Data protection notice for shareholders

A primary objective of the EU General Data Protection Regulation (GDPR) is transparency in data processing. We take data protection very seriously for our shareholders, their proxies and visitors to the Annual General Meeting. In the present notice, we would therefore like to explain how your personal data will be processed by Münchener Rückversicherungs-Gesellschaft Aktiengesellschaft in München (Munich Re), and to inform you of your rights under data protection law.

Who is responsible for processing your data?

Münchener Rückversicherungs-Gesellschaft
Aktiengesellschaft in München
Königinstr. 107
80802 Munich, Germany

Phone: +49 (89) 38 91- 22 55
Fax: +49 (89) 39 91 7 22 55
Email: shareholder@munichre.com

If you have any questions about this information, you may contact our Data Protection Officer. You can contact the Officer by writing to the above-mentioned postal address; please include “Data Protection Officer / Group Compliance & Legal 1.5” in the address. Alternatively, you can send an email to datenschutz@munichre.com.

For what purposes, and on what legal grounds, will your data be processed? Who do we receive what data from?

Munich Re shares are registered shares. For registered shares, Section 67 of the German Stock Corporation Act (AktG) provides that the shareholder’s name, date of birth, and address, both postal and electronic, must be entered into the Munich Re share register, as well as the quantity of shares or share number. Shareholders are fundamentally obliged to provide this information to Munich Re. The intermediaries (e.g. banks) involved in the acquisition or safekeeping of Munich Re registered shares regularly forward to us the information pertinent to maintaining the share register – more specifically, the relevant information (such as the above-mentioned data as well as citizenship, sex and remitting bank) of shareholders and, where applicable, the information for their statutory or legal representatives. This is done both by the intermediaries in response to inquiries by Munich Re for disclosure of shares held by nominees (Section 67(4) sentence 2 of the German Stock Corporation Act (AktG)), as well as by Clearstream Banking Frankfurt, which acts as a central depository that processes securities transactions and holds the shares for the financial institutions. In addition, intermediaries such as Clearstream Banking Frankfurt notify us when a shareholder sells their Munich Re shares.

We use this personal data, and further information that you communicate to us, particularly via our electronic shareholder portal (e.g. questions or voting instructions for the AGM), for the purposes set out in the German Stock Corporation Act (AktG) and the German Securities Trading Act (WpHG). The primary purposes are maintaining the share register; communicating with you as shareholder or proxy, and the banks involved on your behalf; and managing the Annual General Meeting (AGM). AGM tasks include compiling statistics that portray shareholder developments, the number of transactions, or overviews of the most significant shareholders. The legal basis for processing your personal data is the German Stock Corporation Act (AktG) in conjunction with Article 6[1]{c} of the GDPR.

In the context of the Annual General Meeting, we process your personal data in order to allow you to exercise your rights at the Meeting. Processing your personal data is necessary for you to attend the Annual General Meeting, to vote, or to exercise your other shareholder rights under stock corporation law (Sections 118 ff. of the German Stock Corporation Act (AktG); Section 1 of the Act on Measures in the Law of Companies, Cooperatives, Associations, Foundations and Condominiums to Combat the Effects of the COVID 19 Pandemic, as amended on December 22, 2020).

Shareholders who are unable to personally attend the Annual General Meeting can authorise a proxy to attend instead. The shareholder usually discloses to us the proxy’s name and place of residence for entering into the list of attendees, and potentially also their exact address for us to directly mail them their access data.

We record the names and addresses of other visitors (guests, media), who participate in our Annual General Meeting so that we can issue personalised admission cards for authorised access. Without this data, we could not guarantee a safe and secure Annual General Meeting – and you would not be granted access to it.

In addition, we may also process your personal data to fulfil further statutory requirements – such as capital-market and other supervisory regulations, or data retention requirements under securities, commercial or tax law. To comply with securities law, we must – for example in cases where the AGM proxy nominated by our Company has been authorised by a shareholder to exercise voting rights – demonstrably and securely retain the data serving as proof of the authorisation. In such cases, the legal basis for processing personal data comprises the respective statutory regulations and Article 6[1]{c} of the GDPR.

In certain cases, we also process your data to protect our legitimate interests as per Article 6[1]{f} of the GDPR. One such instance of this concerns capital increases. We sometimes must exclude individual shareholders – on account of their citizenship or their residence – from rights offerings in order to comply with securities regulations of countries outside Europe.

Should we wish to process your personal data for a purpose not listed above, we will inform you of this in advance pursuant to applicable law.

To which categories of recipients do we forward your data?

External service providers and consultants:

We rely in part on external service providers for the administration and technical maintenance of the share register (service company for share register, IT service providers) as well as for managing the Annual General Meeting every year (AGM service providers, service providers for printing and sending notifications to shareholders). In this context, our most important external service provider is Computershare Deutschland GmbH & Co. KG, Elsenheimerstr. 61, 80687 Munich, Germany. We may also hire advisors or lawyers in connection with the Annual General Meeting, who may have access to personal data.

Additional recipients:

If you take part in the Annual General Meeting as a shareholder or proxy, other Munich Re shareholders as defined in Section 129 of the German Stock Corporation Act (AktG) can see your personal data – provided that it appears in the list of AGM attendees. If a shareholder or proxy authorises the proxies appointed by our Company to exercise voting rights, those proxies will have access to the personal data needed to exercise voting rights as instructed. If there are requests to amend the agenda in accordance with Section 122 para. 2 of the German Stock Corporation Act (AktG) and/or countermotions and nominations pursuant to Section 126 para. 1 and Section 127 of the Stock Corporation Act, we will describe them in the respective invitation to the AGM as specified in the Stock Corporation Act and, if necessary, make them available to the public.

In addition, we may be obliged to share personal data with other recipients, for example the disclosure of shareholder data to government agencies to fulfil our statutory reporting duties (for example, if statutory thresholds on voting power are exceeded).

How long do we store your data?

As a rule, we anonymise or delete your personal data as soon as it is no longer necessary for the aforementioned purposes, unless statutory documentation and retention rules (e.g. in the Stock Corporation Act, German Commercial Code (HGB) or Tax code (AO)) require us to keep it for longer. The data collected in connection with Annual General Meetings is routinely stored up to three years. We usually have to retain the data stored in our share register for a period of 10 years after the shares are sold. We will store your personal data for longer than that only in exceptional cases, where necessary in connection with claims asserted against Munich Re (statutory limitation period of up to 30 years).

How do we transmit data to countries outside Europe?

If we need to transfer personal data to service providers outside the European Economic Area (EEA), we will do so only if the European Commission has confirmed that the respective country’s level of data protection is sufficient, or if data protection is otherwise sufficiently guaranteed (for example, through binding, in-house data protection provisions, or the European Commission’s standard contractual clauses). You can write to the above-mentioned address to obtain detailed information and to learn more about the level of data protection at our service providers in non-EEA countries.

What data protection rights do you have?

At the address indicated above, you may request information about the personal data we have stored under your name. Shareholders can use the shareholder portal (www.munichre.com/register) to access their key personal data that appears in the share register, and can write to the above-mentioned address to inform us of any necessary changes. In addition, under certain conditions you may request the deletion of your data (e.g. if your data was processed unlawfully), the restriction of processing, or receipt of the data you made available to us. You will find further information about your data protection rights in Articles 15 ff. of the GDPR.

Right to object:
If we are processing your data to safeguard our legitimate interests, you may, by contacting the address indicated above, object to this processing on grounds relating to your particular situation.

We will then stop the processing, unless we have compelling legitimate grounds to do so which override your interests, or it serves the establishment, exercise or defence of legal claims.

Would you like to file a complaint about how your data is being handled?

You may contact our aforementioned Data Protection Officer (see above) or the data protection authorities. The data protection authorities responsible for Munich Re are:

Bayerisches Landesamt für Datenschutzaufsicht (Data Protection Authority of Bavaria for the Private Sector), Promenade 27, 91522 Ansbach, Germany, https://www.lda.bayern.de/en/contact.html.