Last update: August 11th, 2020
PAUL HARTMANN AG
Contact Data Protection:
PAUL HARTMANN AG
Department CFO-DPM / DPO
PAUL HARTMANN AG shares are registered shares with no par value (no-par shares). In the case of registered shares, section 67 of the German Stock Corporation Act (hereinafter referred to as "AktG") stipulates that these must be entered in the company's share register, stating the name, date of birth and address of the shareholder as well as - in the case of no-par-value shares - the number of shares or the share number. You, as a shareholder, are generally obliged to provide PAUL HARTMANN AG with this information.
As a rule, the credit institutions involved in the acquisition, sale or custody of your HARTMANN registered shares forward to us on your behalf the compulsory data and other information relevant to the maintenance of the share register (e.g. in addition to the aforementioned personal data, also nationality, gender and submitting bank). This is done via Clearstream Banking AG, which, as the central securities depository, is responsible for the technical processing of securities transactions and the safekeeping of shares for the credit institutions.
Having said this, we process your personal data in accordance with the provisions of the General Data Protection Regulation (hereinafter referred to as "GDPR"), in particular in connection with the German Stock Corporation Act (AktG), the German Federal Data Protection Act (hereinafter referred to as "BDSG") and other applicable data protection regulations, whereby you as a shareholder are the data subject in the sense of data protection law (in the case of proxy voting at the Annual General Meeting, also the shareholder representative).
2.1 Purposes in the context of legitimate interests of us or third parties (Art. 6 (1) f GDPR)
We process your personal data if it is necessary to protect the legitimate interests of us or third parties, provided that no overriding interests on your part (including fundamental rights and freedoms) speak against such processing. Our purposeful interests can be in particular:
- Mention of your name or the name of the shareholder representative when answering questions at annual general meetings;
- Production and publication of photo and video recordings in the overview in the context of the Annual General Meeting;
- Attendance as a guest at the Annual General Meeting;
- Sending of quarterly information (especially our quarterly information "Inform");
- Sending of business reports of the HARTMANN GROUP if you have requested to receive them;
- Conducting satisfaction surveys;
- Preparation of statistical analyses that are not related to shareholder relationships;
- Ensuring the stability of the servers (e.g. avoiding denial of service attacks);
- Guarantee of (technical) access to the shareholder portal, in particular provision of registration and log-in facilities, use of forgotten password function, etc.
2.2 Purposes within the scope of your consent (Art. 6 (1) a GDPR )
If you have given your consent in our shareholder portal to contact you by way of digital communication in order to receive information from PAUL HARTMANN AG digitally in the future (in particular the invitation to the Annual General Meeting and other information such as the quarterly information "Inform"), we process your personal data (in particular your email address) on the basis of the consent given in each case (Art. 6 (1) a GDPR).
You can withdraw your consent for the future at any time. Processing that took place before the withdrawal is not affected by this and therefore remains lawful. We would like to point out that we will probably no longer be able to provide any of the corresponding services after withdrawal.
The granting of consent is voluntary. You are therefore not obliged to give your consent and you will not suffer any legal disadvantages if you do not give your consent.
2.3 Purposes for the fulfilment of legal requirements (Art. 6 (1) c GDPR in conjunction with in particular § 67e (1) AktG, if applicable also in conjunction with Art. 6 (4) GDPR
We process your personal data in the shareholder relationship with you on the basis of the provisions of statutory regulations, in particular for the following purposes:
- Maintenance of the share register;
- Communication of information to you as a shareholder, e.g. sending financial publications or our quarterly information "Inform";
- Provision of the shareholder portal for cooperation and communication with you as a shareholder, in particular to ensure and enable annual general meeting (AGM) services (e.g. ordering admission tickets and answering contact and service requests), providing certain information (e.g. financial publications or our quarterly information "Inform"), etc.;
- Planning, implementation and follow-up of annual general meetings, which includes in particular the documentation;
- Proof of authorisation of the shareholder representative;
- Making the list of participants available pursuant to § 129 (4) AktG;
- Preparation of statistics related to shareholder relations, e.g. presentation of shareholder development, number of transactions or overview of the largest shareholders;
- Fulfilment of other requirements under stock corporation, commercial and tax law (e.g. compliance with retention periods).
To the extent necessary for the establishment, execution and termination of the shareholder relationship with you, in addition to the personal data we received directly from you, we process any personal data lawfully received from third parties (in particular from intermediaries and Clearstream Banking AG), cf. Art. 14 GDPR.
In particular, we process the following categories of data:
- Basic data (e.g. title, gender, first and last name, title, residential address, country, nationality, date of birth);
- Contact details (e.g. email address, telephone number);
- Share details (e.g. number of shares, class of shares, type of ownership of shares, shareholder number);
- Access data (e.g. e-mail address and password);
- Content data (e.g. text input, photographs, videos);
- Metadata (e.g. log files and IP addresses).
As a matter of principle, we only process your personal data within the company. Within our company, those internal departments or organisational units receive your personal data insofar as they require it to fulfil the purpose and within the scope of processing. Internal data recipients are obliged to use your personal data only to the aforementioned extent.
If we transfer your personal data to other persons, companies or other third parties (such as authorities for the fulfilment of legal notification obligations) or grant them other access to the personal data, this will only be done on the basis of a legal permission. If we commission third parties with the processing of personal data on the basis of a so-called "data processing agreement" (e.g. for the maintenance of the share register, for the dispatch of invitation documents or for the implementation of a virtual Annual General Meeting) and thereby secure for ourselves, among other things, the necessary powers of influence or control with regard to the processing and use of the personal data, this is done on the basis of Art. 28 GDPR. Contractors will therefore only act in accordance with our instructions. We remain responsible to you for the lawfulness of the data processing.
In principle, we process and store your personal data for the duration of the shareholder relationship. Therefore, if we become aware that you are no longer a shareholder of PAUL HARTMANN AG, basically we will only store your personal data for a maximum of 12 months (cf. § 67e (2) AktG).
This does not apply if, among other things, legally prescribed retention periods prevent from erasure (cf. Art. 17 (3) GDPR) and/or another case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.
Incorrect and/or incomplete data will be deleted or - as far as possible - corrected without delay in accordance with Art. 5 (1) d GDPR.
The processing of your personal data only takes place on the territory of the Federal Republic of Germany or in another member state of the European Union or in another state party to the Agreement on the European Economic Area. However, if processing - and thus at the same time transfer - of your personal data to third countries (e.g. USA) is necessary, in particular in connection with the involvement of service providers in the context of processing personal data on behalf, we will ensure that the specific legal requirements for such processing operations are met and thus that an adequate level of data protection prevails in the respective third country. This includes, in particular, checking whether the European Commission has decided that an adequate level of protection exists in a third country (cf. Art. 45 of the GDPR) or whether suitable or adequate safeguards (e.g. standard data protection clauses) are in place and the enforcement of your rights is guaranteed as well as whether sufficient technical and organisational measures are in place to protect your personal data.
Information about the appropriate or adequate safeguards, and how and where to obtain a copy of them, is available on request from Data Protection via the contact channels set out in this Privacy Notice.
- You have the right to withdraw your consent to the processing of your personal data in accordance with Art. 7 (3) GDPR at any time with effect for the future. Processing that took place before the withdrawal therefore remains lawful.
- According to Art. 15 GDPR, you can request information about your personal data processed by us.
- Pursuant to Art. 16 GDPR, you may request the immediate correction of inaccurate or incomplete personal data stored by us.
- Pursuant to Art. 17 GDPR, you may demand the erasure of your personal data stored by us in accordance with the conditions stated therein, unless legally prescribed retention periods prevent from immediate erasure (cf. Art. 17 (3) GDPR) and/or another case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.
- Pursuant to Art. 18 (1) GDPR, you may request the restriction of data processing if one or more conditions pursuant to Art. 18 (1) GDPR lit. a to d are met.
- Pursuant to Art. 20 (1) GDPR, you may receive the personal data processed by us in a structured, common and machine-readable format and transfer this personal data to another controller without hindrance from us.
- Furthermore, you may object to the processing of your personal data pursuant to Art. 21 (1) GDPR. In the event of an objection, we will stop processing your personal data. However, the right to object only applies in the event of special circumstances arising from your personal situation. In addition, compelling legitimate grounds which justify the processing may prevail. In addition, certain processing purposes may conflict with your right to object.
- Pursuant to Art. 21 (2) GDPR, you have the right to object to the processing of personal data concerning you for the purpose of direct marketing at any time without further requirements. This also applies to profiling, insofar as it is connected with such direct marketing. If you object, your personal data will no longer be processed for these purposes (cf. Art. 21 (3) GDPR).
- Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with the competent supervisory authority (cf. Art. 77 GDPR) if you believe that the processing of your personal data violates data protection provisions. In this context, however, we ask you to first address a possible complaint to the contact details provided under No. 1 above.