Data protection notice for shareholders
properties.trackTitle
properties.trackSubtitle
Information on data protection for shareholders of Munich Reinsurance Company and for shareholder representatives*
A primary objective of the EU General Data Protection Regulation (GDPR) is transparency in data processing. We take data protection very seriously for our shareholders and their statutory or contractual representatives. In the present notice, we would therefore like to explain how your personal data will be processed by Münchener Rückversicherungs-Gesellschaft Aktiengesellschaft in München (“Munich Re” or “we”), and to inform you of your rights under data protection law.
Who is responsible for processing your data?
Münchener Rückversicherungs-Gesellschaft
Aktiengesellschaft in München (Munich Reinsurance Company)
Königinstrasse 107
80802 Munich, Germany
Tel.: +49 (89) 38 91 22 55
Fax: +49 (89) 39 91 7 22 55
Email: shareholder@munichre.com
If you have any questions about this information, you may contact our Data Protection Officer. You can contact the Officer by writing to the above-mentioned postal address to the attention of “Data Protection Officer / Group Compliance & Legal”. Alternatively, you can send an email to datenschutz@munichre.com.
For what purposes, and on what legal grounds, will your data be processed? Who do we receive what data from?
Munich Re shares are registered shares. For registered shares, Section 67 of the German Stock Corporation Act (AktG) provides that the shareholder’s name, date of birth, both a postal and electronic address, and the quantity of shares or share number must be entered into the Munich Re share register. Shareholders are fundamentally obliged to provide this information to Munich Re. The intermediaries within the meaning of Section 67(4) of the AktG (e.g. banks) involved in the acquisition or safekeeping of Munich Re registered shares regularly forward to us the information pertinent to maintaining the share register – more specifically, the relevant information (such as the above-mentioned data as well as citizenship, sex and remitting bank) of shareholders and, where applicable, the information for their statutory or legal representatives. This is done both by the intermediaries in response to inquiries by Munich Re for disclosure of shares held by nominees (Sections 67(4) sentences 2 and 3, and 67d of the AktG), as well as by Clearstream Banking AG, which acts as a central depository that processes securities transactions and holds the shares for the financial institutions. In addition, intermediaries such as Clearstream Banking AG notify us when a shareholder sells their Munich Re shares.
Shareholders who do not exercise their shareholder rights in person may appoint a proxy. The shareholder regularly informs us of the proxy's name and place of residence and, if applicable, their exact address.
We use this personal data, and further information that you communicate to us as a shareholder (proxy), particularly via our electronic shareholder portal (e.g. registration for electronic mailing, or voting instructions for the AGM), for the purposes set out in the AktG, the Implementing Regulation (EU) 2018/1212, and the German Securities Trading Act (WpHG). In particular, this includes maintaining the share register, communicating with you as a shareholder (proxy) and any intermediaries acting on your behalf, as well as preparing, organising and following up on Annual General Meetings. This also includes the compiling of statistics (e.g. for the presentation of shareholder development, number of transactions or for overviews). The legal basis for processing your personal data is the German Stock Corporation Act (AktG, particularly Sections 67 and 67e) in conjunction with Article 6[1]{c} and [4] of the GDPR.
In the context of the Annual General Meeting, we process your personal data in order to enable you to exercise your rights and opportunities at the Meeting. Processing your personal data is necessary for you to vote, or to exercise your other shareholder rights under stock corporation law (Sections 118 ff. of the AktG) ; Art. 6[1]{c} of the GDPR). If you submit a statement as part of a virtual Annual General Meeting, your personal data will be processed on the basis of Section 130a of the AktG in conjunction with Art. 6[1]{c} of the GDPR and, if you register to receive the invitation documents to the Annual General Meeting by email, on the basis of your consent (Section 49(3) of the WpHG, Art. 6[1]{a} of the GDPR). You may withdraw your consent for the future at any time. However, withdrawing consent does not affect the lawfulness of any processing done based on the consent before it was withdrawn.
In addition, we may process your personal data to comply with other legal obligations such as capital-market or other supervisory requirements, document-retention obligations under share, commercial or tax law, or when comparing your data against sanctions lists in order to comply with legal provisions on combating terrorism (e.g. Council Regulation [EC] 2580/2001). To comply with securities law, we must – for example in cases where the AGM proxy nominated by our Company has been authorised by a shareholder to exercise voting rights – transparently and securely record the data serving as proof of the authorisation. In such cases, the legal grounds for processing personal data are the respective statutory regulations and Article 6[1]{c} of the GDPR.
In certain cases, we also process your data to protect our legitimate interests as per Article 6[1]{f} of the GDPR. This is particularly the case if it is necessary to comply with legal requirements outside Europe, e.g. we may therefore have to exclude individual shareholders from the information on subscription offers in the case of capital increases, due to their nationality or place of residence. We record the names and addresses of other parties (e.g. media), who wish to attend our Annual General Meeting, so that we can issue personalised admission cards for authorised access. Without this data, we could not guarantee a safe and secure Annual General Meeting – and no admittance would be possible.
Should we wish to process your personal data for a purpose not listed above, we will inform you of this in advance pursuant to applicable law.
Log data and cookies when using our shareholder portal
When you register for the shareholder portal, we compare your registration data with the data stored with us in the share register/shareholder portal (in particular shareholder number and PIN or self-assigned password) or, if applicable, the data stored with your admission ticket (ticket number and PIN) in order to ensure that only authorised persons have access to the information available in the shareholder portal and can use the services in the shareholder portal. We document your login to, and use of, the shareholder portal as well as the data you enter and your use of the services, in order to document the actions you undertake.
The following data and device information is temporarily logged in the web server log files and only analysed in the event of error analyses and cyber attacks: Retrieved or requested data, date and time of retrieval, notification of whether the retrieval was successful, type of web browser and operating system used, IP address, session ID, login and account service functions as well as acknowledgement and acceptance of the terms of use.
Whenever you use the shareholder portal, “local storage technology” stores small cookie-like files in your browser’s cache – in local storage, in other words. These files are needed to ensure smooth operation and security, thus allowing you to use the shareholder portal and its features. On the one hand, they are similar to cookies and contain a user’s authentication data and session data after they log in to the shareholder portal. This means that you remain logged in even after switching to another page of the portal, and your user-specific configuration of the portal functions (e.g. the selected language) is retained during the session. For security reasons, a second file automatically logs a user out after 30 minutes of inactivity. The files that we use – which are stored temporarily in your browser – are called session cookies. They are automatically deleted when you log out of the portal, or after one day in the case of video transmission.
The legal basis for the use of such cookies is Section 25(2) no. 2 of the German Telecommunications and Telemedia Data Protection Act (TTDSG), as this is necessary to provide the Internet communication you have requested. The further processing of the information collected by means of the strictly necessary cookies is based on legitimate interests in accordance with Art. 6][1]{f} of the GDPR. Our legitimate interest in data processing lies in the reliable operation of our shareholder portal and its features.
You can delete local storage content, including the above-mentioned cookies, while you are still logged in. To do so, delete the cookies in your browser; depending on the browser you use, select the “History” or “Local data” settings. Please note that our shareholder portal might not work as desired if you delete cookies while logged in.
You are not obliged to use our shareholder portal or, by extension, to provide us with your personal data. But if you would like to use the shareholder portal and its features (with regard to the AGM), you must provide the corresponding data to us. Without your data, Munich Re cannot offer these features. We only collect the data that is actually required.
To which categories of recipients do we forward your data?
External service providers and consultants:
We rely in part on external service providers for the administration and technical maintenance of the share register (service company for share register, IT service providers) as well as for managing the Annual General Meeting every year (AGM service providers, operating the shareholder portal, service providers for printing and sending notifications to shareholders, and for internet transmission and video streaming). In this context, our most important external service provider is Computershare Deutschland GmbH & Co. KG, Elsenheimerstrasse 61, 80687 Munich. In addition to the notary who drafts the Annual General Meeting minutes, we may also hire other advisors or lawyers in connection with the AGM, who may have access to personal data.
Additional recipients:
If you take part in the Annual General Meeting as a shareholder or proxy, other Munich Re shareholders or their representatives, as defined in Section 129 of the German Stock Corporation Act (AktG), can view your personal data if it appears in the list of AGM attendees. At virtual Annual General Meetings, a statement submitted by the shareholder (proxy) prior to the Annual General Meeting must also be made available to other shareholders in accordance with Section 130a(3) of the AktG. If a shareholder or proxy authorises the proxies appointed by our Company to exercise voting rights, those proxies will have access to the personal data needed to exercise voting rights as instructed. In the case of requests for additions to the agenda in accordance with Section 122(2) of the AktG, and in the case of countermotions and election proposals in accordance with Sections 126(1) and 127 of the AktG, we will also make these publicly accessible as provided for in the AktG or described in the respective invitation to the Annual General Meeting.
In addition, we may be obliged to disclose personal data to other recipients, for example shareholder data to government agencies to fulfil our statutory reporting duties (for example, if statutory thresholds on voting power are exceeded, or if the supervisory authority requests information under Section 306(1) of the German Insurance Supervision Act (VAG)).
How long will we store your data?
As a rule, we anonymise or delete your personal data as soon as it is no longer necessary for the aforementioned purposes, unless statutory documentation and retention rules (e.g. in the Stock Corporation Act, German Commercial Code (HGB) or Tax code (AO)) require us to keep it for longer. The data collected in connection with Annual General Meetings is routinely stored up to three years. We usually have to retain the data stored in our share register for a period of 10 years after the shares are sold. We will store your personal data for longer than that only in exceptional cases, where necessary in connection with claims asserted against Munich Re (statutory limitation period of up to 30 years).
How do we transmit data to countries outside Europe?
If we need to transfer personal data to service providers outside the European Economic Area (EEA), we will do so only if the European Commission has confirmed that the respective country’s level of data protection is sufficient, or if data protection is otherwise sufficiently guaranteed (for example, through binding corporate rules or the agreement of the European Commission’s standard contractual clauses). You can write to the above-mentioned address to obtain detailed information and to learn more about the level of data protection at our service providers in non-EEA countries. If necessary, we also transfer personal data contained in mandatory notifications to shareholders to third countries on the basis of Art. 49[1]{b} of the GDPR (e.g. in the case of requests for additions to the agenda).
What data protection rights do you have?
At the address indicated above, you may request access to the personal data we process about you. Shareholders can use the shareholder portal (www.munichre.com/register) to access their key personal data that appears in the share register and can write to the above-mentioned address to inform us of any necessary changes. In addition, under certain conditions you may request the deletion of your data (e.g. if your data was processed unlawfully), the restriction of processing, or receipt of the data you provided to us. You will find further information about your data protection rights in Articles 15 ff. of the GDPR and Sections 67 and 67e of the AktG.
Right to object:
If we process your data to protect our legitimate interests, you may, by contacting the address indicated above, object to this processing on grounds relating to your particular situation. We will then stop the processing, unless we have compelling legitimate grounds to do so which override your interests, or it serves the establishment, exercise or defence of legal claims.
Would you like to file a complaint about how your data is being handled?
You may contact our aforementioned Data Protection Officer (see above) or the data protection authorities. The data protection authority responsible for Munich Re is:
Bayerisches Landesamt für Datenschutzaufsicht
(Data Protection Authority of Bavaria for the Private Sector), Promenade 18, 91522 Ansbach, Germany
https://www.lda.bayern.de/de/kontakt.html.
From time to time, changes in technology or the further development of our shareholder portal, among other things, lead to adjustments to our data protection information. Please note the current version when you visit.