Notice regarding the processing of personal data to shareholders and shareholder representatives in relation to the virtual Annual General Meeting

We take the protection of your personal data very seriously. Your privacy is very important to us, and we would thus like to inform you how we will process your data in our Company for the Annual General Meeting and for the use of the online service and how you can exercise your rights.

1. Who is responsible for data processing and how can you get in touch with our Data Privacy Officer?

The entity responsible for processing your personal data is RWE Aktiengesellschaft, RWE Platz 1, 45141 Essen, Germany. You can reach our Data Privacy Officer at the aforementioned address or via e-mail at dataprotection@rwe.com.

2. Participation in the Annual General Meeting

2.1 Which of your personal data will be processed and why?

If you register for the Annual General Meeting, we will process such data as your name, surname, address, where applicable your e-mail address, and information concerning your shares (number and type of share ownership) as well as your log-in data for the online service, in order to enable you to exercise your rights as shareholder in connection with the Annual General Meeting.

If you authorise another person to exercise your rights pertaining to the Annual General Meeting, we will process such data as their name, surname, address and, where applicable, their e-mail address in order to ensure the orderly conduct of the Annual General Meeting. 

When we receive requests for supplements to the Agenda, countermotions or candidate nominations, we are obliged to publish some of your personal data to comply with German stock corporation law. Further personal information we receive from you may be processed in this context.

If you submit a statement prior to the Annual General Meeting, with regard to a potential publication of your statement, your name will be published in the online service for shareholders which is only accessible for shareholders.

If you exercise your right to vote, speak and ask questions, your voting decisions will be recorded and the data from the microphone and video camera of your device will be processed to enable the display of video and the playback of audio. For the purpose of following up on the event, the contributions made by you will be processed in transcribed form. 

Shareholders connected to the Annual General Meeting or shareholders represented by authorized representatives and authorized representatives connected to the General Meeting are included in the participants register mandated by law.

2.2 What sources does the data come from?

We will process personal data that we receive from you or via intermediaries. If you are acting as an authorized representative of a shareholder, we will receive the personal data from the shareholder. As a rule, shareholders are obligated to provide the data required to conduct the Annual General Meeting.

2.3 What is the legal basis for processing the data?

RWE Aktiengesellschaft will process your personal data only for the following purposes:

  • exercise of your shareholder rights before and during the Annual General Meeting,
  • fulfilment of requirements under German stock corporation law (e.g. compilation of the participants register) and
  • fulfilment of further statutory obligations, e.g. monitoring regulations and archiving obligations.

The legal basis for this data processing can be found in Article 6, Paragraph 1, Sentence 1(c) of the General Data Protection Regulation (‘GDPR’) in conjunction with the provisions of the German Stock Corporation Act and the Introductory Act to the German Stock Corporation Act.

Furthermore, we may process your personal data in accordance with Article 6, Paragraph 1, Sentence 1 (f) GDPR to safeguard justified interests such as

  • organisation and orderly conduct of the Annual General Meeting,
  • defence in litigation and
  • statistics (e.g. shareholder development and an overview of the major shareholders).

2.4 Who will receive your personal data?

In connection with the conduct of the Annual General Meeting, RWE Aktiengesellschaft commissions various external service providers and advisors which process your personal data on behalf of RWE Aktiengesellschaft solely within the EU (’Contracted Data Processing Entities’). These Contracted Data Processing Entities act solely upon instructions from RWE Aktiengesellschaft and will only receive the personal data required for them to meet their contractual obligations vis-à-vis RWE Aktiengesellschaft. 

In certain cases, personal data will also be made available to public authorities and publication media on the basis of statutory provisions and to shareholders and shareholder representatives via the participants register in accordance with section 129 of the German Stock Corporation Act. 

Upon request, every shareholder has the right to inspect the participants register for up to two years after the Annual General Meeting. 

You may request further information and copies of the relevant agreements at any time. You can reach us and the Data Privacy Officer via the contact information provided in Item 1.

2.5 How long is your personal data stored?

Personal data regarding the Annual General Meeting is generally stored for up to three years. Personal data in connection with the submission of questions or statements is generally stored for up to one year. This personal data is usually deleted after this period.

Moreover, personal data is stored, if so required, to meet legal obligations to discharge the company's burden of proof and archive the data. Such obligations arise under, inter alia, the German Commercial Code, the German Fiscal Code or the German Money Laundering Act. In certain cases, the Company might have a justified interest in prolonging the storage period, for instance in connection with litigation and out-of-court disputes concerning the Annual General Meeting. 

3. Operation of the online service

3.1 Provision of the online service and log files

In the following, you will learn how we process your personal data in connection with the provision of the online service and the creation of log files.

3.1.1 Which of your personal data do we use?

Each time our online service is accessed, our system automatically collects data and information from the operating system of the accessing device. In addition to non-personal data (e.g. the domain name of the website from which you came; the websites you visited in our offer; the names of the files accessed; the date and time of an access; the name of your internet service provider; as well as, if applicable, the operating system and browser version of your device; the host name of the accessing computer; language settings), your IP address is processed in the process.

3.1.2 What are the sources of the data?

The data is collected from you by being automatically transmitted from the device you are using to our system.

3.1.3 What do we process your data for and on what legal basis?

The data is initially collected in order to be able to provide the online service technically. In this case, the legal basis is our legitimate interest. In addition, we store the data - in pseudonymised form in log files - for security purposes, in particular to detect and counteract attacks on our online service, for statistical purposes and to optimise our online service. In these cases, the processing is based on our legitimate interest in ensuring the purposes just mentioned.

3.1.4 Who do we share your data with?

We use external service providers who also receive personal data as part of their task performance. In these cases, we ensure that the processing of your personal data is carried out in accordance with the provisions of the GDPR and the German Data Protection Act or the respective national data protection laws. 

As a matter of principle, your data will not be passed on to other third parties unless we are obliged to do so due to statutory or administrative orders.

3.1.5 How long is your data stored?

We store the data for a period of 30 days.

3.1.6 Is there an obligation to provide your data?

There is neither a legal nor a contractual obligation to provide the data. However, if you do not provide the data, it will not be possible to use the online service.

3.2 Optimisation of the online service through cookies 

We use cookies in our online service. Cookies are text files that contain a characteristic string of characters and enable unique identification of the device. They are stored in the internet browser or by the internet browser in your operating system when you access the online service. When the website is accessed again, the operating system can be identified in this way and certain information can be transferred automatically. 

The information stored via cookies can fulfil different functions. In our online service, we only use necessary cookies that serve the technically flawless operation and ensure its stability:

Name cookie Purpose Service Provider Storage time
WebSessionID Support error analysis / investigation cyber attacks ADEUS
Session
JSESSIONID
Required to identify the user during navigation steps within the application
ADEUS Session
HideCookieNotice Required to control the hiding of the cookie banner ADEUS Six months

 

When accessing our online service, you will be informed about the use of cookies by the info banner. The legal basis for this processing is § 25 para. 2 no. 2 of the Telecommunications Telemedia Data Protection Act (TTDSG) and Art. 6 para. 1 sent. 1 lit. f GDPR.

The data collected via cookies on the use of the online service is anonymised and not combined to form shareholder or profile data.

There is no obligation to provide the data. However, the required cookies are necessary for the online service to function properly.

4. What data privacy rights do you have?

You can exercise the following rights in compliance with the following statutory regulations:

  • Article 15 GDPR: right to information as well as right to receive a copy of the data processed;
  • Article 16 GDPR: right to request corrections to erroneous data;
  • Article 17 GDPR: right to request deletion of your data if there are no legal grounds for its continued storage;
  • Article 18 GDPR: right to request a limitation of processing;
  • Article 20 GDPR: right to transmission of all data provided to us by you. This means that we provide them to you in a structured, customary and machine-readable format; and 
  • Article 21 GDPR: right to object to data processing pursuant to Article 6, Paragraph 1, Sentence 1(f) GDPR if substantiated by your specific situation.

To exercise these rights, please get in touch with us via the contact information provided in Item 1.

Without prejudice to other legal recourse, you are entitled to file a complaint with a regulatory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement. 

The competent regulatory authority for RWE Aktiengesellschaft:

The Officer for Data Protection and Freedom of Information of the State of North Rhine-Westphalia

P.O. Box  20 04 44
40102 Düsseldorf
Germany
T: +49 211 38424 – 0
F: +49 211 38424 – 999
E-mail: poststelle@ldi.nrw.de

5. Automatic decisions and profiling

No automatic decisions will be taken and no profiling will be performed.