Information on data protection for shareholders of SFC Energy AG with regard to data processing for the purpose of the Virtual General Meeting

Protecting your personal data and processing it in compliance with the law is a matter of high priority for us. Therefore, the following notes contain information on the collection, processing and use of your personal data by SFC Energy AG in connection with the preparation, conduct and follow-up of the Virtual General Meeting as well as the rights to which you are entitled under the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

We will conduct the General Meeting in 2020 without the physical presence of shareholders and their appointed representatives as a Virtual General Meeting with the option of joining the Virtual General Meeting. Shareholders and their appointed representatives may therefore not physically participate in the General Meeting. However, the entire General Meeting can be followed by video and audio transmission by connecting to the shareholder portal. The shareholder portal is operated by our service provider Better Orange IR & HV AG, Haidelweg 48, 81241 Munich exclusively on our behalf and according to our instructions. The shareholder portal is available at https://www.sfc.com/en/investors/shareholders-annual-meeting-2020/.

1. Who is responsible for data processing?

The entity responsible for processing your personal data is:

SFC Energy AG
Eugen-Sänger-Ring 7
85649 Brunnthal
Germany
Tel: +49 89 67 35 92-0
Fax: +49 89 67 35 92-169
E-Mail: [email protected]

If you have any questions about this data protection information, you can contact the data protection officer of SFC Energy AG by post or by email at the following address:

Mr. Kivanç Semen
Data Protection Officer
DataCo GmbH
Dachauer Str. 65
80335 Munich
Germany Phone: +49 89 7400 45840
E-Mail: [email protected]

2. What personal data do we process and where do we get it from?

In connection with the execution of our Virtual General meeting, we process the following personal data of our shareholders:

  • First and last name, title if applicable, date of birth if applicable;
  • Nationality;
  • Address;
  • Shareholder data (access data for the shareholder portal (GM ticket number), shareholder category – natural or legal person); and
  • Information on your share portfolio.

In addition, we process the name and address of any appointed shareholder representative. If shareholders or their appointed representatives contact us, we additionally process the personal data required to respond to the respective request, such as the email address or telephone number. When you visit our shareholder portal on the internet, we collect data on access to our shareholder portal. The following data and device information are logged in the web server log files:

  • Retrieved or requested data;
  • Date and time of retrieval;
  • Message whether the retrieval was successful;
  • Type of web browser and operating system used;
  • IP address;
  • GM ticket number and session ID;
  • Login and password reset; and
  • knowledge and acceptance of the terms of use.

In addition, we also process information on questions sent to SFC Energy AG via the shareholder portal, on countermotions and nomination proposals and other requests by shareholders or their appointed representatives submitted in relation to the Virtual General Meeting, as well as on your voting behaviour. We or the service providers we commissioned receive the shareholder’s personal data either from the shareholders themselves or, via our registration office, from the credit institutions that the shareholder has commissioned to hold our shares in safe custody (so-called deposit shares).

If you act as an appointed representative for a shareholder, we will receive your personal data from the shareholder who has granted you power of attorney and directly from you if your conduct at the Virtual General Meeting is affected.

3. For what purposes and on what legal basis is your data processed?

We process your personal data in compliance with the provisions of the GDPR, the BDSG, the German Stock Corporation Act (Aktiengesetz, AktG) as well as any other relevant legal provisions. Via the shareholder portal, you can, among other things, exercise your voting rights by postal vote, grant powers of attorney, submit questions or submit objections to the minutes. To use the shareholder portal, you must log in with your access data (GM Ticket number and password), which you receive with your GM ticket. Use of the shareholder portal is subject to the terms of use available there.

a) Operation of the shareholder portal

The processing of the above-mentioned access data and device information in web server log files is technically necessary for the shareholder portal as well as for detecting misuse, troubleshooting and ensuring the smooth running of the Virtual General Meeting. In this respect, we have a justified interest in providing you with the shareholder portal as a service for shareholders and shareholder representatives so that you can exercise your shareholder rights in a user-friendly manner and be connected to the Virtual General Meeting. The legal basis for these processing operations is Article 6(1)(f) GDPR.

b) Identity verification

When you register in the shareholder portal, we process your registration information (first and last name, title; email address; GM ticket number and password) in order to verify your authorisation to attend the Virtual General Meeting as shareholder or shareholder representative or to take preparatory measures. The processing is required to fulfil our obligations under stock corporation law in accordance with sections 118 et seqq. AktG and, if applicable, in connection with section 1 (2)(2) and (4) of the law on measures in company, cooperative, association, foundation and residential property law to combat the effects of the COVID 19 pandemic (C-19 AuswBekG). The legal basis for the processing is Article 6(1)(c) GDPR.

c) Preparation, implementation and follow-up of the Virtual General Meeting

When processing your personal data in connection with the Virtual General Meeting, we comply with the purposes stipulated in the German Stock Corporation Act. These include communication with shareholders and various procedures in connection with the handling of Virtual General Meetings. We process your personal data in order to process the registration and connection to the Virtual General Meeting of the shareholders or their appointed authorized representatives (e.g. checking the authorization to connect, creating the list of participants, sending GM tickets) and to enable the shareholders or their designated authorized representatives to exercise their rights within the scope of the virtual general meeting (including granting and revoking powers of attorney).

In particular, we will also process your voting behaviour if you or your appointed representatives exercise your voting rights before or during the Virtual General Meeting by postal vote or by electronic postal vote via the shareholder portal in order to ensure the proper resolution and valuation of votes at the Virtual General Meeting. In addition, we process information about your objection to resolutions of the Virtual General Meeting if you declare such an objection during the Virtual General Meeting via the shareholder portal.

The legal basis for these processing operations is Art. 6 (1)(c) GDPR in conjunction with our obligations under stock corporation law pursuant to sections 118 et seq. AktG and, where applicable, in conjunction with the C-19 AuswBekG.

The processing of your personal data is necessary for the proper execution of the Virtual General Meeting. If you do not provide us with the necessary personal data, we may not be able to connect you to the Virtual General Meeting.

d) Exercise of the right to ask questions

If you as a shareholder make use of the opportunity to submit questions in advance of the Virtual General Meeting via our shareholder portal and your questions are dealt with in the Virtual General Meeting or, if applicable, in advance by publishing frequently asked questions (FAQs) on the website of SFC Energy AG, this will generally be done by stating your name. This can be taken note of by other persons attending the Virtual General Meeting. This data processing is necessary in order to safeguard our legitimate interest in bringing the course of the Virtual General Meeting as close as possible to a physical general meeting and the legitimate interest of the other persons attending the Virtual General Meeting in finding out the name of a questioner. The legal basis for this processing is Article 6(1)(f) GDPR.

e) Processing in the context of voting rights notifications

In addition, we process data transferred by you or other notifying persons as part of voting rights notifications in accordance with the German Securities Trading Act (Wertpapierhandelsgesetz). The relevant statutory provisions and Art. 6(1)(c) GDPR serve again as the legal basis for processing data in these cases.

f) Processing for the fulfilment of legal retention requirements

In addition, your personal data may also be processed for satisfying further legal obligations such as regulatory requirements as well as retention obligations under stock corporation law, commercial law and tax law. We are required, for example, to record the power of attorney granted to the proxy designated by us for the Virtual General Meeting so that it can be verified and to keep and protect it against third-party access for a period of three years. In such instances, too, Art. 6 (1)(c) GDPR is the relevant legal basis.

g) Cookies

We use technically essential cookies for our shareholder portal. Cookies are small files that are stored on your desktop, notebook or mobile device by a website you visit. From this we can see, for example, whether there has already been a connection between your device and our shareholder portal, or which language or other settings you prefer. Cookies can also contain personal data. You can set your browser so that you are informed about the setting of cookies and allow cookies only in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If you decide not to use cookies, it is possible that not all functions of our shareholder portal will be available to you or that individual functions will only be available to a limited extent. The necessary session cookies used by us are only used for the purpose of providing the portal site and for the registration and identification of shareholders. They are essential for the functions of the shareholder portal and are deleted when you close your browser.

The setting of and access to the data stored in absolutely necessary cookies and the processing of personal data associated with these cookies is necessary to safeguard our legitimate interest in enabling our shareholders and shareholder representatives to visit our shareholder portal. In this respect, the legal basis for this processing is Article 6(1)(f) GDPR. If, in providing the shareholder portal, we wish to use cookies that are not absolutely necessary for the operation of the shareholder portal, such as function or performance cookies, we will only do so if you have given your consent. In this case, when you visit the shareholder portal, we will inform you about our cookies and associated data processing in a pop-up window before using cookies and ask you for your voluntary consent.

h) Other processing

If we intend to process your personal data for any purpose other than those mentioned above, we will inform you of any such intention in advance in compliance with the statutory provisions and obtain your consent, if required.

4. What recipients might we share your data with?

To handle Virtual General Meetings, we use external service providers, e.g. service providers for organizing the Virtual General Meeting, for printing and mailing the invitations to the General Meeting and shareholder notifications, and for conducting the Virtual General Meeting (mainly for providing the shareholder portal through which the Virtual General Meeting is accessible). However, the commissioned service providers only receive those personal data from us that are necessary for the execution of the commissioned service, and they process the data exclusively on our behalf and according to our instructions. All our employees and all employees of external service providers who have access to and/or process personal data are obliged to treat this data as confidential.

In accordance with section 129 AktG, other shareholders and persons attending the Virtual General Meeting can view any data you may have entered in the register of participants during the Virtual General Meeting and, if applicable, up to two years thereafter.

If a shareholder demands any issues to be included on the agenda, such issues will be announced by us by indicating the name of the shareholder provided the requirements under stock corporation law are met. We will also publish shareholders’ counter-proposals and nominations on the company’s website in accordance with stock corporation law by indicating the name of the shareholder provided the requirements are met. If you as a shareholder make use of the opportunity to submit questions and your questions are dealt with during the Virtual General Meeting or, if applicable, in advance by publishing frequently asked questions (FAQ) on the website of SFC Energy AG, this will generally be done by stating your name. This can be taken note of by other persons attending the Virtual General Meeting.

Finally, we may be required to transfer your personal data to further recipients, e.g. when publishing notifications of voting rights in accordance with the provisions of the German Securities Trading Act, or to authorities in compliance with statutory notification requirements (e.g. to tax authorities or prosecuting authorities).

5. How long do we store your data?

We will erase or anonymise your personal data once it is no longer needed for the aforementioned purposes and we are no longer required to continue storing such data in compliance with statutory obligations of documentation and retention (e.g. under the German Stock Corporation Act, the German Commercial Code, the German Fiscal Code or other legal provisions). In addition, we also retain data if required in relation to claims asserted by or against our company or for safeguarding our aforementioned legitimate interests. If you have specific questions concerning the storage period, please contact our Data Protection Officer.

6. How do we protect your data?

We maintain appropriate technical and organisational security measures to protect your personal data against any accidental, unlawful or unauthorised destruction, loss, alteration, disclosure or use.

7. What rights do you have under data protection law?

Within the framework of the applicable data protection laws, you have the right to obtain information about the personal data stored about you, including information such as the origin and categories of the data, the purposes of the processing, the recipients (or categories thereof) and the respective retention period, if the legal requirements are met. In addition, you may claim rectification and, in certain circumstances, erasure of your personal data. Furthermore, you may be entitled to restrict the processing of your personal data (e.g. if the processing of your data is unlawful) and to request the surrender of the data provided by you in a structured, conventional and machine-readable format (and, where applicable, to claim the transfer of such data to another controller).

Insofar as we process your data to protect the legitimate interests of SFC Energy AG or a third party, you are entitled to object to this processing if reasons arise from your particular situation that conflict with this data processing. In such case, we will terminate the processing unless we can provide evidence of compelling legitimate grounds for the processing that override your interests, rights and freedoms or if the processing serves the purpose of asserting, exercising or defending legal claims.

You can assert the aforementioned rights by contacting our Data Protection Officer at the address specified under no. 1 above. It should be noted that there may be statutory exceptions (e.g. continuing retention obligations) that prevent an exercise of your rights. You can also contact our data protection officer if you have a complaint regarding the processing of your personal data and wish to clarify the matter directly with us.

Irrespective of this, you as a data subject have the right to complain to a competent data protection supervisory authority.

The information in this document was updated in: April 2020

In case of any relevant changes, we will provide an update of this information on our website www.sfc.com. Furthermore, we will review on a case-by-case basis whether a change of this information will give rise to any obligation to provide another form of notification and will comply with any such notification obligation accordingly.