Data protection notices
I. General information
a. Introduction
METRO AG attaches great importance to data protection and the protection of privacy. The following data protection notices are designed to inform you, our shareholders, about the processing of your personal data and your rights regarding such processing according to applicable data protection laws, in particular Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), in connection with the preparation, and conduct of and follow-up on the Annual General Meeting.
b. Controller within the meaning of article 4 no. 7 GDPR
METRO AG, Metro-Straße 1, 40235 Düsseldorf
c. Contact details of Data Protection Officer
METRO AG, Data Protection Officer, Metro-Straße 1, 40235 Düsseldorf
E-Mail: datenschutz@metro.de
II. Information regarding the processing of data
1. Data categories
a. We process the following data categories:
- first and last name
- address
- e-mail-address,
- number of shares
- class of shares
- type of share ownership and,
- number of entry ticket/registration confirmation
b. In addition, we may also process personal data of a proxy holder nominated by you (in particular name and place of residence).
c. If you or your proxy holders contact us, we also process the personal data required to respond to any inquiries (such as the contact data provided by the shareholder or their proxies, such as e-mail address or telephone number).
d. Furthermore, we also process personal information on motions, questions, statements, election proposals, objections and requests from the shareholders, insofar as these are made.
e. For a virtual General Meeting we additionally process the following data:
- access data for InvestorPortal
- login for InvestorPortal
- information on exercise of voting rights (incl. point of time)
- grant of power of attorney (incl. point of time)
- questions, statements and objections or contact to the notary (incl. point of time)
- Picture, audio and video recording/broadcast (incl. point of time) when exercising the right to speak and right to information as well as the submission of motions and election proposals
- communication data to control the functionality of the video communication between us and a shareholder
- acceptance of terms of use (incl. point of time)
f. When using the InvestorPortal your browser automatically transfers the following data to us:
- date and time of access
- transferred data volume
- notification whether data retrieval was successful
- IP address
- type of webbrowser
- the previously visited website
A combination of the data with other sources of data, especially user data, is not carried out.
g. To ensure the operation of the InvestorPortal, we only use technically necessary cookies. You can prevent cookies from being set via your browser settings. However, completely blocking all cookies may mean that you cannot use the InvestorPortal.
2. Purposes and legal basis of the processing
a. We process the data mentioned under 1.a – 1.d to enable you as our shareholder to participate in and exercise your rights at the Annual General Meeting. The processing of personal data is indispensable for the proper preparation, conduct and follow-up on the Annual General Meeting and to enable your participation in the Annual General Meeting pursuant to §§ 118 et seqq. of the German Stock Corporation Act (AktG) as well as for the preparation of the list of participants. The legal basis for the processing of personal data is article 6 section 1 sent. 1 lit c) GDPR in conjunction with the German Stock Corporation Act.
b. In the case of a virtual Annual General Meeting, we also process the data mentioned under 1.a -- 1.g for the purposes listed under 2.a., in particular in order to provide you with secure access to the InvestorPortal and to be able to operate it in a failure-free and secure manner. Legal basis is article 6 section 1 sent. 1 lit. f) GDPR in connection with the legal provision of the German Stock Corporation Act, in particular §§ 118a, 130a. In addition, we store and process picture, audio and video recordings/broadcast as well as submissions (for example statements) via the InvestorPortal and the names of the shareholders concerned in order to be able to answer questions and to document other forms of exercising shareholder rights in a verifiable manner as well as to defend ourselves against possible legal claims. This corresponds to our legitimate interest, on the basis of which this data processing is carried out in accordance with article 6 section 1 sent. 1 lit. f) GDPR.
c. The data mentioned under 1.c. is also processed for the purpose of answering your respective inquiry. The processing takes place on the basis of article 6 section 1 sent. 1 lit. b) GDPR.
d. We may also process the personal data mentioned under 1. a – 1.g. in order to compile internal statistics, e.g. on the largest shareholders. It is in our legitimate interest to produce such internal statistics for information purposes. The processing of the personal data is based on article 6 section 1 sent. 1 lit. f) GDPR.
e. In addition, we may also process personal data mentioned under 1.a – 1.e to fulfil other legal obligations, such as regulatory requirements and obligations to retain data under stock corporation law, securities law, commercial law and tax law. The legal basis for the processing is the relevant statutory provisions in conjunction with article 6 section 1 sent. 1 lit. c) GDPR.
All METRO AG shares – ordinary shares and preference shares – are bearer shares. Unlike registered shares, METRO AG does not keep a share register as defined by § 67 German Stock Corporation Act in which the name, date of birth and address of the shareholder as well as the number of shares are entered.
3. Categories of recipients of personal data
a. We are using external service providers to prepare, conduct and follow up on the Annual General Meeting (in particular for registering for the Annual General Meeting, for the preparation and operation of the virtual InvestorPortal, the conduct of the (virtual) Annual General Meeting). Service providers commissioned for the purpose of preparing, conducting and following up on the Annual General Meeting as well as for the preparation and operation of the InvestorPortal will receive from us only such personal data as are required for the execution of the commissioned service and will process the data exclusively in accordance with METRO AG's instructions. All of our employees and all employees of external service providers who have access to and/or process personal data are obliged to treat this data confidentially.
b. Statements submitted by the shareholders prior to the virtual Annual General Meeting will be published stating the name of the shareholder. In case of requests to speak in the Annual General Meeting for the exercise of the right to speak, raise questions or submit motions, the Chairman of the Annual General Meeting will regularly state the name of the shareholder resp. his/her proxy.
c. In addition, participants in the Annual General Meeting may inspect the data on all participants in the Annual General Meeting recorded in the list of participants to be made accessible at the Annual General Meeting pursuant to § 129 section 1 sent. 2 German Stock Corporation Act. This also applies in the case of a virtual Annual General Meeting pursuant to § 129 section 1 sent. 3, section 4 German Stock Corporation Act. In this case, the list of participants can be inspected in the virtual InvestorPortal. For a time period of up to two years after the Annual General Meeting each shareholder as well as the registered participants and proxies may demand inspection of the list of participants and receipt of a copy.
d. If shareholders wish to submit a request to add items to the agenda, counter-motions or election proposals, we may have to publish the name of the shareholder under certain conditions on the website of METRO AG.
4. Data sources
As a rule, we or the service providers commissioned by us receive the personal data of the shareholders via our registration office from the credit institutions of the shareholders who have commissioned them to hold our shares in custody (so-called custodian banks) as well as from the shareholders or their proxies.
5. Storage period
The storage period for the data recorded in connection with the Annual General Meeting is regularly up to three years. The storage period for data recorded in the list of participants is regularly two years after the end of the Annual General Meeting, § 129 section 4 sent. 2 German Stock Corporation Act. As a general rule, we anonymise or delete personal data unless we are required by law to provide evidence and retain data for a longer period of time or are required to do so as part of legal proceedings. Information on shareholders' questions and speeches at the upcoming Annual General Meeting will generally be anonymised after one month, unless longer storage is necessary for the reasons stated above.
6. Cookies
In order to ensure the security of the InvestorPortal and to enable the usage of certain functions, we use so-called cookies. These are small text files that are stored on your device. Some of the cookies we use, are deleted following the end of the browser session, i.e. after closing your browser (so-called session cookies). Other cookies remain on your device and enable us to recognize your browser on your next visit (persistent cookies). You may adjust your browser so that you are informed about the setting of cookies and decide individually about its acceptance or exclude the acceptance of cookies for certain cases or in general.
To operate the InvestorPortal we use the following, technically necessary cookies:
Name | Purpose | Duration |
---|---|---|
X-XSRF-TOKEN | ensures secure connection between the InvestorPortal and Q-Live | session |
.AspNetCore.Antiforgery.8-SwGiRsH58 | ensures secure connection between the InvestorPortal and Q-Live | session |
cookieconsent_status | stores cookie consent settings | 7 days |
laravel_session | identifies a session instance for a user | 7 days |
XSRF-TOKEN | Protection of the application against cross-site request forgery | 120 minutes |
III. Rights of data subjects
As a data subject, you may contact our Data Protection Officer at any time with an informal notification using the contact details listed above in order to exercise your rights – the prerequisites of which must be checked in each individual case – under the GDPR. These include, in particular:
- the right to obtain information on data processing and a copy of the data processed (right of access, article 15 GDPR),
- the right to request the rectification of inaccurate data or the completion of incomplete data (right to rectification, article 16 GDPR),
- the right to request the deletion of personal data and, if the personal data have been published, the information to other data controllers on the request for deletion (right to erasure, article 17 GDPR),
- the right to request the restriction of data processing (right to restriction of processing, article 18 GDPR),
- the right to data portability (article 20 GDPR).
You also have the right to lodge a complaint with a supervisory authority (article 77 GDPR). The authority responsible for us is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf.
Information on your right to object pursuant to article 21 GDPR
You have the right to object at any time to the processing of your data on the basis of article 6 section 1 sent. 1 lit. f) GDPR (data processing based on a balancing of interests) if there are reasons arising from your particular situation. If you object, we will no longer process your personal data unless there are compelling and applicable reasons for processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. The objection can be made informally and should be addressed to our Data Protection Officer (contact details see above).