Data protection notice for shareholders
Data protection notice for Munich Reinsurance Company shareholders and Annual General Meeting (AGM) attendees
A key element of the EU General Data Protection Regulation is transparency in data processing. We take protecting the data of our shareholders and AGM attendees very seriously. In the present notice, we would therefore like to explain how your personal data will be processed by Münchener Rückversicherungs-Gesellschaft Aktiengesellschaft in München (Munich Re), and to inform you of your rights under data protection law.
Who will be responsible for processing your data?
Aktiengesellschaft in München
80802 München Germany
Tel.: +49 (89) 38 91- 22 55
Fax: +49 (89) 39 91 7 22 55
If you have any questions about our notice, please contact our Data Protection Officer. You can reach him by regular mail to the aforementioned address, marked for the attention of “Data Protection Of-ficer, Group Compliance & Legal 1.5”, or by email to: email@example.com.
For what purposes, and on what legal grounds, will your data be processed? Who do we receive what data from?
We will process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Stock Corporation Act (AktG) and all other applicable laws.
Munich Re shares are registered shares. For registered shares, Section 67 of the Stock Corporation Act provides that the shareholder’s name, date of birth and address must be entered into the company’s share register, as well as the quantity of shares or share number. The shareholder is required to provide this information to the company. The financial institutions involved in acquiring or holding Munich Re registered shares regularly forward to us the shareholder information (including citizenship, sex, and submitting bank, in addition to the aforementioned data) necessary for maintaining the share register. This is done via Clearstream Banking Frankfurt, the central depository responsible for processing securities transactions and for holding the shares for the financial institutions. When shareholders sell their shares, Clearstream Banking Frankfurt reports this to us as well.
Shareholders who cannot attend the Annual General Meeting personally may nominate a proxy to attend in their stead. The shareholder usually discloses to us the proxy’s name and place of residence for entering into the list of attendees, and potentially also their exact address for us to directly mail them their admission card.
We will use your personal data for the purposes set out in the Stock Corporation Act. They include maintaining the share register, communicating with you as a shareholder, and organising the Annual General Meetings. Beyond that, we will use your data for purposes that are compatible with those mentioned above (particularly to generate statistics – for example, to track shareholder changes, numbers of transactions, or overviews of our major shareholders). The Stock Corporation Act in combination with Articles 6 (1) c) and (4) of the GDPR constitute the legal grounds for our processing of your personal data.
In addition, we may also process your personal data to fulfil further statutory requirements, such as supervisory regulations, or data retention requirements under securities, commercial or tax law. To comply with securities law, we must – for example in cases where the AGM proxy nominated by our Company has been authorised by a shareholder to exercise voting rights – demonstrably and securely retain the data serving as proof of the authorisation. In that case, the processing is allowed by the respective statutory provision and Art. 6 (1) c) of the GDPR.
In certain cases, we will also process your data to safeguard our legitimate interests, as permitted by Article 6 (1) f) of the GDPR. This would be the case, for example, if we had to exclude certain share-holders – based on their citizenship or place of residence in a non-European country – from information about a subscription offer following a capital increase, in order to comply with securities law in such country. For security reasons, we record the names of guests who attend our Annual General Meeting.
Should we wish to process your personal data for a purpose not listed above, we would inform you of this in advance, in accordance with the law.
What categories of recipient might we disclose your data to?
External service providers and advisors:
We use external service providers to perform some administrative and technical tasks related to maintaining the share register (share register service provider, IT service provider) and to organise our Annual General Meetings (AGM service provider, supplier for printing and mailing the shareholder notifications). We may also hire advisors or lawyers in connection with the Annual General Meeting.
If you attend the Annual General Meeting, other Munich Re shareholders will have access to any personal data recorded under your name in the list of attendees, as per Section 129 of the Stock Corporation Act. In addition, we may be obliged to share your personal data with other recipients (for example government agencies) in order to fulfil our statutory reporting duties (for example, if statutory thresh-olds on voting power are exceeded).
How long do we store your data?
As a rule, we anonymise or delete your personal data as soon as it is no longer necessary for the aforementioned purposes, unless statutory documentation and retention rules (e.g. in the Stock Corporation Act, German Commercial Code (HGB) or Tax code (AO)) require us to keep it for longer. The data collected in connection with Annual General Meetings is routinely stored up to three years. We usually have to retain the data stored in our share register for a period of 10 years after the shares are sold. We will store your personal data for longer than that only in exceptional cases, where necessary in connection with claims asserted against Munich Re (Group) (statutory limitation period of up to 30 years).
How do we transmit data to countries outside Europe?
If we need to transfer personal data to service providers outside the European Economic Area (EEA), we will do so only if the European Commission has confirmed that the respective country’s level of data protection is sufficient, or if data protection is otherwise sufficiently guaranteed (for example, through binding, in-house data protection provisions, or the European Commission’s standard contractual clauses). You may obtain more information on this issue, as well as about the level of data protection at our service providers in third countries, at the address indicated above.
What are your data protection rights?
At the address indicated above, you may request information about the personal data we have stored under your name. You can access the main information about your person recorded in the share register, using the shareholder portal on Munich Re’s website (www.munichre.com), and you may also notify us of any changes to your information via the portal or at the aforementioned address. In addition, under certain conditions you may request that your data be erased, or you may request that its processing be restricted (for example, if your data is being processed illegally).
Right to object:
If we are processing your data to safeguard our legitimate interests, you may, by contacting the address indicated above, object to this processing on grounds relating to your particular situation. We will then stop the processing, unless we have compelling legitimate interests to do so which override your grounds.
Would you like to file a complaint about how your data is being handled?
You may contact our aforementioned Data Protection Officer (see above) or the data protection authorities. The authority responsible for Munich Re is:
Bayerisches Landesamt für Datenschutzaufsicht (Data Protection Authority of Bavaria for the Private Sector), Promenade 27, 91522 Ansbach, Germany.