In the following we wish to provide you with information on how we handle your personal data when you use our Website.

1. Accessing our Website
When you access our Website, your browser will transfer certain data to our web server. This is done for technical reasons and required to make the requested information available for you. To facilitate your access to the Website, the following data are briefly processed: the IP address of your computer and the browser request as well as the time. In addition we collect the status and the transferred data amount. Furthermore we collect product and version number of your browser and operating system, the referrer and your internet service provider.

The legal basis for the handling of your personal data results from the fact that such handling is required pursuant to Art. 6 b) GDPR to make available the functionalities of the Website requested by you.

Moreover, to protect our legitimate interests in accordance with Art. 6 f) GDPR, we will store such data for the limited period of seven days in access- and error-logs in order to ensure the functionality of the website, to optimize the website, to detect misuse, to troubleshoot and thus to ensure the security of our information system. This data will not be stored together with other user data.

2. Use of our order service
On our Website, you may order information about the company as well as the annual report in the section «order service». Therefore, we collect Data that is necessary for delivering the offered information (Art. 6 Abs. 1 b) GDPR).

Type of data:

For sending you the requestetd information, at least the following mandatory field must be completed:

• Email-adress

You are welcome to provide us with the following optional information when ordering:

• Company
• Title, name
• Professional group (Journalist, Investor etc.)

Further information:

Additionally, in order to prevent any misuse of your personal data, we will log your IP address when subscribing and the time of your subscription and confirmation.

The order form is a service provided by EQS (EQS Group AG, Karlstrasse 47, 80333 Munich). Thus, the above-mentioned data is transferred to this company as our data processor (Art. 28 GDPR).

We process the information provided by you via the order form exclusively for the processing of your specific request. User data is deleted as soon as it is no longer required for the intended purpose. At any time you have the right to cancel or modify the order and your stored data.

For subscription to our newsletter we use the so-called double opt-in procedure. After subscribing to the newsletter on our Website, a message will be sent to the indicated email address asking for your confirmation. If you do not confirm your subscription, your subscription will automatically be deleted.

3. Google reCAPTCHA
We use a service called reCAPTCHA provided by Google. We are currently including the reCAPTCHA in our investor relations order form. With reCAPTCHA a JavaScript element is integrated into the source code, that will load and analyse user behaviour in the backround. From these user actions a so-called Captcha Score can be derived. The Score will be calculated before any input is made to the captcha itself. However, the information that is derived from this score is mainly to verify that you are very likely a human. Please note, this means that Google uses and analyses data even before you click on the "I am not a robot" checkbox.

The Captcha shall help to differentiate whether the input is made by a human being or by automated machine processing (e.g. bots). In our case, the main purposes is the prevention of mass sent messages (SPAM). We have a legitimate interest in preventing the misuse of our systems and forms (Art. 6 Art. 1 f) DSGVO).

Type of data:

• Previous websites (referrer URL)
• IP address
• Operating system
• Cookies
• Scrolling and mouse clicks on the page
• Date and language settings
• Screen resolution

Further information:

Your IP address and possibly other data will be shared with Google. However, your IP address will be shortened by Google and will not be merged with other data over there. Google also uses your data for its own purposes, in particular to improve the Captcha service.

Provider of the reCAPTCHA service:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland.
Further information on data protection at Google can be found here: https://www.google.com/policies/privacy/.
Google Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
To exercise your right to deletion regarding data stored directly by Google, please contact Google support at https://support.google.com/?hl=de&tid=331578294933. If you intend to give as little information as possible about you or your behavior to Google we suggest logging out of your Google account, as well as to delete any cookies relating to Google services, before visiting the order form or use the reCAPTCHA software.

In addition to the data on this website, we process personal data of shareholders of our company or their legal or authorised representatives, in particular during the implementation and in the context of our Annual General Meeting.

We receive your personal data primarily through the registration office of the credit institution that you have commissioned to hold your bearer shares in custody (so-called custodian bank). In some cases, we may also receive data directly from you.

If you act as a proxy of a shareholder, we will receive your personal data from the shareholder who gave you the power of attorney and directly from you, for example, if it concerns questions and contributions at the (virtual) Annual General Meeting.

Purpose
We use the personal data of our shareholders and, where applicable, shareholder representatives for the following purposes:

• For the purposes provided for in the German Stock Corporation Act, communication with you as a shareholder and the handling and organisation of our (virtual) Annual General Meetings
• To compile statistics, e.g. for the presentation of shareholder development, number of transactions or for overviews of the largest shareholders
• To comply with other legal obligations, such as regulatory requirements or retention obligations under stock corporation, commercial and/or tax law. In order to comply with the provisions of stock corporation law, for example, when authorizing the proxies appointed by the Company at the Annual General Meeting, we must record the data that serves as proof of the authorization in a verifiable manner.
• To enable access to the Annual General Meeting services, including the following of a General Meeting by means of electronic connection, as well as for individual registration and electronic registration on the online shareholder portal
• For the service in the online shareholder portal. Here you can follow the Annual General Meeting live, cast your votes by postal vote, grant power of attorney to third parties or issue powers of attorney and instructions to the Company's proxies. In addition, it is possible there
• Submit questions or object to a resolution of the Annual General Meeting
• To document your online registration for the Annual General Meeting (log files), for the documentation of online orders (in particular for admission tickets), for the documentation of votes cast by you by postal vote, for your representation by proxy and your instructions, if any, and for contacting you in the event of contact and service enquiries.

Rechtsgrundlagen
Art. 6 Abs. 1 lit. c DSGVO:
For the preparation and conduction of the Annual General Meeting we process data according with the German Stock Corporation Act, in particular Sections 118 et seq.

We are also entitled to process personal data of shareholders in accordance with Section 67e (1) of the German Stock Corporation Act (AktG) for the purposes of identification, communication with shareholders, companies and intermediaries, exercising the rights of shareholders, maintaining the share register (Section 67 AktG) and for cooperating with our shareholders.

In addition, the other regulatory requirements as well as retention obligations under stock corporation, commercial and/or tax law apply.

Art. 6 Abs. 1 lit. f DSGVO:
The processing of additional data in the event of a virtual Annual General Meeting, the online portal, and the general organisation and follow-up of the Annual General Meeting, for statistical purposes and for the processing of your contact and service enquiries is carried out within the scope of our legitimate interest.

Type of Data
Essentially, the following data is processed by you as our shareholder:

• Name and surname, title if applicable
• Address, place of residence / location
• E-mail address
• Information on the granting of any (voting) proxies
• Number of shares, class of shares and type of ownership of the shares
• Ticket number and registration information

When you visit our shareholder portal on the Internet, data is also collected about access there. These are in detail:

• Retrieved or requested data within the portal
• Date and time of retrieval
• Message whether the retrieval was successful
• Type of web browser and operating system used
• IP address
• AGM ticket number and session ID
• Login and password reset
• Acknowledgment and acceptance of the Terms of Use

In addition, we also process information on questions submitted to the Company via the shareholder portal, on countermotions and nominations and other requests from shareholders or their proxies submitted in relation to the Annual General Meeting, as well as on your voting behaviour.

Storage period
As a matter of principle, we anonymise or delete your personal data as soon as it is no longer required for the aforementioned purposes, the personal data is no longer required for any administrative and judicial proceedings and there are no other statutory obligations to provide evidence and retention (e.g. under stock corporation, commercial and/or tax law) or justification grounds for storage. After the expiry of the retention obligations, the data will be deleted.

Further Information
We also commission subprocessors (in particular Meet2Vote AG) as well as affiliated companies from our undertaking to process data, especially in connection with our Annual General Meeting. They receive from the company and the banks or the registrar only such personal data as is necessary for the execution of the respective order. Insofar as they process your personal data, they work for us by way of order processing in accordance with the provisions of Art. 28 GDPR.

In addition, personal data will be made available to shareholders and shareholder representatives within the framework of the statutory provisions, on the basis of inspection rights, in the list of participants, as part of the minutes of the meeting and, for example, in the case of requests to speak, motions or nominations in the (virtual) meeting, and can be viewed during the virtual Annual General Meeting. This also applies to questions that shareholders or shareholder representatives may have asked in advance.

In accordance with Section 129 of the AktG, shareholders of 1&1 AG or shareholder representatives may inspect any personal data recorded in the list of participants up to two years after the Annual General Meeting.

1. Data processing by data processors
For the processing of your data we will use specialized service contractors to some extent. Such service contractors are carefully selected and regularly monitored by us. Based on respective data processor agreements, they will only process personal data upon our instruction and strictly in accordance with our directives.

2. Processing of data outside the EU / the EEA
In part your data will also be processed in countries outside the European Union ("EU") or the European Economic Area ("EEA"), which may have a lower data protection level than European countries. In such cases, we will ensure that a sufficient level of protection is provided for your data, e.g. by concluding specific agreements with our contractual partners, or we will ask for your explicit consent to such processing.

3. Non-disclosure of personal data to third parties
We do not disclose your personal data to third parties, unless you have consented to sharing personal data or it is required or permitted by law, by administrative or by judicial order, in particular as regards the purpose of forwarding the personal data referred to prosecution proceedings, hazard prevention or the enforcement of intellectual property rights.

1. Information regarding your rights as a data subject
Every data subject has the following rights that he or she can exercise against us:

• Information about your personal data in accordance with Art. 15 GDPR
• Correction of your personal data in accordance with Art. 16 GDPR
• Deletion of your personal data in accordance with Art. 17 GDPR
• Restriction of processing of your personal data in accordance with Art. 18 GDPR
• Transfer of certain personal data to you or a third party designated by you in accordance with Art. 20 GDPR

You also have the right to lodge a complaint with the responsible data protection supervisory authority (Art. 77 DSGVO i.V.m. § 19 BDSG).

For questions regarding telecommunication services
Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Straße 153
53117 Bonn

For questions regarding our webpage as well as general data protection topics
State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate
Postfach 30 40
55020 Mainz

The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.

Withdrawal of consent
You have the right to withdraw your given consent at any time (Art. 7 Abs. 3 DSGVO). The withdrawal will only affect future processing, which means it does not affect the legality of the data processed until the withdrawal.

Individual objection (Art. 21 I DSGVO)
You can object to the processing of your personal data in accordance with Art 6 I e) or f) GDPR at any time, on grounds relating to your particular situation

Objection against direct marketing (Art. 21 II DSGVO)
According to Art. 21 II GDPR, data processing for direct marketing, as well as for profiling associated with direct marketing, can also be objected to.

Your withdrawals and objections can be addressed to the contact details below at Section “2. Contact”.

2. Contact
Would you like to exercise one of your rights or support around data protection issues? Please feel free to contact our data protection officer Dr. Julia Zirfas and the data protection team.

Please send a letter to:
Group Data Protection Officer
1&1 AG
Elgendorfer Straße 57
56410 Montabaur

Or send an email to:
datenschutz@1und1.de

3. Right to amend the data protection statement
We reserve the right to alter this data protection statement at any time with or without notice with future effect. The current version is available on the webpage. You should therefore check back to the data protection statement regularly when visiting our website.