Data protection declaration for shareholders

Information on Data Protection for Shareholders of Österreichische Staatsdruckerei Holding AG

Data protection is a high priority for Österreichische Staatsdruckerei Holding AG (hereinafter referred to as “us”, or “we”). The following information is intended to inform our shareholders, shareholder representatives and other participants in our Annual General Meeting about the processing of their personal data and the rights they are entitled to under data protection law.

Name and address of the Controller

The person responsible for the processing of your data is:

Österreichische Staatsdruckerei Holding AG
Tenschertstraße 7
1230 Vienna, Austria

Tel.: +43 1 206 66-0
E-Mail: office@staatsdruckerei.at
Website: www.staatsdruckerei.at

For comments and queries regarding the processing of personal data, you can contact the data protection officer of Österreichische Staatsdruckerei Holding AG at:

privacy@staatsdruckerei.at

Purposes of data processing

We process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), the Stock Corporation Act (AktG) and all other relevant legal regulations.

We use your personal data (e.g. name or company name, address, date of birth or register or number under which the legal entity is maintained in its country of origin, account number, number of shares or share number, e-mail address, and, if applicable, personal data of your shareholder representatives) for the purposes provided for in the German Stock Corporation Act, in particular for maintaining the share register, communicating with you as a shareholder and handling Annual General Meetings. The processing of personal data for these purposes is legally required.

As a matter of principle, we use your personal data only for the purpose for which you have provided us with the data:

for keeping the share register
to give you access to the Annual General Meetings
for the documentation of your registration for the Annual General Meeting by post or by e-mail,
for the documentation of your representation by proxy at the Annual General Meeting by the respective authorised representative and
any instructions you may have given
for contacting us for contact and service requests in connection with the Annual General Meeting or to provide certain information.

Legal basis of data processing

The legal basis for the processing of your personal data is the German Stock Corporation Act (AktG) (in particular those pursuant to Article 9 Section 1 in conjunction with Article 61 Section 1 ff AktG) in conjunction with art. 6 (1) sentence 1 lit. c) GDPR.

The preparation of the minutes of the Annual General Meeting is based on the statutory provisions on the taking of minutes in accordance with Article 120 AktG Section 1ff and Article 87NO.

In addition, we may also process your personal data to fulfil other legal obligations, such as regulatory requirements, stock corporation, commercial and/or tax law retention obligations. In order to comply with provisions of stock corporation law, for example, when authorising the proxies appointed by the company for the Annual General Meeting, we must record the data serving as proof of the authorisation in a verifiable manner (Article 114 Section 1 AktG). In this case, the respective legal regulations of the German Stock Corporation Act and Art. 6(1) sentence 1 lit. c) GDPR serve as the legal basis for processing.

In individual cases, we will also process your data to the extent necessary to safeguard the legitimate interests of Österreichische Staatsdruckerei Holding AG (Art. 6 (1) sentence 1 lit. f) GDPR), including for statistical purposes, processing contact and service inquiries, sending annual reports or attending the Annual General Meeting as a guest.

Categories of personal data

Name or company name, address, date of birth or register or number under which the legal entity is registered in its country of origin, registered office of the company, account number, number of shares or share number, e-mail address, copy of a legitimation document (official photo identification for natural persons, current excerpt from the company register, company power of attorney for legal entities)

Recipients of personal data

Affiliated companies that are granted access to your personal data within the scope of the tasks assigned to them for the purpose of maintaining the share register and handling the Annual General Meeting (e.g. for printing and mailing the invitation documents or for holding our Annual General Meeting)
Third parties commissioned by us, e.g. notary public, to prepare the minutes of the Annual General Meeting
We (may) be obligated to transmit your personal data to other recipients, such as public authorities to fulfil statutory notification obligations.

For example, the minutes of the Annual General Meeting are transmitted to the Commercial Court of Vienna. This contains the place and date of the meeting, the name of the notary public, the type and result of the vote and the chairman’s statement on the resolution (Art. 120 Section 2 AktG). Enclosed with the minutes shall be the list of participants (Art. 117 AktG), if applicable a list of persons who participated in the decision-making process by remote voting (Art. 126 AktG) or voting by letter (Art. 127 AktG) and proof that the Annual General Meeting was properly convened. The minutes including attachments shall be submitted to the Commercial Register as a notarised copy (Art. 120 Section 4) and included in the collection of documents (Art. 12 FBG [Company Register Act]), where it can be viewed by everyone (Art. 33 Section. 2 FBG).

Data processing outside the EU/EEA

No personal data is processed in third countries.

Collection of personal data from third parties (Article 14 GDPR)

As a rule, the banks/custodian banks involved in the purchase, sale or custody of the bearer shares will forward to us the mandatory details and other information relevant for your participation in the Annual General Meeting. In the course of the conversion of bearer shares into registered shares, an exchange of information on your securities account will also take place with the relevant credit institutions/deposit banks in this respect.

Storage duration

As a matter of principle, we will delete your personal data as soon as it is no longer required for the aforementioned purposes, the personal data is no longer required for any administrative or legal proceedings, and there are no other statutory (e.g. stock corporation, commercial and/or tax law) obligations to provide evidence and retain data or justification for storage.

The storage period for the data recorded in connection with the Annual General Meeting is regularly at least 7 years.

We must also retain the data stored in the share register after the sale of the shares. Furthermore, we only retain personal data in individual cases if this is necessary, for example, in connection with claims.

Necessity of providing personal data

Only persons who are registered in the share register in accordance with Art. 61 Section 1 ff of the German Stock Corporation Act (AktG), stating their name or company name, address, date of birth or register or number (under which the legal entity is registered in its country of origin), number of shares, share number and account data, shall be deemed to be shareholders in relation to the company. If the shares belong to a person other than the person entered in the share register, the above-mentioned information shall also be entered in respect of this other person. An exception to this rule is if the shareholder is a bank (Art. 61 Section 1 no. 4 AktG). A credit institution entered in the share register which does not own the shares requires a granted authorisation of the person to whom the shares belong. The shareholder is generally obliged to provide the company with this information.

Your rights in connection with personal data

Every data subject has the right of access under Art. 15 GDPR, the right of rectification under Art. 16 GDPR, the right of deletion under Art. 17 GDPR, the right to limit processing under Art. 18 GDPR, the right of communication under Art. 19 GDPR and the right to data transferability under Art. 20 GDPR.

If the processing of data is based on your consent, you are entitled under Art. 7 GDPR to revoke your consent to the use of your personal data at any time. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected. Please also note that we may have to store certain data for a certain period of time in order to comply with legal requirements.

In addition, you have the right of appeal to a data protection authority in accordance with Art. 77 GDPR if you are of the opinion that the processing of your personal data is not lawful. The right of appeal is without prejudice to any other administrative or judicial remedy. Should you make use of the aforementioned rights, the person responsible will check whether the legal requirements for this are met.

Contact details of the Austrian Data Protection Authority:

Österreichische Datenschutzbehörde [Austrian Data Protection Authority] Barichgasse 40-42
1030 Vienna, Austria

Phone: +43 1 52 152-0

E-Mail: dsb@dsb.gv.at