I. General information

a) Introduction
METRO AG attaches great importance to data protection and the protection of privacy. The following data protection notices are designed to inform you, our shareholders, about the processing of your personal data and your rights regarding such processing according to applicable data protection laws, in particular Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), in connection with the preparation, and conduct of and follow-up on the Annual General Meeting.

b) 'Controller' within the meaning of Article 4 No. 7 GDPR
METRO AG, Metro-Straße 1, 40235 Düsseldorf

c) Contact details of the Data Protection Officer
METRO AG, Data Protection Officer, Metro-Straße 1, 40235 Düsseldorf
E-mail: datenschutz@metro.de

II. Information regarding the processing of data

1. Data categories

a) In particular, we are processing the following categories of personal data:

  • First and last name
  • Address
  • Number of shares
  • Class of shares
  • Type of ownership of the shares, and Entry ticket number/ registration confirmation

b) In addition, we may also process personal data of a proxy holder nominated by you (in particular name and place of residence).

c) If you or your proxy holders contact us, we also process the personal data required to respond to any inquiries (such as the contact data provided by our shareholder or their proxies, such as e-mail address or telephone number).

d) Furthermore, we also process information on motions, questions, election proposals and requests from our shareholders, insofar as these are made.

e) In the case of a virtual Annual General Meeting, we also process the following data:

  • Individual access data for the InvestorPortal
  • exercise of voting rights (including time)
  • Grating of power of attorney to proxies (including time)
  • Submission of questions or contact with the notary (including time)
  • Acceptance of the terms of use (including time)

f) When using the InvestorPortal, your internet browser automatically transmits the following data to us:

  • Date and time of access
  • Transferred date volume
  • Notification, whether data retrieval was successful
  • IP address
  • Type of web browser
  • The URL of your previously visited webpage

A combination of this data with other sources of data, especially user data, is not carried out.

g) To ensure the operation of the InvestorPortal, we only use necessary cookies. You can prevent cookies from being set via your browser settings. However, completely blocking all cookies may mean that you cannot use the Stockholder Portal.

2. Purposes and legal basis of the processing

a) We use the personal data mentioned under 1.a – 1.e to enable you as our shareholder to participate in and exercise your rights at the Annual General Meeting. The processing of personal data is indispensable for the proper preparation, conduct and follow-up on the Annual General Meeting and to enable your participation in the Annual General Meeting pursuant to §§ 118 et seqq. of the German Stock Corporation Act (AktG). The legal basis for the processing of personal data is Article 6 Section 1 Sentence 1 point c) GDPR in conjunction with the German Stock Corporation Act and in the case of the virtual General Meeting the Act on Measures in Corporate, Cooperative, Association, Foundation and Condominium Law to Combat the Effects of the COVID 19 Pandemic ("Covid 19 Act").

b) In the case of a virtual Annual General Meeting, we also process the data mentioned under 1.e -- 1.g in order to provide you with secure access to the InvestorPortal and to be able to operate it in a failure-free and secure manner. This corresponds to our legitimate interest, on the basis of which this data processing is carried out in accordance with Art. 6 Para. 1 S. 1 lit. f) GDPR.

c) The data mentioned under 1.c. is also processed for the purpose of answering your respective inquiry. The processing takes place on the basis of Art. 6. paragraph 1 p. 1 lit. bf) GDPR.

d) We may also process the personal data mentioned under 1. a – 1.g. in order to compile internal statistics, e.g. on the largest shareholders. It is in our legitimate interest to produce such internal statistics for information purposes. The processing of the personal data is based on Art. 6. paragraph 1. p. 1 lit. f) GDPR.

e) In addition, we may also process personal data mentioned under 1.a – 1.e to fulfil other legal obligations, such as regulatory requirements and obligations to retain data under stock corporation law, securities law, commercial law and tax law. The legal basis for the processing is the relevant statutory provisions in conjunction with Article 6 Section 1 Sentence 1 point c) GDPR.

All METRO AG shares – ordinary shares and preference shares – are bearer shares. Unlike registered shares, METRO AG does not keep a stock register as defined by § 67 German Stock Corporation Act in which the name, date of birth and address of the shareholder as well as the number of shares are entered.

3. Categories of recipients of personal data

a) We are using external service providers to prepare, conduct and follow up on the Annual General Meeting (in particular for printing and mailing the invitation to the Annual General Meeting as well as for registering for the Annual General Meeting and for the preparation and operation of the virtual InvestorPortal). Service providers commissioned for the purpose of preparing, conducting and following up on the Annual General Meeting as well as for the preparation and operation of the InvestorPortal will receive from us only such personal data as are required for the execution of the commissioned service and will process the data exclusively in accordance with METRO AG's instructions. All of our employees and all employees of external service providers who have access to and/or process personal data are obliged to treat this data confidentially.

b) In addition, participants in the Annual General Meeting and postal voters may inspect the list of participants or the list of postal voters to be made accessible at the Annual General Meeting pursuant to § 129 Section 1 Sentence 2 German Stock Corporation Act and the data on all participants in the Annual General Meeting recorded therein. This also applies in the case of a virtual General Meeting. In this case, the list of participants can be viewed in the virtual InvestorPortal

c) If shareholders wish to submit a request to add items to the agenda, countermotions or election proposals, we may have to publish the name of the shareholder under certain conditions. This also applies to questions that shareholders have submitted in advance at a virtual General Meeting (§ 1 (2) No. 3 Covid 19 Act). When answering questions, the Management Board reserves the right to indicate the name of the shareholder or his or her proxy holder, unless the shareholder or proxy holder has objected to this.

4. Data sources

As a rule, we or the service providers commissioned by us receive the personal data of the shareholders via our registration office from the credit institutions of the shareholders who have commissioned them to hold our shares in custody (so-called custodian banks) and, in particular in the case of the appointment of proxies, by the entries made by shareholders and proxies in the InvestorPortal.

5. Storage period

The storage period for the data recorded in connection with the Annual General Meeting is regularly up to three years. As a general rule, we anonymise or delete personal data unless we are required by law to provide evidence and retain data for a longer period of time or are required to do so as part of legal proceedings. Information on shareholders' questions and speeches at the upcoming Annual General Meeting will generally be anonymised after one month, unless longer storage is necessary for the reasons stated above.

III. Rights of data subjects

As a data subject, you may contact our Data Protection Officer at any time with an informal notification using the contact details listed under above in order to exercise your rights – the prerequisites of which must be checked in each individual case – under the GDPR. These include, in particular:

  • The right to obtain information on data processing and a copy of the data processed (right of access, Article 15 GDPR),
  • the right to request the rectification of inaccurate data or the completion of incomplete data (right to rectification, Article 16 GDPR),
  • the right to request the deletion of personal data and, if the personal data have been published, the information to other data controllers on the request for deletion (right to erasure, Article 17 GDPR),
  • the right to request the restriction of data processing (right to restriction of processing, Article 18 GDPR).

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The authority responsible for us is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf.

Information about your right of objection according to Art. 21 DSGVO

You have the right to object at any time to the processing of your data on the basis of Art. 6 Par. 1 S. 1 f) GDPR (data processing based on a balancing of interests) if there are reasons arising from your particular situation. If you object, we will no longer process your personal data unless we can prove compelling and applicable reasons for processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. The objection can be made informally and should be addressed to our Data Protection Officer (contact details see above).