Maintaining Trust continued 51
Vodafone Group Plc Annual Report 2026
We aim to avoid any data breach or data misuse resulting in material impacts. We have a strong culture of data privacy, and our assurance and monitoring activities are designed to identify potential issues before they materialise. However, our German operations were the subject of administrative fines imposed by the German data protection authority and announced in June 2025. The regulator identified deficiencies relating to the oversight of certain external sales partner agencies and weaknesses in customer authentication processes for online and telephone services. These matters were identified during regulatory reviews commencing in 2021, and remediation measures had already been initiated by Vodafone prior to the conclusion of the enforcement proceedings. As a result of the regulator’s findings, fines of €15 million and €30 million were imposed, which have been accepted and paid in full. We also incurred fines in Greece, Türkiye and Romania totalling less than €1 million in connection with local data protection and regulatory compliance matters, reflecting differing regulatory frameworks and enforcement practices across markets.

Looking Forward

As a privacy‑centric organisation, we continuously monitor legal and regulatory developments, alongside evolving customer expectations, to ensure our privacy programme delivers the strongest possible outcomes. We plan to focus on leveraging our global processes to embed privacy through technology‑enabled solutions and dynamic, scalable ways of working. For example, we are undertaking a review of our global control environment with the aim of optimising key controls and generating meaningful, measurable benefits for our employees, customers and wider stakeholder community.
Our approach to responsible artificial intelligence (‘AI’)

Our AI governance approach demonstrates how we engage with AI in an ethical and responsible manner for the benefit of customers, employees, and society. The AI Governance Board is a senior steering group that defines strategy and policy for AI and monitors its execution. The board is chaired by the Vodafone Chief Technology Officer and is attended by the CEO of Vodafone Business, Group Commercial Functions Director, Chief HR Officer, and the General Counsel and Company Secretary. We have implemented key processes such as internal risk assessments, created role-specific training and formalised policies. We have implemented a set of technical responsible AI guardrails on our internal AI development platforms, making sure that there is a set of controls mitigating known risk domains for a wide variety of AI applications. We have also contributed to the development and launch of the GSMA Responsible AI Maturity Roadmap and are a standing member of the GSMA Responsible AI working group. We have also signed up to the AI Pact, an initiative set up by the European Commission through the European AI Office.

This Year

We aim to achieve a 90% completion rate on both generic (DWR) and specific (high-risk role) training for all target groups across our global footprint. In FY26, 97% of assigned employees completed DWR or more specific privacy training. We held a global privacy governance forum to highlight key achievements across markets and to discuss the future of the privacy programme with a key focus on strategic optimisation. We are committed to improving compliance by our customer operations teams through enhancement of customer authentication mechanisms and enforcing consent where appropriate in our customer communications.
Our robust, multi-channel permission management approach has been deployed across our channels (MyVodafone app, website, call centres and retail stores) since 2018. This approach allows our customers to control how we use their data for marketing and other purposes at any time, and the permissions are synchronised across our channels. For example, customers can:

Opt in for the processing of special categories of data;
Choose what data we collect through the MyVodafone app and how it is used;
Opt out from marketing across different channels (call, SMS, notifications), or opt in to the use of their communications metadata for marketing purposes or for receiving third-party marketing messages; and
Opt out from the use of anonymised network and location data (‘Vodafone Analytics’).

We have an experienced team of privacy specialists dedicated to ensuring compliance with data protection laws and our policies in the countries where we operate. Our privacy controls frameworks are subject to periodic review and risk-based evaluation to identify and implement areas for improvement. We have a clear process for managing privacy risks across the data life cycle, and teams from across Vodafone ensure end-to-end coverage. Dedicated security teams are tasked with applying appropriate technical and organisational information security measures to protect personal data against unauthorised access, disclosure, loss or use during transit and at rest.

Read more about cyber security on pages 52 to 56.
All products, services and processes are subject to privacy impact assessments as part of their development and throughout their life cycle. We maintain personal data processing records, supplier privacy compliance, data breach management and individual rights processes, and internal and international data transfer compliance frameworks, as well as training and awareness programmes.

We require every employee and contractor to complete our Doing What’s Right (‘DWR’) privacy training within six weeks of joining. In addition, they need to complete refresher courses in line with our annual learning intervention cycle. We also have targeted training for high-risk teams with a key role in personal data processing.

In our supply chain, privacy and security requirements form a key part of our supplier management processes. All suppliers go through a thorough onboarding process to verify their adherence to these requirements, with appropriate data protection measures and continuous monitoring agreed.

We have dedicated standards and monitoring (covering both internal process implementation effectiveness and reference external cases) to prevent, identify, contain, and report incidents, with lessons learnt shared with all internal and external stakeholders as necessary. The effectiveness of control implementation is subject to quarterly reporting and second line assurance, as well as internal audit. Control implementation is also reviewed by local market CEOs, the Group Risk and Compliance Committee and the Audit and Risk Committee. Any findings are subject to remedial actions by the responsible control operator, and their completion is monitored.