The EU General Data Protection Regulation (GDPR) regulates the protection of data. In the following, we would like to inform our shareholders about the processing of their personal data and their rights

United Internet AG (hereinafter “we” and “us”) places great emphasis on compliance with data protection provisions. By providing the information below, we would like to inform our shareholders, shareholder representatives and guests who may attend our Annual Shareholders' Meetings, about the processing of their personal data and the rights accruing to them under data protection law.

For more information on data protection at United Internet AG, please see our Privacy Policy.

Controller

The controller for the processing of personal data is United Internet AG. You can contact United Internet AG at:

United Internet AG
Elgendorfer Straße 57
56410 Montabaur
Germany
Telephone: +49 (0)2602 96 1100
Fax: +49 (0)2602 96 1013
email: info@united-internet.de

If you have comments on or inquiries about the processing of personal data, please contact United Internet AG’s Data Protection Officer at:

United Internet AG
The Data Protection Officer
Elgendorfer Straße 57
56410 Montabaur
Germany
email: info@united-internet.de

Purpose and legal basis of processing

We process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Stock Corporation Act (AktG) and all other relevant legal provisions.

United Internet AG shares are registered shares. In the case of registered shares, Section 67 of the German Stock Corporation Act (AktG) stipulates that these shares must be entered into the company’s share register, indicating the name, date of birth and the address (including e-mail address) of the shareholder as well as, in the case of no-par-value shares, the number of shares or the share certificate number. Shareholders are obliged to provide the company with this information.

When registered shares are bought, sold or kept in safe custody, the participating credit institutions/custodian banks generally pass on to us the mandatory disclosures and all other infor-mation (e.g., along with the aforementioned data, the nationality, gender and remitting bank) necessary for maintaining the share register. In some cases, United Internet AG may also receive personal data directly from shareholders or shareholder representatives.

We use the personal data of our shareholders (e.g., name and contact information, number of shares, share class, form of share ownership, number of the admission ticket to a Shareholders’ Meeting, information on the registration) as well as the personal data of shareholder representatives for the purposes provided for under the German Stock Corporation Act (AktG), in particular, for maintaining the share register, communicating with you as shareholders and organizing Shareholders’ Meetings. The processing of personal data is required by law for these purposes. The legal basis for the processing of your personal data is established under the German Stock Corporation Act (in particular, Sections 67, 67e, 118 ff. AktG) in conjunction with point (c) of Article 6 (1) sentence 1 GDPR. If a Shareholders’ Meeting takes place as a virtual shareholders’ meeting within the meaning of Section 1 (2) of the German Act on Measures Under the Law of Companies, Cooperative Societies, Associations, Foundations and Commonhold Property to Combat the Effects of the COVID-19 Pandemic of March 27, 2020, (Covid 19 Act) the processing of personal data is legally mandatory for the proper preparation and implementation of the virtual shareholders’ meeting, for the exercise of voting rights and for tuning into and following the meeting electronically. The legal basis for the processing is point (c) of Article 6 (1) sentence 1 GDPR in conjunction with Sections 67e, 118 ff. AktG and in connection with Section 1 of the Covid 19 Act.

In addition, data processing that is necessary for the organization of Shareholders’ Meetings may be carried out on the basis of prevailing legitimate interests (point (f) of Article 6 (1) sentence 1 GDPR).

Furthermore, we use your data on the basis of point (c) of Article 6 (1) sentence 1 and (4) GDPR for purposes that are compatible with those indicated above (in particular, for preparing statistics on, for instance, the changes in the shareholder structure, the number of transactions or overviews of the major shareholders).

In addition, we also process your personal data if necessary to comply with other mandatory obligations, such as regulatory requirements and/or retention requirements under German stock corporation, commercial and/or tax law. To fulfill the provisions under German stock corporation law, we must, for example, maintain the data pertaining to the documented proof of the authorization granted to the proxies nominated by the company for a Shareholders’ Meeting. The legal basis for the processing in this case is established by the respective statutory provisions and point (c) of Article 6 (1) sentence 1 GDPR.

In individual cases, we also process your data insofar as this is necessary to protect the legitimate interests of United Internet AG (point (f) of Article 6 (1) sentence 1 GDPR), among other things, for statistical purposes, for the processing of contact and service enquiries, for the production and publication of photographs and video recordings at our events, or for guest participation at Shareholders’ Meetings.

In our shareholder portal, we use your personal data as a shareholder in principle only for the purpose for which you have provided us with the data, e.g., to provide you with access to the Shareholders’ Meeting services, including the capability to follow along with a Shareholders’ Meeting by electronic means, to register and log on to the shareholder portal individually, to request a new password, to document your online registration for a Shareholders’ Meeting, to document online orders (in particular, admission tickets), to document votes cast by you via absentee voting, to document your representation by an authorized representative under a proxy and your instructions (if any), to contact you in the event of contact and service enquiries or to provide you with access to certain information.

If you have given your consent on our shareholder portal to being contacted via electronic communication for the dispatch of the invitation to a Shareholders’ Meeting, for the dispatch of the admission ticket to the Shareholders’ Meeting, for the dispatch of our email newsletter, for the dispatch of financial reports, for participation in a shareholder competition or for the dispatch of other information from United Internet AG, we will process your email address as well as, if necessary, your telephone number on the basis of the consent given in the relevant case (point (a) of Article 6 (1) sentence 1 GDPR).

When shareholders and shareholder representatives visit our shareholder portal, data and device information are collected via the accessing of the shareholder portal and recorded in the web server log files. This includes the following data:

  • the name of the accessed file,
  • the date and time the portal is accessed,
  • the information whether or not accessing the portal was successful,
  • a description of the type of web browser used,
  • the referrer URL (the previously visited website), and
  • the host name of the accessing computer (the IP address).

Your browser transmits these data automatically when you visit the shareholder portal.

In our shareholder portal, we also use cookies to ensure the functionality of the website. Cookies are small text files that store information on users’ movements when they visit a website and that are placed on users’ computers and held available for further visits to the website. The cookies necessary purely for technical reasons that we use enable navigation on our shareholder portal. These cookies additionally ensure that your session is secure. Based on session storage technology, after logging on, information on the authentication token and the session data are collected. Additionally, the local storage function is used to store the timestamp of the login. For reasons of security, this enables an automatic logout after a set length of time has elapsed. When the browser is closed, these data are automatically erased. The legal basis for the data processing by means of cookies and web server log files is established by point (f) of Article 6 (1) sentence 1 GDPR.

If we intend to process your personal data for a purpose that is not one of the aforementioned, we will inform you before doing so in accordance with the statutory provisions.

Recipients of your data 

For the purpose of maintaining the share register and for organizing Shareholders’ Meetings (e.g., for the printing and dispatching of invitation material or conducting a Shareholders’ Meeting), to an extent, we use external service providers and affiliated companies who are granted access to your personal data within the scope of the tasks entrusted to them. Our partners are carefully selected in the context of the processing and are subject to compliance with United Internet AG’s data protection standards in accordance with Article 28 GDPR.

Our shareholder portal is operated by Computershare Deutschland GmbH & Co. KG on behalf of United Internet AG in accordance with instructions from United Internet AG in the context of processing pursuant to Article 28 GDPR. Computershare does not use your personal data for its own purposes.

The service providers and affiliated companies we work with process your personal data exclusively in line with our instructions and only to the extent necessary for carrying out the contracted service. All the employees of United Internet AG, of the group of companies and the employees of the service providers who have access to your personal data and/or process them are under an obligation to treat these data confidentially.

Moreover, we may be obligated to transfer your data to further recipients, such as public authorities for the purpose of complying with statutory disclosure obligations.

If you participate in a Shareholders’ Meeting, the other shareholders and shareholder representatives of United Internet AG are able to view the data recorded in the list of participants for a period of up to two years after the Shareholders’ Meeting pursuant to Section 129 (4) of the German Stock Corporation Act. Counter-motions and nominations by shareholders must be made accessible under the conditions laid down by Sections 126 and 127 of the German Stock Corporation Act, including the name of the shareholder. Any motions made in accordance with Section 122 (2) of the German Stock Corporation Act to add items to the agenda are published by United Internet AG, also including the name of the applicant. If a Shareholders’ Meeting takes place as a virtual Shareholders’ Meeting within the meaning of Section 1 (2) of the Covid 19 Act, the personal data of shareholders or shareholder representatives exercising their voting rights may be viewed by other shareholders and shareholder representatives within the scope of the statutory provisions (in particular, the list of participants, Section 129 of the German Stock Corporation Act, insofar as the shareholders or shareholder representatives are listed therein). This also applies to questions that shareholders or shareholder representatives may have asked in advance (Section 1 (2) no. 3 Covid-19 Act).

Transfers to non-EU countries

If we disclose personal data to service providers outside the European Economic Area (EEA), the disclosure of the data takes place only if the non-EU country has had a suitable level of data protection confirmed by the EU Commission or if other suitable data protection guarantees are in place (e.g., binding data protection rules within the company or an agreement making use of the EU Commission’s standard contractual clauses).

You are welcome to request detailed information on this as well as on the data protection level of service providers in non-EU countries by using the aforementioned contact address.

Data security

When transferring data, we use the secure sockets layer (SSL) security protocol in conjunction with 256-bit encryption. This technology offers the highest level of security and is therefore also used by banks for data protection with online banking for instance. You can recognize the transfer of encrypted data from the icon showing a closed lock in the status bar at the bottom of your browser window or in the browser address bar.

United Internet AG secures the shareholder portal and other systems by setting in place technical and organizational measures against the loss, destruction, access, changing and dissemination of your data by unauthorized persons. Access to your user account is only possible if your personal password has been entered. Please always treat your access information confidentially and close the browser window when you have finished communicating with us, especially if you share the computer with others.

Retention period 

We always anonymize or delete your personal data as soon as they are no longer necessary for the designated purposes, the personal data are no longer required for any administrative or legal proceedings and no other statutory obligations to provide proof or retain the data or any other justifications for the retention of the data exist (e.g. under stock corporation, commercial and/or tax law).

The retention period for data collected in connection with a Shareholders’ Meeting is generally up to three years.

The data stored in the share register must generally be kept for ten years after the shares have been sold. In addition, we store personal data only on a case-by-case basis if, for instance, this is necessary in connection with claims.

Rights of the data subject

Under the statutory requirements, you have the right to obtain information on your personal data being processed from the aforementioned contact address (Article 15 GDPR) and to the rectification (Article 16 GDPR) or deletion (Article 17 GDPR) of your personal data or to restrict their processing (Article 18 GDPR).

Furthermore, you have the option of consulting the competent supervisory authority.

Right to object (Article 21 GDPR): If we process your data to pursue legitimate interests (point (f) of Article 6 (1) sentence 1 GDPR), you can object to this processing except when reasons arise on the grounds of your particular situation that prevent this processing. Please submit your objection to the aforementioned contact address.

Right to withdraw consent (Article 7 (3) GDPR): If we process your personal data based on your consent (point (a) of Article 6 (1) sentence 1 GDPR), you can withdraw this consent at any time. To withdraw your consent please use the aforementioned contact address.

Right to data portability (Article 20 GDPR): If we process your personal data based on your consent (point (a) of Article 6 (1) sentence 1 GDPR), you have the right to receive your personal data in a structured, commonly used and machine-readable format.