The EU General Data Protection Regulation (GDPR) regulates the protection of data. In the following, we would like to inform our shareholders about the processing of their personal data and their rights

With the following, we would like to inform our shareholders, shareholder representatives and guests attending our shareholders’ meetings about the processing of their personal data by United Internet AG (hereinafter: “United Internet AG”, “we” or “us”) and their rights under data protection law.

For more information on data protection at United Internet AG, please see our Privacy Policy.

Controller

The controller for the processing of personal data is United Internet AG. You may reach United Internet AG at:

United Internet AG
Elgendorfer Straße 57
56410 Montabaur
Telephone: +49 (0) 2602 96 1100
Email: info@united-internet.de

For comments and queries regarding the processing of your personal data, you can contact the data protection officer of United Internet AG at

United Internet AG
Data Protection Officer (Der Datenschutzbeauftragte)
Elgendorfer Straße 57
56410 Montabaur
Email: info@united-internet.de

Purposes and legal bases of data processing

We process your personal data in full compliance with the provisions of the EU General Data Protection Regulation (“GDPR”), the German Federal Data Protection Act (Bundesdatenschutzgesetz,BDSG”), the German Stock Corporation Act (Aktiengesetz, “AktG”) and other applicable laws and regulations.

In our capacity as the controller and for the purpose of conducting the shareholders’ meeting, we process personal data of our shareholders (e.g., first and last name, address, email address, number of shares, type of ownership of shares and admission ticket number) as well as, if applicable, personal data of the shareholder representatives.

The shares in United Internet AG are registered shares. According to Sec. 67 AktG, these shares must be entered in our share register, stating the shareholder’s name, their date of birth and address (including an email address) and – in the event of no-par value shares – the number of shares held or the identification number of such shares. The shareholder is generally obliged to provide this information to us. To the extent that shareholders or, where applicable, shareholder representatives do not provide their personal data themselves, we usually receive the data from a shareholder’s custodian bank (so-called ultimate intermediary).

We process personal data of shareholders and shareholder representatives to the extent that this is required under applicable law for the proper preparation, conduct and wrap-up of the shareholders’ meeting, to allow the exercise of shareholders’ rights and for the maintenance of the share register. This includes, with regard to conducting the shareholders’ meeting, in particular the processing of the registration, the exercise of shareholders’ voting rights, the exercise of the right to speak, the right to ask questions and the right to file motions during the shareholders’ meeting, the compilation of the list of participants and the recording of objections and questions in the notarized minutes. For these purposes, the shareholders’ meeting will be broadcast live to premises of the shareholders’ meeting accessible to shareholders and shareholder representatives (e.g., in the entrance area) and to a back office for shorthand recording. The legal basis for the processing of personal data is Art. 6 (1) sentence 1 lit. c GDPR in conjunction with Secs. 67 and 67e, Secs. 118 et seqq. AktG.

When the shareholders’ portal is used, we also process personal data via server log files transmitted by the browsers automatically for technical reasons. The legal basis for this is Art. 6 (1) sentence 1 lit. c GDPR. In our shareholders’ portal we also use cookies that are technically necessary for the operation of the shareholders’ portal. The legal basis for this data processing is Sec. 25 (2) no. 2 of the German Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, “TTDSG”).

In certain individual cases, we also process your personal data if useful for the organization of the shareholders’ meeting and thus for safeguarding our legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR) (for instance for shareholder communication and for statistical purposes).

In addition, we process your personal data, where necessary, to comply with other legal obligations, e.g., regulatory requirements or record retention requirements under stock corporation, commercial and/or tax laws. In this case, the respective legal provisions in conjunction with Art. 6 (1) sentence 1 lit. c GDPR form the legal basis for the processing of personal data.

Recipient(s) of your data

The service providers (including affiliated group companies) commissioned by us for the purpose of organizing the shareholders’ meeting process your personal data exclusively in accordance with the instructions of United Internet AG and only to the extent required for the performance of the service commissioned. All employees of United Internet AG as well as all staff of commissioned service providers who have access to and process your personal data have committed to treat such data confidentially.

In addition, we will make personal data, in particular the name of shareholders and shareholder representatives, available to other shareholders and shareholder representatives subject to the statutory requirements (in particular regarding the list of participants, Sec. 129 AktG). This also applies to personal data contained in motions to add items to the agenda, counter-motions, nominations and in contributions made in the context of exercising the right to speak or answering questions, if any. The legal basis in these cases is Art. 6 (1) sentence 1 lit. c GDPR, or, to the extent that there is no legal obligation to publish the personal data, Art. 6 (1) sentence 1 lit. f GDPR (legitimate interest).

Furthermore, we may be obliged by law to transmit your personal data to further recipients such as, for instance, public authorities in order to comply with statutory reporting obligations.

Your personal data will not be transferred to recipients in countries outside the European Union (“EU”) or the European Economic Area (“EEA”).

Storage period

We will anonymize or erase your personal data in accordance with the statutory provisions as soon as the two-year period for inspection of the register of participants in accordance with Sec. 129 (4) AktG has expired, the personal data are no longer required for the original purposes of collection or processing, the data are no longer required in connection with any administrative or court proceedings, and if no other statutory retention obligations apply. Personal data that we collect in connection with the shareholders’ meeting will be stored, as a general rule, for three years. The personal data stored in the share register must be stored, as a rule, for ten years after the shares were sold. We will erase server log files for the shareholders’ portal after 32 days at the latest.

Your rights

Subject to the statutory requirements, the fulfillment of which must be assessed on a case by case basis, you have the right to access information about your processed personal data (Art. 15 GDPR) and to require rectification (Art. 16 GDPR) or erasure (Art.17 GDPR) of your personal data or the restriction of processing (Art. 18 GDPR) using the above-stated contact information. In addition, you have the right to lodge a complaint with the competent data protection supervisory authority and the right to receive your personal data in a structured, commonly-used and machine-readable format (Art. 20 GDPR). If personal data are processed on the basis of Art. 6 (1) sentence 1 lit. f GDPR, you also have the right to object (Art. 21 GDPR) to the processing subject to the statutory requirements, the fulfillment of which must be assessed on a case-by-case basis.