Customers

Responsibility to customer: focus and performance

One of the key factors of Cellnex's business model is continuous interaction with the customers throughout the entire service provision process. From commercial management, to response to incidents, reporting and possible queries and complaints during provision, operation and maintenance. Customers are one of the most important stakeholders for the company. In this regard, Cellnex has defined a relationship model with its customers based on proximity, transparency and striving for constant improvement.

With the aim of guaranteeing a personal and stable relationship with customers, Cellnex is committed to orienting its sales force by market segment, strengthening the role of the manager, whose mission is a specialised end-to-end relationship with customers, offering them a comprehensive and personalised service, focusing on their overall satisfaction.

In addition, the extension of Cellnex's commitment to its customers is one of the strategic lines of Cellnex's ESG Master Plan. Consequently, one of the objectives defined by the Plan to be achieved by 2025 is the development of a specific Code of Conduct for customers that includes issues such as working conditions, human rights, anti-corruption and bribery, to ensure compliance with ESG issues.

The Global Commercial Vision is one of the Core Business Functions (CBF) underpinning Cellnex's Industrial Model, where the objective is to implement a common business perspective and commercial strategy, offering a broader vision of the market and a clear customer focus.

To this end, the corporate Global Marketing and Sales area is responsible for identifying international opportunities, developing commercial activity in each country by providing support materials, introducing new services and products, and extending good practices to all sales representatives.

In addition, under the Industrial Model, the Salesforce tool has been implemented in all countries to homogenise and standardise the sales process and to better coordinate and understand the commercial process. Salesforce is the management, reporting and commercial monitoring tool used by all Cellnex sales staff in all countries. During 2021, the tool undergone various updates, which provide more detailed and precise visibility of all sales activities.

Cellnex Connectivity Days

The Cellnex Connectivity Days programme continued in 2021, a series of conferences that bring together a range of major players in the field of telecommunications to discuss the most innovative and topical issues in the sector. The conferences and topics featured in 2021 were as follows:

• April 2021: "Towards the city of the future", a project focused on improving the connectivity of the cities of the future through the deployment of telecommunications infrastructures and Smart & IoT services.
• June 2021: "When connectivity in health really matters", a project developed to address the needs of the health service through digitalisation.
• 7 October 2021: "Enabling Industry 4.0: Boost productivity with private wireless networks", a project to address the challenges and benefits of private network deployments for the manufacturing industry.

Customer Service

Customer Service is a strategic priority and a cross-cutting commitment that must be present every the Cellnex action create sustainable value distributed to all stakeholders.

To guarantee a personal and stable relationship with customers, Cellnex has designed a global customer service model in which it provides the customer with three contact points throughout the service:

• Commercial: Each customer is assigned an account manager, whose responsibility is to keep abreast of all the relationships that Cellnex maintains with its customer to meet their needs and concerns from a global perspective.
• Project Manager: These are the contacts with the customer, together with the Account Manager, in the feasibility and delivery stage of a service. They play an important role in customer satisfaction, as they are the department that can influence customer satisfaction through optimal performance in designing the service to be provided.
• Supervisor: These are the main contact with the customer, together with the account manager, in the service delivery stage. They are responsible for ensuring the availability of service levels, and monitoring and optimising the service provided.

In addition, in the countries where the volume of customers is not so very high, business with customers can be much closer and more individualized. This allows close links to be established through regular conversations managed directly by an account manager or director.

Cellnex focuses on stakeholder needs and expectations, offers high quality services, satisfies customers and is continuously improving. In this respect, at Cellnex Spain in 2021 the average frequency of interruption was 119 days (97 days in 2020), that is, on average a customer who had contracted a service with Cellnex would have observed a network interruption approximately every 119 days, and the average duration of interruption was 2.2 hours (2 hours in 2020). This demonstrates the trend of improvement in the interruption frequency. In Cellnex Italy, in 2021 the average network outage frequency was 1.2%, with around 94 outages per month with an average duration of 2.2 hours.

In addition, Cellnex offers customers a number of communication channels. Through these channels, Cellnex receives the claims sent by its customers and analyses them. In this regard, with a view to 2023, the ESG Master Plan has defined the establishment of a common Claims Management Procedure for the entire Company.

In 2021, there were 124 complaints (13 in 2020), of which 98% (100% in 2020) were processed and resolved in accordance with the company's procedures before the end of the year, the rest are still being processed in 2022.

A complaint is defined as a formal expression of dissatisfaction with the service received by a customer, user or group.

• Customer complaint: A complaint submitted directly by a customer with whom Cellnex has a contractual relationship.
• User complaint: A complaint submitted by the end user, received directly or derived from an external customer.
• Group complaint: Complaint from a group of users that may be represented by public administration bodies and private organisations (antenna organisations, neighborhood associations, etc.).

Customer Engagement

Following the customer care model, Cellnex carries out satisfaction surveys to ascertain customer overall opinion of the company and to evaluate the quality and suitability of the service provided, to be able to draw up an Action Plan in line with the resulting needs.

One action framed within the ESG Master Plan in relation to the extension of Cellnex's commitment to its customers is developing a standard survey and a corporate model to measure customer engagement. As such, during 2021, a unified global survey was designed (the "Customer Engagement Survey") for all business units, which was launched during the last four months of 2021 in a coordinated and homogeneous manner for all countries. Based on the results obtained, it will be possible to analyse the Cellnex services and activities that are most highly valued by customers, in order to extend best practices between the various countries. The homogeneous view provided by the survey will allow Cellnex to make a more realistic comparison between customers in all the countries where the Company provides its services.

Customer Engagement Survey

In 2021, a Customer Commitment study was launched for the first time in all Business Units. The main objectives were the following:

• Obtaining a global and easy framework, deployable across Cellnex, to compare customer engagement in all Business Units with common KPIs.
• Analysing the customer engagement both overall and country-specific by launching a common customer survey in Cellnex countries

The survey is linked to the Cellnex Process Map and is broken down into five categories: General, Offer and Sell, Deliver Services, Assurance and Customer Care, in which specific questions related to these topics are defined. In addition, the Business Units can add specific questions, with prior validation at corporate level. Moreover, to guarantee objectivity and independence, Business Units are recommended to the have the survey carried out by an external partner.

The results of the main key indicators (Customer satisfaction-CSAT, Net promoter score-NPS, Customer effort score-CES, Response rate-RR) were segmented by customer category (MNO and other critical customers, important customers, and Long Tail customers) and by customer segment (Broadcast, Operators, Public Administrations and Enterprises).

In this regard, 12 countries participated in the Customer Engagement Survey defined in 2021, in which more than 450 surveys were launched. The overall response rate was 61%, thus exceeding the target response rate that was initially defined.

Information Security

Information is a very important asset for Cellnex Group, and it is necessary to guarantee the confidentiality, integrity and availability of information in accordance with recognised standards of Information Security management in the provision of services as a Telecommunications infrastructure operator to Operators, Broadcasters, Public Administrations and Corporations.

In this regard, in 2019 Cellnex approved the Information Security Policy, which aims to establish the guidelines and lines of action in Information Security that govern the way in which Cellnex Group manages and protects its information and services, as well as its communication to stakeholders and implementation in all companies and functional areas of the Group.

To this end, measures are taken to identify and protect information assets from unauthorised access, modification, communication or destruction, whether intentional or accidental, ensuring that they are used only for purposes approved by Cellnex Management.

Involvement in the protection of these assets and the implementation and maintenance of appropriate security controls is the responsibility of the entire Cellnex team. To this end, employees have the necessary material resources, continuous training in technologies and skills, and development processes to detect individual needs.

In order to develop the provisions of the Information Security Policy, Cellnex has drawn up a Global Strategic Security Plan for Cybersecurity and Physical Security, which enables it to anticipate high-impact incidents, in accordance with the reference frameworks. The Plan applies to all the companies that make up Cellnex group and covers all aspects of corporate security, regardless of the type of threat, whether physical, IT or hybrid.

The Global Strategic Security Plan for Cybersecurity and Physical Security defined the actions to be undertaken between 2019 and 2022. However, thanks to the quick pace of implementation of the actions the completion of the plan has been brought forward one year to end in 2021. In this regard, Cellnex is currently defining the new Global Security Strategic Plan 2022-2025.

The main initiatives developed during 2021 within the framework of the Strategic Plan are as follows:

• Implementation of two-factor authentication for access by all users (internal and external) to Cellnex applications.
• Deployment of virtual patching solution to protect Cellnex assets against new vulnerabilities that may arise.
• Optimisation of network segmentation to prevent the spread of malware in the event of an infection within Cellnex.

The projects run during 2021 involved major investment focused on anti-fraud protection related to the user (identity theft, phishing detection, etc.) and assets, both physical (advanced protection of the workstation, virtual patching, etc.) and cloud (implementation of CASB).

The Global Security Office was established to provide global Information Security support. During 2021 the services provided by the Office were consolidated in the countries defined in the Global Security Strategic Plan 2019-2022. By 2022 the Security Office will be expanded with new functions to strengthen its functional and also geographical scope, incorporating all new business units (Portugal, Ireland, Sweden, Denmark, Austria, Poland and Finland). The new services to be offered include the following

• Development and maintenance of the third party security risk management model.
• Annual review of the security master plans for each business unit.
• Support for the monitoring of new regulations with an impact on security for each business unit.

Cellnex has a Personal Data Protection Policy, through which Cellnex Group guarantees the security, secrecy and confidentiality of the personal data under its responsibility, adopting the most demanding and robust security measures and technical means to prevent any loss, misuse or unauthorised access. As such, any personal data that Cellnex Group collects through the various channels will be treated with absolute confidentiality, and it pledges to keep them secret and discharge its obligation to protect them by adopting all reasonable measures necessary to prevent alteration, loss and unauthorised access or processing, in accordance with the provisions of applicable law.

In addition, Cellnex's ESG Master Plan, includes an objective for 2025 to join other companies in signing the "Charter of Trust", a charter for greater cybersecurity.

Continuous improvements in information security are introduced within the framework of a Management System, which the Management is committed to leading in accordance with the ISO 27001 standard, and which applies to all of the Group's Business Units. This is centered on people management, process management and continuous improvement, which guarantees its effectiveness and efficiency. In 2021, the global ISO 27001 certification was maintained in the countries already included in the 2020 perimeter and all the companies in Portugal and Ireland were included, as well as OnTower UK. By 2022, Sweden, Austria and Denmark are expected to be included in the global ISO 27001 certification.

Automation of security processes

Cellnex is committed to the automation of security processes, for example through the development of tools that enable automatic implementation of actions upon detection of certain events to block sophisticated attacks. This has made it possible to gain detection, prevention and protection capacity, thereby increasing the response capacity and security level, and mitigating the associated risks. Detected and blocked security incidents have increased in complexity in recent years due to the development of increasingly targeted attacks.

During 2021, no incident involving theft, data breaches or loss of information or affecting the business was detected in any of Cellnex's business units.

One incident was reported to the Spanish Data Protection Agency in which an employee's credentials were compromised, giving access to his mailbox. This account was used to send emails to contacts in his address book. There was no impact on the business and the incident was closed by the Spanish Data Protection Agency.

Awareness

During 2021, several awareness and training campaigns were carried out for employees related to information security. In this regard, for example, the following were carried out:

• 7 awareness campaigns using "Phishing" simulations (where an attacker sends a fraudulent message designed to trick an employee into revealing confidential information or to implement malicious software on the victim's infrastructure).
• 1 simulation of a high impact virus event for 100% of employees.
• 2 mandatory training sessions also for 100% of employees.

In addition, information security advice has been provided and alerts have been given on virus or phishing campaigns aimed at Cellnex staff.

All of this has contributed to a 25% drop in the rate of phishing campaigns from 2020 to 2021, despite the increase in the sophistication of the attacks.