i Table of contents 246

Vodafone 2025 Annual Report

46 Vodafone Group Plc Annual Report 2025

Strategic report

Governance

Financials

Other information

Our approach continued

Privacy, Security, and Resilience Millions of people communicate and share information over our networks, supporting them to connect, innovate and prosper. Customers trust us with their data and maintaining this trust is critical. Our security and resilience strategy is centred around three key pillars: data privacy, cybersecurity, and asset resilience. Our global privacy programme seeks to manage our customers’ personal data in a way that respects their rights and ensures they can make informed decisions regarding the use of the personal data. We regularly engage with industry and policymakers to help shape privacy standards. Under our cyber security pillar, we continuously monitor and defend our systems against evolving threats. Our security framework follows industry good practices, focusing on risk management, real-time threat detection, and incident response rates to keep our customers and services safe. Furthermore, as a provider of critical infrastructure, we invest in securing our network, including mobile towers, data centres, and subsea cables. To enhance resilience of our physical assets, we deploy backup power solutions and strengthen our systems against potential disruptions, aiming to ensure uninterrupted connectivity.

Data privacy We believe that everyone has a right to privacy wherever they live in the world, and our commitment to our customers’ privacy goes beyond legal compliance. As a result, our privacy programme applies globally, irrespective of whether there are local data protection or privacy laws.  Click to watch our privacy experts summarise our approach to data privacy investors.vodafone.com/videos Privacy risks and impacts As data volumes continue to grow and regulatory and customer scrutiny increases, it is important to be clear on the privacy risks we face, as well as how our policies and programmes can mitigate these. We categorise data privacy risk into three main areas: – Collection : collection of personal data without permissions, or excessive collection of data; – Access and use : use of personal data for unauthorised purposes, excessive data retention, or poor data quality; and – Sharing : unauthorised disclosure of personal data, including supplier non-compliance with the law or our own policies. To help us identify and manage the increasing privacy risk landscape we regularly evaluate our business strategy, new technologies, products and services as well as government policies and regulation. We also evaluate operational controls to determine improvements to mitigate risk.

Policies Our privacy management policy is based on the European Union General Data Protection Regulation (‘GDPR’) and this is applied across Vodafone markets both inside and outside the European Economic Area. Our privacy management policy establishes a framework within which local data protection and privacy laws are respected and sets a baseline for those markets where there are no equivalent legal requirements. Using customer data We want to enable our customers to get the most out of our products and services. To provide these services, we need to use our customers’ personal information. We aim to protect our customers’ data and only to use it for a stated and specific purpose. We are always open about what customer data we collect, and why we collect it. Our privacy programme governs how we collect, use and manage our customers’ personal data to ensure we respect the confidentiality of their communications and any choices that they have made regarding the use of their data. Our privacy programme is based on the following principles: accountability, fairness and lawfulness, choice and access, security safeguards, privacy by design, openness and honesty, responsible data management, and balance. Each local market publishes a privacy statement to provide clear, transparent and relevant information on how we collect and use personal data, what choices are available regarding its use and how customers can exercise their rights. Our product specific privacy notices include details relating to a particular product. These statements and notices are available to customers online, in the MyVodafone app and in our retail stores. We provide our customers with access to their data through online and physical channels. These channels can be used to request deletion of data that is no longer necessary, or for correcting outdated or incorrect data, or for data portability.

Our customer privacy statements and other customer-facing documents provide comprehensive information on how these rights can be exercised and how to raise complaints or contact the relevant data protection authority. Our frontline retail and customer support staff are trained to respond to customer requests.  Click to read more about our privacy policies vodafone.com/privacy Governance The General Counsel and Company Secretary, a member of the Executive Committee, oversees the global privacy programme. The Group Privacy Officer reports to the Global Compliance and Business Integrity Director, an independent second line function responsible for monitoring Group compliance. The Group Privacy Officer is responsible for monitoring the Group privacy programme compliance across markets and provides regular reports to the General Counsel and Company Secretary, and an annual update to the Audit and Risk Committee on the adequacy of our Privacy programme. During the year, the Group Privacy Officer conducted regular compliance reviews to ensure markets were adhering to the Group’s policies and procedures. This included oversight of our privacy programme. Whilst each employee is responsible for protecting personal data they are trusted with, accountability for compliance sits with each operating company. A member of the local executive committee oversees the local implementation of our privacy programme. Each operating company also has a dedicated privacy officer, privacy legal counsel and other privacy specialists. Local privacy officers report to the Group Privacy Officer throughout the year on the adequacy of privacy risk management for their market.

Powered by