Data privacy notices for investors and shareholders - Vonovia

Data privacy information for shareholders and investors of Vonovia SE

Convenience translation (The German version of Data privacy information for shareholders and investors of Vonovia SE published on the website is binding)

In this data protection information, we inform you about the processing of your personal data in your capacity as shareholders and investors of Vonovia SE (collectively also “shareholders” or data subjects and hereinafter “you”, “your” or “you”). In the case of shareholders in the legal form of a legal entity, we may process personal data of the representative bodies or employees of the company. This data protection information also applies to these contact persons.

Transparency and the protection of your data and privacy are important to us. Of course, we process your data in compliance with the General Data Protection Regulation (hereinafter “DSGVO”) and the Federal Data Protection Act (hereinafter “BDSG”). Through appropriate technical and organizational measures, we ensure that an adequate level of data protection exists in our company.

For information on how we process your data, please refer to the following:

1. Scope and responsible person

1.1. Scope of application of this data protection information

This data protection information applies to the processing of personal data of data subjects in their capacity as shareholders or investors of Vonovia SE, including those interested in investing in Vonovia shares.

You can view this data protection information at investoren.vonovia.de/datenschutz or request it by phone or e-mail using the contact below.

1.2. Person responsible for the processing of your personal data

The controller for the processing of your personal data within the meaning of Art. 4 No. 7 DSGVO is Vonovia SE. The contact details are:

University Street 133, 44803 Bochum
Tel.: +49 234 314-1609
Fax: +49 234 314 -2995
E-mail: investorrelations@vonovia.de

1.3. Data Protection Officer Vonovia

Please address your questions regarding data protection to

Dr. Stefan Drewes
c/o Vonovia SE
University road 133
44803 Bochum
E-mail: datenschutz@vonovia.de

We expressly point out that if you use this e-mail address, the contents will not be exclusively noted by our data protection officer. If you wish to exchange confidential information, we therefore request that you first contact us directly via this e-mail address without a more detailed description of the circumstances.

2. Purposes and legal bases of the processing of your personal data

We process personal data in accordance with the provisions of the DSGVO and the BDSG on a basis for the purposes specified below on the following legal bases:

2.1. Due to legal requirements (Art. 6 para. 1 lit. c) DSGVO) or in the public interest (Art. 6 para. 1 lit. e) DSGVO)

As a listed company, we are subject to legal obligations, i.e. statutory requirements (e.g. Money Laundering Act, tax laws, Stock Corporation Act) as well as stock exchange supervisory requirements. The purposes of the processing include identity verification, fraud and money laundering prevention, in each case on the basis of Art. 6 (1) lit. c) DSGVO in conjunction with the statutory requirements.

The shares of Vonovia SE are registered shares for which the Company is obliged pursuant to Section 67 (1) AktG to enter the name, date of birth, postal and electronic address of the shareholder, the number of shares or the share number and, in the case of par value shares, the amount in the Company’s share register. The shareholder is required by law to provide the Company with this information. We process this data in accordance with Section 67e of the German Stock Corporation Act (AktG) for the purposes of identification, communication with shareholders, the companies and intermediaries, exercising shareholders’ rights, maintaining the share register and for cooperation with shareholders.

Under certain circumstances, the data collected for the purpose of maintaining the share register may also be used to fulfill regulatory requirements or obligations under stock corporation, commercial or tax law (e.g. compliance with voting prohibitions, administration of proxies), such as when providing evidence of the authorization of the proxy pursuant to Section 134 (3) sentence 5 AktG. The legal basis for the collection and use of the data is Article 6 (1) (c) DSGVO in conjunction with the relevant provisions of stock corporation law.

2.2. Performance of contracts and pre-contractual measures (Art. 6(1)(b) DSGVO)

We also process your personal data to fulfill contractual obligations and to carry out pre-contractual measures at the request of the data subject (e.g. for contract-related communication by e-mail). The purposes of data processing depend on the specific subject of the contractual and corporate relationship or, for example, the inquiry of an interested party and may include, among other things, needs analyses and consultations. The entries in the share register are used for the tasks of the Company pursuant to Section 67 (6) sentence 3 AktG, e.g. maintenance of the share register, invitation to and holding of the Annual General Meetings, maintenance, interpretation and storage of the list of participants, administration of the lists of speakers, publication of countermotions, recording and evaluation of votes or information on corporate events within the meaning of Section 67a (6) AktG – if necessary via intermediaries pursuant to Section 67b and Section 67 f AktG. Under this legal basis, your data will also be processed for the purpose of fulfilling obligations under the Articles of Association or the Articles of Association and in connection with your position as a shareholder, in particular for exercising and guaranteeing your shareholder rights (e.g. voting rights, rights to information, rights in connection with the Annual General Meeting, dividend rights, subscription rights or, if applicable, rights to participate in liquidation proceeds).

2.3. For the protection of legitimate interests (Art. 6(1)(f) DSGVO)

In addition, we process your personal data insofar as this is necessary to protect the legitimate interests of us or third parties. This is the case, for example, if in the case of capital increases individual shareholders must be excluded from information on subscription offers due to their nationality or place of residence in order to comply with securities regulations of the countries concerned, in the processing of personal data of investors’ contact persons or of guests at the Annual General Meeting.

Other examples include:

Providing services and/or information (e.g., annual reports) intended for you;
Preparation of statistics, e.g. for the presentation of shareholder development and structure, number of share transactions;
Responding to inquiries outside of contractual communication via email or contact form;
Operation and management of our websites;
Planning and organization of our general meetings;
Ensure network and data security within the scope of permissible necessity;
direct advertising or market research, unless you have objected to the use of your data;
Assertion of legal claims and defense in the context of legal disputes;
Prevention and investigation of criminal acts; measures to ensure the right of domicile, e.g. at real and virtual assemblies.

2.4. Based on your consent (Art. 6(1)(a) DSGVO)

Insofar as you have given us consent to process personal data for specific purposes (e.g. creation and use of recordings or interviews in the context of events, for contact by telephone, e-mail or messenger service for the purpose of advertising or market research), the lawfulness of the processing is based on your consent.

3. Categories of personal data

We process the following categories of personal data in the course of our relationships with shareholders, investors or interested parties:

Personal identification and contact data (e.g. name, title, date of birth, address, telephone number, e-mail address).
for shareholders in the legal form of a legal entity: personal identification and contact details of contact persons (governing bodies, employees, representatives)
further details of the share register: number of shares, share number and nominal amount
Financial identification data (e.g. IBAN, BIC)
Image data and recordings (films, photographs, video recordings, digital photos; interviews)
Profiles on corporations (company information; investment behavior)
Communication data (correspondence; notifications)

4. Data sources

Insofar as we do not receive the personal data directly from you, e.g. when registering for the Annual General Meeting, casting votes, issuing proxies or instructions (to us), your data will be collected by the credit institutions involved in the acquisition and custody (custodian bank as “intermediary” pursuant to Section 67 (4) AktG) and forwarded to us via Clearstream Banking AG, Eschborn, which acts as custodian for Vonovia SE shares. For the purpose of maintaining the share register, further data, such as nationality and gender, is collected by the credit institution and forwarded to us via Clearstream Banking AG. If necessary, we also collect data on corporations from publicly accessible sources (directories and databases), such as FactSet Research Systems Inc. or NASDAQ IR Insight (NASDAQ Inc.), company, trade and association registers, debtor directories, land registers, press publications or Internet sites and self-publications of the shareholders or investors concerned.

5. Recipients of personal data

Within the Vonovia Group, access to your data is granted to those offices that require it in order to fulfill contractual and legal obligations. Service providers and vicarious agents (as defined in Section 278 of the German Civil Code (BGB)) employed by us may also receive data for these purposes.

When processing your personal data, we also use external service providers whom we have obligated to maintain confidentiality (e.g. printing and dispatch of shareholder notices, invitations, registration, technical processing, legal advice for holding virtual general meetings, if applicable, registration of proxies, exercise of shareholder rights). We pass on the shareholders’ data forwarded to us by the banks for the purpose of maintaining the share register to the service provider commissioned to maintain Vonovia SE’s share register via Clearstream Banking AG Eschborn.

Where necessary, commissioned processing agreements have been concluded with these service providers in accordance with Art. 28 DSGVO. A further transfer of your personal data may take place to authorities for the fulfillment of statutory notification obligations, e.g. if certain voting rights thresholds are exceeded. Furthermore, other shareholders at the Annual General Meeting may request to inspect the list of participants, which is to be compiled and made available in accordance with Section 129 AktG.

Furthermore, under certain circumstances we transmit personal data of shareholders to external advisors or functionaries such as lawyers, tax advisors, auditors, special auditors, special representatives (Section 147 AktG), courts or arbitration tribunals for the purpose of legal defense or prosecution.

Subject to the legal requirements, data may be passed on to external recipients, e.g. public bodies and institutions (e.g. social insurance agencies, law enforcement agencies, courts) or other recipients (e.g. postal services, credit institutions, professional secrecy holders).

6. Transfer to third countries

As a matter of principle, the Vonovia Group does not intend to transfer personal data to countries outside the European Union (third countries).

7. Retention and deletion of your personal data

We store your personal data as required to achieve the stated purposes (item 2.), in particular for the duration of your legal status as a shareholder (and entry in the share register). From the time we become aware that you are no longer a shareholder, we will store your personal data for 12 months, subject to other statutory provisions (e.g. retention obligations).

If there are no other purposes for processing the data, we also store your data for the duration of the statutory limitation periods (generally three years), irrespective of the deletion period (12 months) pursuant to Section 67e (2) of the German Stock Corporation Act (AktG) for the purpose of legal defense or assertion of claims. Ongoing legal cases suspend the occurrence of the statute of limitations and extend the retention periods accordingly.

In addition, we store your personal data if we are legally obligated to do so. Corresponding obligations to provide proof and to retain data result, among other things, from the German Commercial Code (§ 257 HGB), the German Fiscal Code (§ 147 AO) and the German Money Laundering Act (§ 8 GwG). Accordingly, the retention obligations range from three to ten years. After expiry of the retention obligations, the personal data is automatically deleted.

8. Your rights

Please address your request to

by e-mail: datenschutz@vonovia.de
in writing:

Vonovia SE
GDPR
PO Box 10 04 01
57004 Siegen

or to the shareholders’ contact information stated under 1.2.

You may at any time, in accordance with the GDPR, request us to

provide you with information about the personal data concerning you that we process (Art. 15 DSGVO),
correct personal data concerning you that is inaccurate (Art. 16 GDPR);
Erase their personal data stored by us (Art. 17 GDPR), restrict the processing of personal data processed about them – “block” (Art. 18 GDPR) and / or surrender (Art. 20 GDPR);
obtain copies of personal data concerning you and provided to Vonovia SE (Art. 15 (3) or Art. 20 DSGVO)

You may revoke any consent you have given us to process personal data at any time. The revocation is only effective for the future, the lawfulness of processing in the past and processing on other legal bases remains unaffected by the revocation.

Insofar as we process your personal data on the basis of legitimate interests (Art. 6 (1) p. 1 lit. f) DSGVO), you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. We will then no longer process your data for this purpose(s), unless our interests worthy of protection prevail or the processing serves the assertion, exercise or defense of legal claims. Notwithstanding the foregoing, in the case of direct marketing (such as postal newsletters), you may object to the processing of your personal data at any time without giving any reason.

If you assert your rights against us, we process your personal data collected in this context to respond to your request. The processing of your personal data is carried out for the fulfillment of a legal obligation on the basis of Art. 6 para. 1 p. 1 lit. c) DSGVO. We store correspondence conducted in connection with inquiries for three years to fulfill our legal obligations to provide evidence.

Without prejudice to your rights under this section, you may lodge a complaint with a data protection supervisory authority if you consider that the processing of personal data concerning you by us infringes the GDPR (Article 77 GDPR).

The supervisory authority for data protection responsible for us is

State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
Kavalleriestr. 2-4
40213 Düsseldorf
Phone: 0211/38424-0
Fax: 0211/38424-999
E-mail: poststelle@ldi.nrw.de

Vonovia [Date]

Appendix: Definitions

This data protection information is based on the following terms, which we have defined for ease of understanding and provide to you as an explanation:

1. The BDSG is the German Federal Data Protection Act (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU – DSAnpUG-EU) to adapt to the EU General Data Protection Regulation (Regulation (EU) 2016/679) and to implement Directive (EU) 2016/680). It entered into force at the same time as the GDPR and substantiates the provisions of the GDPR in sub-areas (e.g. data processing of shareholders by the employer).

2. The GDPR is the EU General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC).

3. Recipient means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law are not considered recipients; the processing of such data by the aforementioned authorities shall be carried out in accordance with the applicable data protection legislation, in accordance with the purposes of the processing. Recipients of your personal data may include, for example, the postal service or shipping service providers when we send you documents.

4. The shareholders are the shareholders of Vonovia SE.

5. Personal data is any information relating to an identified or identifiable natural person, i.e. the data subject. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data can be, for example, name, contact details, tax number or financial identification data (e.g.: IBAN).

6. The controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law. Vonovia SE is the data controller for the data processing activities described in this data protection declaration (Clause 1.2.).

7. Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Vonovia at a glance

Latest Publications

Transactions

Share information

Creditor Relations

News & Publications

Corporate Governance

Service

Vonovia at a glance

This could also be interesting for you

Latest Publications

This could also be interesting for you

Transactions

This could also be interesting for you

Share information

This could also be interesting for you

Creditor Relations

This could also be interesting for you

News & Publications

Corporate Governance

Service

This could also be interesting for you