```html Magna Data Privacy and Protection Policy
MAGNA INTERNATIONAL INC. │ DATA PRIVACY AND PROTECTION POLICY

Data Privacy and Protection Policy

Issued: May 25, 2018
Revised: December 4, 2024

Purpose

Magna is firmly committed to protecting the privacy of all stakeholders in accordance with applicable law. As part of this commitment, Magna has established a data privacy and protection program aimed at upholding high standards in the processing of personal data.

Scope

This policy applies to all Magna entities, employees, controlled joint ventures, and operations globally, as well as any individual whose personal data is processed by Magna within countries of scope.

Definitions

Controller

A person or entity that determines the purposes and means of processing personal data.

Personal Data

Any information relating to an identified or identifiable natural person.

Sensitive Personal Data

Includes racial or ethnic origin, political opinions, religious beliefs, biometric data, health information, financial information, and identification numbers.

Data Protection Principles

Legal Bases

Magna may process personal data based on legal obligations, contractual requirements, legitimate interests, user consent, or protection of vital interests.

Responsibilities of Controllers and Processors

Magna Controllers and Processors are responsible for ensuring compliance with applicable data privacy laws, maintaining records of processing activities, and safeguarding the rights of data subjects.

Personal Data Retention

Personal data must only be retained as long as necessary according to Magna’s Global Record Retention Schedule.

Transfers and Disclosures

International transfers of personal data require appropriate legal safeguards and approved protection mechanisms.

Privacy by Design

Magna conducts privacy risk assessments before processing sensitive or high-volume personal data and implements safeguards to minimize identified risks.

Rights of Data Subjects

Personal Data Breaches

Magna takes personal data breaches seriously and responds promptly by implementing safeguards and notification procedures where required.

Training and Awareness

Employees handling personal data must receive appropriate training and demonstrate understanding of applicable privacy obligations.

Compliance

Violations of this policy may result in disciplinary action up to and including termination of employment.

Countries of Scope

European Union countries, Argentina, Brazil, China, India, Japan, North Macedonia, Serbia, South Korea, Switzerland, Thailand, Turkey, and the United Kingdom.

```