Data protection notice for shareholders

A primary objective of the EU General Data Protection Regulation (GDPR) is transparency in data processing. We take data protection very seriously for our shareholders and their legal representatives (proxies or shareholder representatives) . In the present notice, we would therefore like to explain how your personal data will be processed by Münchener Rückversicherungs-Gesellschaft Aktiengesellschaft in München (“Munich Re” or “we”), and to inform you of your rights under data protection law.

Who is responsible for processing your data?

Münchener Rückversicherungs-Gesellschaft
Aktiengesellschaft in München
Königinstr. 107
80802 Munich, Germany

Phone: +49 (89) 38 91- 22 55
Fax: +49 (89) 39 91 7 22 55
Email: shareholder@munichre.com

If you have any questions about this information, you may contact our Data Protection Officer. You can contact the Officer by writing to the above-mentioned postal address; please include “Data Protection Officer / Group Compliance & Legal” in the address. Alternatively, you can send an email to datenschutz@munichre.com.

For what purposes, and on what legal grounds, will your data be processed? Who do we receive what data from?

Munich Re shares are registered shares. For registered shares, Section 67 of the German Stock Corporation Act (AktG) provides that the shareholder’s name, date of birth, and address, both postal and electronic, must be entered into the Munich Re share register, as well as the quantity of shares or share number. Shareholders are fundamentally obliged to provide this information to Munich Re. The intermediaries within the meaning of Section 67 (4) 2 of the German Stock Corporation Act (AktG) (e.g. banks) involved in the acquisition or safekeeping of Munich Re registered shares regularly forward to us the information pertinent to maintaining the share register – more specifically, the relevant information (such as the above-mentioned data as well as citizenship, sex and remitting bank) of shareholders and, where applicable, the information for their statutory or legal representatives. This is done both by the intermediaries in response to inquiries by Munich Re for disclosure of shares held by nominees (Section 67(4) sentence 2 of the German Stock Corporation Act (AktG)), as well as by Clearstream Banking AG, which acts as a central depository that processes securities transactions and holds the shares for the financial institutions. In addition, intermediaries such as Clearstream Banking AG notify us when a shareholder sells their Munich Re shares. 

Shareholders who do not exercise their shareholder rights in person may appoint a proxy. The shareholder shall regularly inform us of the name and place of residence of the proxy and, if applicable, of the proxy's exact address.

We use this personal data, and further information that you communicate to us, particularly via our electronic shareholder portal (e.g. questions or voting instructions for the AGM), for the purposes set out in the German Stock Corporation Act (AktG), the Implementing Regulation (EU) 2018/1212 and the German Securities Trading Act (WpHG). The primary purposes are maintaining the share register; communicating with you as shareholder or proxy, and the intermediaries involved on your behalf; and managing the Annual General Meeting (AGM). This includes compiling statistics that portray shareholder developments, the number of transactions, or overviews of the most significant shareholders. The legal basis for processing your personal data is the German Stock Corporation Act (AktG), in particular Section 67 and Section 67e of the German Stock Corporation Act (AktG), in conjunction with Article 6[1]{c} and [4] of the GDPR.

In the context of the Annual General Meeting, we process your personal data in order to enable you to exercise your rights and opportunities at the Meeting. Processing your personal data is necessary for you to vote, or to exercise your other shareholder rights under stock corporation law (Sections 118 ff. of the German Stock Corporation Act (AktG); Section 1 of the COVID-19 Measures Act **;  Art. 6 (1) {c} of the GDPR).

In addition, we may also process your personal data to fulfil further statutory requirements – such as capital-market and other supervisory regulations, or data retention requirements under securities, commercial or tax law or in order to check your data against sanctions lists drawn up under anti-terrorism laws (e.g. EU Regulation 2580/2001). To comply with securities law, we must – for example in cases where the AGM proxy nominated by our Company has been authorised by a shareholder to exercise voting rights – demonstrably and securely retain the data serving as proof of the authorisation. In such cases, the legal basis for processing personal data comprises the respective statutory regulations and Article 6[1]{c} of the GDPR.

In certain cases, we also process your data to protect our legitimate interests as per Article 6[1]{f} of the GDPR. This is particularly the case if we need to comply with legal requirements of countries outside Europe, for instance in the case of capital increases, we sometimes must exclude individual shareholders on account of their citizenship or their residence  from rights offerings. 

Should we wish to process your personal data for a purpose not listed above, we will inform you of this in advance pursuant to applicable law. 

To which categories of recipients do we forward your data?

External service providers and consultants:

We rely in part on external service providers for the administration and technical maintenance of the share register (service company for share register, IT service providers) as well as for managing the Annual General Meeting every year (AGM service providers, service providers for printing and sending notifications to shareholders and for Internet transmission and video streaming). In this context, our most important external service provider is Computershare Deutschland GmbH & Co. KG, Elsenheimerstr. 61, 80687 Munich, Germany. In addition to the notary public who prepares the minutes of the Annual General Meeting, we may also hire advisors or lawyers in connection with the Annual General Meeting, who may have access to personal data.

Additional recipients:

If you take part in the Annual General Meeting as a shareholder or proxy, other Munich Re shareholders as defined in Section 129 of the German Stock Corporation Act (AktG) can see your personal data – provided that it appears in the list of AGM attendees. If a shareholder or proxy authorises the proxies appointed by our Company to exercise voting rights, those proxies will have access to the personal data needed to exercise voting rights as instructed. If there are requests to amend the agenda in accordance with Section 122 para. 2 of the German Stock Corporation Act (AktG) and/or countermotions and nominations pursuant to Section 126 para. 1 and Section 127 of the Stock Corporation Act, we will describe them in the respective invitation to the AGM as specified in the Stock Corporation Act and, if necessary, make them available to the public. 

In addition, we may be obliged to share personal data with other recipients, for example the disclosure of shareholder data to government agencies to fulfil our statutory reporting duties (for example, if statutory thresholds on voting power are exceeded).

How long do we store your data?

As a rule, we anonymise or delete your personal data as soon as it is no longer necessary for the aforementioned purposes, unless statutory documentation and retention rules (e.g. in the Stock Corporation Act, German Commercial Code (HGB) or Tax code (AO)) require us to keep it for longer. The data collected in connection with Annual General Meetings is routinely stored up to three years. We usually have to retain the data stored in our share register for a period of 10 years after the shares are sold. We will store your personal data for longer than that only in exceptional cases, where necessary in connection with claims asserted against Munich Re (statutory limitation period of up to 30 years). 

How do we transmit data to countries outside Europe?

If we need to transfer personal data to service providers outside the European Economic Area (EEA), we will do so only if the European Commission has confirmed that the respective country’s level of data protection is sufficient, or if data protection is otherwise sufficiently guaranteed (for example, through binding corporate rules, or an agreement of the European Commission’s standard contractual clauses). You can write to the above-mentioned address to obtain detailed information and also to learn more about the level of data protection at our service providers in non-EEA countries.

What data protection rights do you have?

At the address indicated above, you may request information about the personal data we have stored under your name. Shareholders can use the shareholder portal (www.munichre.com/register) to access their key personal data that appears in the share register, and can write to the above-mentioned address to inform us of any necessary changes. In addition, under certain conditions you may request the deletion of your data (e.g. if your data was processed unlawfully), the restriction of processing, or receipt of the data you made available to us. You will find further information about your data protection rights in Articles 15 ff. of the GDPR and Sections 67, 67e of the German Stock Corporation Act (AktG).

Right to object:
If we are processing your data to safeguard our legitimate interests, you may, by contacting the address indicated above, object to this processing on grounds relating to your particular situation. 
We will then stop the processing, unless we have compelling legitimate grounds to do so which override your interests, or it serves the establishment, exercise or defence of legal claims.

Would you like to file a complaint about how your data is being handled?

You may contact our aforementioned Data Protection Officer (see above) or the data protection authorities. The data protection authorities responsible for Munich Re are:
Bayerisches Landesamt für Datenschutzaufsicht (Data Protection Authority of Bavaria for the Private Sector), Promenade 18, 91522 Ansbach, Germany, https://www.lda.bayern.de/en/contact.html.