Information on data protection for shareholders for the website of IONOS Group SE:

With the following, we would like to inform our shareholders, shareholder representatives and guests attending our shareholders’ meetings about the processing of their personal data by IONOS Group SE (hereinafter: “IONOS”, “we” or “us”) and their rights under data protection law.

Controller

The controller for the processing of personal data is IONOS Group SE. You may reach IONOS at:

IONOS Group SE
Elgendorfer Straße 57
56410 Montabaur
Telephone: +49 (0) 721 170 5522
Email: info@ionos-group.com

For comments and queries regarding the processing of your personal data, you can contact the data protection officer of IONOS at:

IONOS Group SE
Data Protection Officer (Der Datenschutzbeauftragte)
Elgendorfer Straße 57
56410 Montabaur
Email: datenschutz@ionos.de

Purposes and legal bases of data processing

We process your personal data in full compliance with the provisions of the EU General Data Protection Regulation (“GDPR”), the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), the German Stock Corporation Act (Aktiengesetz, “AktG”) and other applicable laws and regulations.

In our capacity as the controller and for the purpose of conducting the shareholders’ meeting, we process personal data of our shareholders (e.g., first and last name, address, email address, number of shares, type of ownership of shares and admission ticket number) as well as, if applicable, personal data of the shareholder representatives. We process the first and last name of guests at the shareholders' meeting.

The shares in IONOS SE are registered shares. According to Sec. 67 AktG, these shares must be entered in our share register, stating the shareholder’s name, their date of birth and address (including an email address) and – in the event of no-par value shares – the number of shares held or the identification number of such shares. The shareholder is generally obliged to provide this information to us. To the extent that shareholders or, where applicable, shareholder representatives do not provide their personal data themselves, we usually receive the data from a shareholder’s custodian bank (so-called ultimate intermediary). Participation in the shareholders' meeting is not possible without providing personal data.

We process personal data of shareholders and shareholder representatives to the extent that this is required under applicable law for the proper preparation, conduct and wrap-up of the shareholders’ meeting, to allow the exercise of shareholders’ rights and for the maintenance of the share register. This includes, with regard to conducting the shareholders’ meeting, in particular the processing of the registration, the exercise of shareholders’ voting rights, the exercise of the right to speak, the right to ask questions and the right to file motions during the shareholders’ meeting, the compilation of the list of participants and the recording of objections and questions in the notarized minutes. For these purposes, the shareholders’ meeting will be broadcast live to premises of the shareholders’ meeting accessible to shareholders and shareholder representatives (e.g., in the entrance area) and to a back office for shorthand recording. The legal basis for the processing of personal data is Art. 6 (1) sentence 1 lit. c GDPR in conjunction with Secs. 67 and 67e, Secs. 118 et seqq. AktG.

When the shareholders’ portal is used, we also process personal data via server log files transmitted by the browsers automatically for technical reasons. The legal basis for this is Art. 6 (1) sentence 1 lit. c GDPR. In our shareholders’ portal we also use cookies that are technically necessary for the operation of the shareholders’ portal. The legal basis for this data processing is Sec. 25 (2) no. 2 of the German Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, “TTDSG”).

In certain individual cases, we also process your personal data if useful for the organization of the shareholders’ meeting and thus for safeguarding our legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR) (for instance for shareholder communication and for statistical purposes, as well as for the attendance of guests at the shareholders' meeting and a guest register for internal use). Therefore, the provision of personal data is not required by law or contract. Guests may only attend the Annual General Meeting if they provide their name.

In addition, we process your personal data, where necessary, to comply with other legal obligations, e.g., regulatory requirements or record retention requirements under stock corporation, commercial and/or tax laws. In this case, the respective legal provisions in conjunction with Art. 6 (1) sentence 1 lit. c GDPR form the legal basis for the processing of personal data.

Recipient(s) of your data

The service providers (including affiliated group companies) commissioned by us for the purpose of organizing the shareholders’ meeting process your personal data exclusively in accordance with the instructions of IONOS SE and only to the extent required for the performance of the service commissioned. All employees of IONOS SE as well as all staff of commissioned service providers who have access to and process your personal data have committed to treat such data confidentially.

In addition, we will make personal data, in particular the names of shareholders and shareholder representatives, available to other shareholders, shareholder representatives, as well as intermediaries and shareholder associations. This is subject to the statutory requirements (in particular regarding the list of participants, Sec. 129 AktG). This also applies to personal data contained in motions to add items to the agenda, counter-motions, nominations and in contributions made in the context of exercising the right to speak or answering questions, if any. Personal data contained in statements made during the shareholders' meeting may also be received by guests of the shareholders' meeting. If required for the proper conduct of the shareholders' meeting or to protect our legitimate interests, we may also transfer personal data to notaries and lawyers commissioned by us who are subject to a professional duty of confidentiality. Furthermore, we may be obliged by law to transmit your personal data to further recipients such as, for instance, public authorities in order to comply with statutory reporting obligations.

The legal basis in these cases is Art. 6 (1) sentence 1 lit. c) GDPR in conjunction with the legal provision from which an obligation to publish or transmit follows or, if there is no legal obligation to publish or transmit the personal data, Art. 6 (1) sentence 1 lit. f GDPR (legitimate interest).

Your personal data will not be transferred to recipients in countries outside the European Union (“EU”) or the European Economic Area (“EEA”).

Storage period

We will anonymize or erase your personal data in accordance with the statutory provisions as soon as the two-year inspection period pursuant to Section 129 (4) AktG has expired. The personal data is no longer required for the original purposes of collection or processing. The data is no longer required in connection with any administrative or legal proceedings, and there are no other statutory retention obligations or justifications for storage. We regularly store personal data that we collect in connection with the shareholders' meeting for three years. We must regularly retain the personal data stored in the share register for ten years after the shares have been sold. We will erase server log files for the shareholder portal at the latest after 32 days at the latest.

Your rights

Subject to the statutory requirements, the fulfillment of which must be assessed on a case by case basis, you have the right to access information about your processed personal data (Art. 15 GDPR) and to require rectification (Art. 16 GDPR) or erasure (Art.17 GDPR) of your personal data or the restriction of processing (Art. 18 GDPR) using the above-stated contact information. In addition, you have the right to lodge a complaint with the competent data protection supervisory authority and the right to receive your personal data in a structured, commonly-used and machine-readable format (Art. 20 GDPR).

If personal data are processed on the basis of Art. 6 (1) sentence 1 lit. f GDPR, you also have the right to object (Art. 21 GDPR) to the processing subject to the statutory requirements, the fulfillment of which must be assessed on a case-by-case basis.