Data privacy information for shareholders

With the following information, we would like to inform our shareholders, shareholder representatives and guests attending our Annual Shareholders' Meetings about the processing of their personal data by United Internet AG (hereinafter: "United Internet AG" or "we" or "us") and the rights to which they are entitled under data protection law.

For more information on data protection at United Internet AG, please see our Privacy Policy.

Controller

The controller for the processing of personal data is United Internet AG. You may reach United Internet AG at:

United Internet AG
Elgendorfer Straße 57
56410 Montabaur
Telephone: +49 (0) 2602 96 1100
Email: info@united-internet.de

For comments and queries regarding the processing of your personal data, you can contact the data protection officer of United Internet AG at

United Internet AG
Data Protection Officer (Der Datenschutzbeauftragte)
Elgendorfer Straße 57
56410 Montabaur
Email: privacy-ui@united-internet.de

Purposes and legal bases of data processing

We process your personal data in full compliance with the provisions of the EU General Data Protection Regulation (“GDPR”), the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), the German Stock Corporation Act (Aktiengesetz, “AktG”) and other applicable laws and regulations.

We process the personal data of our shareholders (e.g. surname and first name, address, e-mail address, number of shares, type of share ownership and admission ticket number) and, if applicable, the personal data of shareholder representatives for the purpose of holding the Annual General Meeting. We process the surname and first name of guests attending the Annual General Meeting.

The shares in United Internet AG are registered shares. According to Sec. 67 AktG, these shares must be entered in our share register, stating the shareholder’s name, their date of birth and address (including an email address) and – in the event of no-par value shares – the number of shares held or the identification number of such shares. The shareholder is generally obliged to provide this information to us. To the extent that shareholders or, where applicable, shareholder representatives do not provide their personal data themselves, we usually receive the data from a shareholder’s custodian bank (so-called ultimate intermediary). Participation in the Annual General Meeting is not possible without providing personal data.

We process personal data of shareholders and shareholder representatives to the extent that this is required under applicable law for the proper preparation, conduct and wrap-up of the shareholders’ meeting, to allow the exercise of shareholders’ rights and for the maintenance of the share register. This includes, with regard to conducting the shareholders’ meeting, in particular the processing of the registration, the exercise of shareholders’ voting rights, the exercise of the right to speak, the right to ask questions and the right to file motions during the shareholders’ meeting, the compilation of the list of participants and the recording of objections and questions in the notarized minutes. For these purposes, the shareholders’ meeting will be broadcast live to premises of the shareholders’ meeting accessible to shareholders and shareholder representatives (e.g., in the entrance area) and to a back office for shorthand recording. The legal basis for the processing of personal data is Art. 6 (1) sentence 1 lit. c GDPR in conjunction with Secs. 67 and 67e, Secs. 118 et seqq. AktG.

When the shareholders’ portal is used, we also process personal data via server log files transmitted by the browsers automatically for technical reasons in order to establish a connection. The legal basis for this is Art. 6 (1) sentence 1 lit. f GDPR. The transmitted data includes:

• Name of the retrieved file
• Date and time of the retrieval
• Notification of whether the retrieval was successful
• Description of the type of web browser used
• Referrer URL (the previously visited page)
• Host name of the accessing computer (IP address)

For reasons of technical security, in particular to defend against attempted attacks, this data is stored for a short time.

In our shareholders’ portal we also use cookies (including the use of local/session storage), which are technically necessary for the operation of the shareholders’ portal. The legal basis for this data processing is Sec. 25 (2) no. 2 of the German Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, “TTDSG”) in conjunction with Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interest lies in the technically flawless provision of the shareholder portal.

In individual cases, we also process your personal data insofar as this is useful for the organization of the Annual General Meeting and therefore necessary to safeguard our legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) (for example, for shareholder communication and for statistical purposes as well as for the participation of guests in the Annual General Meeting and the maintenance of a guest directory for internal purposes). In this respect, the provision of personal data is not required by law or contract. However, guests can only attend the Annual General Meeting if they state their name.

In addition, we process your personal data, where necessary, to comply with other legal obligations, e.g., regulatory requirements or record retention requirements under stock corporation, commercial and/or tax laws. In this case, the respective legal provisions in conjunction with Art. 6 (1) sentence 1 lit. c GDPR form the legal basis for the processing of personal data.

Recipient(s) of your data

The service providers (including affiliated group companies) commissioned by us for the purpose of organizing the shareholders’ meeting process your personal data exclusively in accordance with the instructions of United Internet AG and only to the extent required for the performance of the service commissioned. All employees of United Internet AG as well as all staff of commissioned service providers who have access to and process your personal data have committed to treat such data confidentially.

In addition, we will make personal data, in particular the name of shareholders and shareholder representatives, available to other shareholders and shareholder representatives subject to the statutory requirements (in particular regarding the list of participants, Sec. 129 AktG). This also applies to personal data contained in motions to add items to the agenda, counter-motions, nominations and in contributions made in the context of exercising the right to speak or answering questions, if any. The legal basis in these cases is Art. 6 (1) sentence 1 lit. c GDPR, or, to the extent that there is no legal obligation to publish the personal data, Art. 6 (1) sentence 1 lit. f GDPR (legitimate interest).

Furthermore, we may be obliged by law to transmit your personal data to further recipients such as, for instance, public authorities in order to comply with statutory reporting obligations.

Your personal data will not be transferred to recipients in countries outside the European Union (“EU”) or the European Economic Area (“EEA”).

Storage period

We will anonymize or erase your personal data in accordance with the statutory provisions as soon as the two-year period for inspection of the register of participants in accordance with Sec. 129 (4) AktG has expired, the personal data are no longer required for the original purposes of collection or processing, the data are no longer required in connection with any administrative or court proceedings, and if no other statutory retention obligations apply. Personal data that we collect in connection with the shareholders’ meeting will be stored, as a general rule, for three years. The personal data stored in the share register must be stored, as a rule, for ten years after the shares were sold. We will erase server log files for the shareholders’ portal after 32 days at the latest.

Your rights

Subject to the legal requirements, the existence of which must be checked in each individual case, you have the right to obtain information about your processed personal data (Art. 15 GDPR) and to request the rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) of your personal data or the restriction of processing (Art. 18 GDPR) using the contact details provided above. You also have the right to lodge a complaint with the competent data protection supervisory authorities and the right to receive your personal data in a structured, commonly used and machine-readable format (Art. 20 GDPR).

If personal data is processed on the basis of Art. 6 para. 1 sentence 1 lit. f) GDPR, you also have the right to object to the data processing (Art. 21 GDPR) under the legal requirements, the existence of which must be checked in each individual case.