Information on data protection for shareholders of SFC Energy AG with regard to data processing for the purpose of the shareholders’ meetings

We take the protection of your personal data and their legally compliant processing very seriously. Therefore, the following notes contain information on the collection, processing and use of your personal data by SFC Energy Aktiengesellschaft (SFC Energy AG) in connection with the preparation, conduct and follow-up of the shareholders’ meeting as well as the rights to which you are entitled under the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

1. Who is responsible for data processing?

Responsible person for the processing of your personal data is:

SFC Energy AG
Eugen-Saenger-Ring 7
85649 Brunnthal-Nord
Tel: +49 89 67 35 92-0
Fax: +49 89 67 35 92-169
E-mail: [email protected]

If you have any questions regarding this data protection information, please contact the data protection officer responsible at SFC Energy AG by mail or e-mail at the following address:

Mr Kivanç Semen
Data Security Officer
DataCo GmbH
Dachauer Str. 65
80335 München
Telefon: +49 89 7400 45840
E-Mail: [email protected]

2. What personal data do we process and where do we get it from?

In connection with the conduct of our shareholders’ meeting, we process the following personal data of our shareholders as the persons responsible within the meaning of data protection laws:

  • First and last name, title if applicable, date of birth if applicable;
  • Nationality;
  • Address;
  • Shareholder data (admission ticket number, shareholder category – natural or legal person); and
  • Information on your share portfolio.

In addition, we process the name and address of any appointed shareholder representative. If shareholders or their appointed representatives contact us, we additionally process the personal data required to respond to the respective request, such as the e-mail address or telephone number.

We or the service providers we commissioned receive the shareholder’s personal data either from the shareholders themselves or, via our registration office, from the credit institutions that the shareholder has commissioned to hold our shares in safe custody (so-called deposit shares).

3. For what purposes and on what legal is your data processed?

We process your personal data in accordance with the GDPR, the BDSG, the German Stock Corporation Act (Aktiengesetz, AktG) and all other relevant legal regulations.

We use your personal data only for the purposes defined in the AktG. These include communications with shareholders and various procedures in connection with the handling of shareholders’ meetings. The processing of personal data in connection with shareholders’ meetings is carried out for the purpose of processing the registration and participation of shareholders or their appointed shareholder representatives in the shareholders’ meeting (e.g. examination of eligibility to participate, preparation of the list of participants) and to enable shareholders or their appointed shareholder representatives to exercise their rights within the framework of the shareholders’ meeting (including granting and revoking authorities). The legal basis for the processing of personal data is the AktG in conjunction with Art. 6 para. 1 lit. c) GDPR.

Furthermore, we process data that is communicated to us by you or by other parties under an obligation to disclose it in connection with voting rights notifications under the German Securities Trading Act (Wertpapierhandelsgesetz, WpHG). The legal basis for the processing in these cases is also the respective legal regulations and Art. 6 para. 1 lit. c) GDPR.

In addition, your personal data may also be processed to fulfil further statutory obligations, such as regulatory requirements and retention obligations under stock corporation law, commercial law and tax law. For instance we are obliged to retain, in a verifiable form, the powers of attorney granted in authorising the proxies that we appoint for the shareholders’ meeting and to keep these access-protected for three years. In such instances, too, Art. 6 para. 1 lit. c) GDPR is the relevant legal basis. If we wish to process your personal data for a purpose not mentioned above, we will inform you of this in advance within the framework of the statutory provisions and, if necessary, obtain your consent.

4. With what recipients might we share your data?

We use external service providers for handling the shareholders’ meetings, e.g. service providers for the organisation of the shareholders’ meeting, for printing and mailing the shareholders’ meeting invitations and shareholder notifications, as well as for conducting the shareholders’ meeting (essentially the verification of attendance, technical infrastructure for voting and documentation of the shareholders’ meetings). However, the commissioned service providers only receive personal data from us which is necessary for the execution of the commissioned service and they process the data exclusively in accordance with our instructions.

Other shareholders and participants of the shareholders’ meetings may see your data contained in the attendance list during the meeting prepared in accordance with § 129 AktG during the meeting and, as appropriate, for up to two years thereafter. If a shareholder demands that items be placed on the agenda, we will announce these items stating the name of the shareholder if the conditions pursuant to the stock corporation regulations are met. We will also make countermotions and election proposals from shareholders available on the Company’s website in accordance with the stock corporation regulations, stating the name of the shareholder, provided that the conditions are met.

Finally, we may be obliged to transfer your personal data to other recipients, for example in the publication of voting rights notices under the provisions of the WpHG, or to public authorities to satisfy statutory disclosure requirements (e.g. to tax or law enforcement authorities).

5. How long do we save your data?

We delete or anonymise your personal data as soon as it is no longer required for the above-mentioned purposes and provided we are not obliged to continue to save the data because statutory obligations regarding the furnishing of proof or retention (e.g. in accordance with the AktG, the German Commercial Code, the German Tax Code or other legal provisions) oblige us to continue to save the data. In addition, we retain data only in individual cases if it is necessary to do so in connection with claims made against or by our Company, or to uphold our aforementioned legitimate interests.

If you have specific questions about the storage period, please contact our data protection officer.

6. How do we protect your data?

We take appropriate technical and organisational security measures to protect your personal data from unintentional, unlawful or unauthorised destruction, loss, modification, disclosure or use.

7. What are your rights under data protection law?

Within the framework of the current data protection laws, you have the right to information on what personal data is saved relating to you, including information such as on the origin and categories of the data, the purposes of processing, the recipients (or categories thereof) and the respective retention period. In addition, you may demand correction and, under certain circumstances, deletion of your personal data. Furthermore, you may also have a right to limit the processing of your personal data (e.g. if your data is processed unlawfully) and a right to handover of the data you have provided in a structured, common and machine-readable format (and possibly the transfer of this data to a different data controller).

Right to object to data processing for upholding legitimate interests If we process your data to uphold legitimate interests of SFC Energy AG or a third party, you are entitled to object to this processing if your particular situation gives rise to grounds that oppose this data processing. In this case we will cease the processing unless we are able to demonstrate the existence of compelling legitimate grounds for processing worthy of protection which outweigh your interests, rights and freedom or that the processing serves the assertion, exercise or defence of legal claims.

You can assert the aforementioned rights at the address of our data protection officer listed in section 1. Please note that statutory exceptions (e.g. continued retention obligations) may prevent you from exercising your rights.

8. Do you wish to complain about how your data is being handled?

If you wish to file a complaint regarding the processing of your personal data, you can contact our data protection officer at the contact details listed at the beginning of section 1 in order to clarify the matter with us directly.

Irrespective of this, you have the right to complain to a competent data protection supervisory authority.

Status of the information in this document: April 2019

Where relevant changes occur, we will update this information and make it available on our website www.sfc.com. In addition, we will examine on a case-to-case basis whether there is an obligation to provide any other notification of a change to this information and will meet that notification obligation as appropriate.