. These statements and notices are available to individuals online, for example in the MyVodafone app and in our retail stores. We provide our customers with access to their data through online and physical channels. These channels can be used to request deletion of data that is no longer necessary, or for correcting outdated or incorrect data, or for data portability. Our customer privacy statements and other customer-facing documents provide comprehensive information on how these rights can be exercised and how to raise complaints or contact the relevant data protection authority. Our frontline retail and customer support staff are trained to respond to customer requests. Click to read more about our privacy policies vodafone.com/privacy

The General Counsel and Company Secretary, a member of the Executive Committee, oversees the global privacy programme. The Global Privacy Officer reports to the Global Director of Compliance and Business Integrity, an independent second line function responsible for monitoring Group compliance. The Global Privacy Officer is responsible for monitoring the global privacy programme compliance across all markets and provides regular reports to the General Counsel and Company Secretary, and an annual update to the Audit and Risk Committee on the adequacy of our privacy programme. Whilst each employee is responsible for protecting personal data they are trusted with, accountability for compliance sits with each operating company. A member of the local executive committee oversees the local implementation of our privacy programme. Each operating company also has a dedicated privacy officer, legal advisers and other privacy specialists. Local privacy officers report to the Global Privacy Officer throughout the year on the adequacy of privacy risk management for their respective operating company. The privacy leadership team approves new standards and guidelines and monitors the implementation of global privacy plans. Operating companies also maintain the necessary forums that bring together senior management from relevant business functions and support functions to provide local oversight. We are committed to the responsible handling of personal data across our customers, workforce and broader stakeholder ecosystem. Our privacy programme is based on the following principles: accountability, fairness and lawfulness, choice and access, security safeguards, privacy by design, openness and honesty, responsible data management, and balance.

Our global data privacy programme seeks to manage our customers’ personal data in a way that respects their rights and supports them making informed decisions regarding the use of the personal data. We regularly engage with industry and policymakers to help shape data privacy standards. Click to watch our privacy experts summarise our approach to data privacy vodafone.com/videos As data volumes continue to grow and regulatory and customer scrutiny increases, it is important to be clear on the privacy risks we face, as well as how our policies and programmes can mitigate these. We categorise data privacy risk into three main areas: Collection: collection of personal data without permissions, or excessive collection of data; Access and use: use of personal data for unauthorised purposes, excessive data retention, or poor data quality; and Sharing: unauthorised disclosure of personal data, including supplier non-compliance with the law or our own policies. To help us identify and manage the increasing privacy risk landscape we regularly evaluate our business strategy, new technologies, products and services as well as government policies and regulation. We also evaluate operational controls to determine improvements to mitigate risk. Our privacy management standards are based on the European Union General Data Protection Regulation (‘GDPR’) and this is applied across Vodafone markets both inside and outside the European Economic Area. Our standards establish a common framework within which local data protection and privacy laws are respected and sets a baseline for those markets where there are no equivalent legal requirements.

Millions of people communicate and share information over our networks, supporting them to connect, innovate and prosper. Customers place their trust in us to protect their data, and maintaining this trust is critical. We believe that everyone has a right to data privacy wherever they live in the world, and our commitment to our customers’ privacy goes beyond legal compliance. As a result, our privacy programme applies globally, irrespective of whether there are local data protection or privacy laws.