Hamburger Hafen und Logistik AG (HHLA) attaches great value to the protection of your data and your privacy. In this data privacy statement we inform you about which personal data of our shareholders or their authorised representatives we process in connection with the preparation, execution and follow-up of our virtual Annual General Meeting, and which rights you have according to Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and the Federal Data Protection Act (BDSG) with regard to the processing of your data.
We will hold the Annual General Meeting remotely in 2022 by means of telecommunications (virtual Annual General Meeting) with the opportunity to participate through electronic channels. The shareholders and their proxies therefore cannot participate in the Annual General Meeting in person. However, you can follow audio and video transmission of the entire General Meeting via a password-protected internet service (shareholder portal) which also provides the electronic channel. The shareholder portal will be operated exclusively on our behalf and according to our instructions by our service provider HV AG, Jakob-Oswald-Strasse 4, 92289 Ursensollen, Germany. It can be accessed via the company’s website at www.hhla.de/shareholderportal.
Information on data protection
The responsible body is
Hamburger Hafen und Logistik AG
Bei St. Annen 1, 20457 Hamburg, Germany
Phone: +49 40 3088-0, Fax: +49 40 3088-3355, E-mail: firstname.lastname@example.org
Please contact our data protection officer if you have any questions regarding this information.
Our data protection officer can be contacted either either at the above address or by e-mail at email@example.com
In connection with the execution of our virtual Annual General Meeting, we process the following personal data of our shareholders:
We also process the name and address of any proxy authorised by the shareholder. Whenever shareholders or their proxies contact us, we also process the personal data that is necessary to respond to the respective concern, such as the email address or phone number.
We also process information on motions, questions, follow-up questions, nominations and other requests from shareholders or their proxies that are submitted with regard to the General Meeting, as well as your voting behaviour.
If you take part in our virtual Annual General Meeting as a guest, we will process the following data from you: Name, address, position/function, if applicable, company and individual access data for the shareholder portal (guest card or access number and PIN).
When you visit our online shareholder portal, we collect data on your access to the portal. The following data and device information is recorded in the web server log files: retrieved or requested data; date and time of retrieval; notification of successful retrieval; type of web browser and operating system used; IP address; shareholder number and session ID; and recognition and acceptance of the conditions of use. Your browser transmits this data to us automatically when you visit our shareholder portal.
We process your personal data in compliance with all relevant legal provisions, especially the GDPR, the BDSG, the German Stock Corporation Act (AktG) and the Act Concerning Measures Under the Law of Companies, Cooperative Societies, Associations, Foundations and Commonhold Property to Combat the Effects of the COVID-19 Pandemic (COVID-19 act).
You can follow audio and video transmission of the virtual Annual General Meeting, exercise your voting right, assign proxies, submit questions, follow-up questions or state an objection for the record via the shareholder portal. To use the shareholder portal, you must log in with your shareholder number and the access information we send you, or which you provide yourself, if you are registering or have registered for electronic transmission of documents for the Annual General Meeting. The various options for exercising your rights appear in the form of buttons and menus on the user interface of the shareholder portal.
Our shares are registered. For registered shares, Section 67 AktG stipulates that these must be entered in the company’s share register and include the shareholder’s name, date of birth, address, email address and the number of shares or the share certificate numbers. If you do not provide this data, you cannot be entered in the share register and exercise your shareholder rights. As a shareholder, you are legally obligated to provide us with this information. Its processing is necessary for us to carry out our obligations under stock corporation law. The legal basis for processing is Art. 6 (1) (c) GDPR in conjunction with Sections 67, 67e (1) AktG.
Processing of the aforementioned log-in data and device information in web server log files is necessary for the technical operation of the shareholder portal, and for the detection of misuse, troubleshooting, and smooth administration of the virtual Annual General Meeting. In this respect, we have a legitimate interest in providing you with the shareholder portal as a service for shareholders and their proxies. It enables you to exercise your shareholder rights in a user-friendly way and to participate in the virtual Annual General Meeting by means of telecommunications. With regard to shareholders, the legal basis for this processing is Article 6 (1) (c) GDPR in conjunction with Section 67e (1) AktG and Article 6 (1) (f) GDPR with regard to their authorized representatives.
When you register in the shareholder portal, we process your registration information and log-in data in order to verify your authorisation to join or to take preparatory steps as a shareholder or shareholder proxy. This processing is necessary for us to carry out our obligations under stock corporation law according to Sections 118 et seq. AktG. The legal basis for processing is Art. 6 (1) (c) GDPR in conjunction with Section 67e (1) AktG
We process your personal data to handle access authorisation for the shareholder portal and to allow shareholders and their proxies to join the virtual Annual General Meeting (e.g. verification of eligibility, mailing of log-in data). This allows shareholders and their proxies to exercise their rights in the context of the virtual Annual General Meeting (including the issuance and cancellation of proxies and instructions).
In particular, we also process your voting behaviour should you or your representative exercise your right to vote during the virtual Annual General Meeting – or per postal vote via the voting function in the shareholder portal – in order to guarantee the orderly resolution and evaluation of votes in the General Meeting. In addition, we process information about your objection to resolutions of the General Meeting should you express such an objection during the General Meeting via the appropriate function in the shareholder portal.
The legal basis for this processing is Art. 6 (1) (c) GDPR in conjunction with Section 67e (1) AktG and our obligations under stock corporation law according to Sections 118 ff. AktG and, if applicable, in conjunction with Section 1 (2) No. 2 to 4 of the Covid-19 law.
Processing of your personal data is required for the proper execution of the virtual Annual General Meeting. If you do not provide the necessary personal data, it is possible that we may not be able to give you access to the virtual Annual General Meeting.
In connection with the preparation, implementation and follow-up of the virtual general meeting, we may also transfer your data to our legal advisors, tax advisors or auditors, as we have a legitimate interest in organizing the virtual general meeting in accordance with the relevant legal regulations and to do so externally to get advice. The legal basis for this processing is Article 6 (1) (f) GDPR.
If, as a shareholder or proxy, you make use of the opportunity to submit questions via our shareholder portal in the run-up to the virtual Annual General Meeting and your questions are discussed during the virtual Annual General Meeting, in principle your name is disclosed. It can be seen by other participants in the virtual Annual General Meeting. This data processing is necessary to safeguard our legitimate interests, to align the procedure of the virtual Annual General Meeting with that of an in-person General Meeting to the extent possible, and to satisfy the legitimate interest of other General Meeting participants (including our guests) in knowing the name of the person asking a question. The legal basis for this processing is Art. 6 (1) (f) GDPR.
If you do not agree to such disclosure of your name, you can object to the disclosure of your name for reasons that arise from your particular situation when submitting the question. If possible, please note this by entering a corresponding explanation in the question input mask. In addition, the statements below regarding your rights as a data subject apply.
6. Exercise of the possibility to submit follow-up questions
If you as a shareholder or proxy make use of the possibility to submit follow-up questions to questions you asked in advance to the Annual General Meeting or to the answers given by the Management Board via our shareholder portal during the virtual Annual General Meeting, we will process your follow-up questions as well as the personal data provided together with your follow-up questions in order to check whether and how your follow-up questions are to be answered during the virtual Annual General Meeting. The handling of your follow-up questions in the virtual Annual General Meeting will always be done by mentioning your name. This can be noted by other participants (including our guests) in the virtual Annual General Meeting. This data processing is necessary to protect our legitimate interest in making the virtual Annual General Meeting as similar as possible to a physical Annual General Meeting and the legitimate interest of the other participants in the Annual General Meeting in knowing the name of a questioner. The legal basis for this processing is Art. 6 para. 1 lit. f) DSGVO. If you do not consent to such disclosure of the name, you may object to the disclosure of your name for reasons arising from your particular situation already when submitting the follow-up question. If possible, please note this by entering a corresponding statement in the enquiry input mask. In all other respects, the explanations below regarding your data subject rights apply.
Your personal data may also be processed to provide company information and to maintain contact with you (investor relations). The legal basis for this processing is Article 6 (1) (c) GDPR in conjunction with Section 67e (1) AktG.
We process your data for the creation of statistics, e.g. for the presentation of shareholder developments, the number of transactions or overviews of the company’s key shareholders. The legal basis for the processing of your personal data is Art. 6 (1) (f) GDPR. We have a legitimate interest in compiling statistics so that we are aware of the composition of the shareholder structure of our company.
Likewise, your personal data is used to fulfil possible statutory reporting and disclosure obligations. In these cases, the relevant statutory provisions and Art. 6 (1) (c) GDPR serve as the legal basis for processing the data.
We may also process your personal data for the fulfilment of further statutory obligations where necessary, such as for regulatory requirements with regard to retention obligations under company, commercial or tax law. In order to comply with provisions of company law, for example, we must record in a verifiable format the data provided to document the authorisation of the voting proxies, who are chosen by the company for the Annual General Meeting. In these cases, the legal basis is also Art. 6 (1) (c) GDPR in conjunction with the respective legal regulations forms.
In individual cases, we will also process your data in order to safeguard our legitimate interests such as compliance with the securities legislation of non-European countries. This applies in particular when, in the event of capital increases, we are required to exclude certain shareholders from notifications regarding offers for subscription due to their nationality or place of residence. The legal basis for the processing of your personal data is Art. 6 (1) (f) GDPR in conjunction with Section 67e (1) AktG.
We use session cookies only for the provision of the shareholder portal and for the registration and identification of shareholders. They are critical for the shareholder portal to function properly and are deleted when the browser is closed.
It is necessary for us to set and have access to the data stored in essential cookies, and to be able to process the personal data attached to these cookies. This safeguards our legitimate interest in enabling our shareholders and proxies to visit our shareholder portal. With regard to shareholders, the legal basis for this processing is Article 6 (1) (c) GDPR in conjunction with Section 67e (1) AktG and Article 6 (1) (f) GDPR with regard to their authorized representatives.
If we intend to use your personal data for a purpose not indicated above, we will notify you of this in advance, in accordance with the applicable statutory provisions.
Every shareholder is obliged in principle to provide the information necessary for maintenance of the share register (Name, date of birth, postal address and electronic address of the shareholder as well as number of shares or share number). The intermediaries involved in the purchase or custody of your HHLA registered shares (such as credit and financial services institutes) will normally forward to us the details that are relevant to the maintenance of the register (for example, in addition to the aforementioned data, your nationality, your gender and the remitting bank). This is implemented through Clearstream Banking AG, Eschborn, which, as a central securities depository, is responsible for the technical processing of securities transactions and for the custody of shares on behalf of banks. Should you sell your shares, we will likewise be notified of this through Clearstream Banking AG. Moreover, we, or the service providers we commission, generally receive the shareholders’ personal data from you yourself.
If you act as the proxy of a shareholder, we receive your personal data from the shareholder who has given you authorisation as well as from you directly, provided that it pertains to your conduct in the virtual Annual General Meeting or your use of the shareholder portal.
We use external service providers for the administration and technical management of the share register, e.g. for the organisation of the Annual General Meeting, for printing and mailing Annual General Meeting documents and shareholder announcements, and for the execution of the Annual General Meeting (primarily for the provision of the shareholder portal through which the virtual Annual General Meeting is accessible). The service providers we commission receive only such personal data from us as is necessary for carrying out the commissioned service, and they process the data exclusively on our behalf and at our direction. All our employees, and all employees of external service providers who have access to personal data or who process it, are obliged to treat this data confidentially. In connection with the preparation, implementation and follow-up of the general meeting, we may also transfer your personal data to our legal advisors, tax advisors or auditors.
If a shareholder requests that motions be included in the agenda, we announce this motion in conjunction with the shareholder’s name when the required conditions according to the regulations of the German Commercial Code are met. We will make countermotions and election proposals by shareholders accessible on the company’s website in conjunction with the shareholder’s name when the required conditions according to the regulations of the German Commercial Code are met.
If you, as a shareholder, make use of the opportunity to submit questions (incl. follow-up questions), your questions or follow-up questions will generally be discussed during the virtual Annual General Meeting by stating your name. This can be noted by other participants in the general meeting (including our guests).
We may also be obliged to forward your personal data to further recipients such as authorities in fulfilment of statutory notification obligations (e.g. if the voting rights thresholds prescribed by law are exceeded).
We will anonymise or delete your personal data as soon as it is no longer required for the above-mentioned purposes and provided that we are not obliged to continue to store it on the basis of statutory documentation and retention obligations (e.g. under the Stock Corporation Act, the German Commercial Code or the German Fiscal Code). The data registered in connection with Annual General Meetings will normally be stored for a period of up to three years. Subject to other legal regulations, we will retain the data stored in the share register for up to twelve months after becoming aware of the termination of the shareholder status. A longer storage period takes place as an exception, insofar as this is necessary in connection with legal proceedings in which the company is involved (statutory limitation period of up to thirty years).
In the event that we forward personal data to recipients with headquarters outside the European Economic Area (third country), this will only occur insofar as the European Commission has confirmed that the third country has an appropriate level of data protection or is subject to other appropriate data protection guarantees (e.g. binding internal data protection rules or the European Commission’s standard contract clauses have been stipulated).
You may request detailed information on this and on the level of data protection for our service providers in third countries from our data protection officer.
As affected parties, shareholders and their proxies have the right, when the statutory requirements are present,
Insofar as we process your data to safeguard legitimate interests of HHLA or a third party, you may submit an objection to this processing when there are grounds in your specific situation for not processing data. In this case we will end processing, provided we cannot provide evidence that compelling legitimate grounds exist which outweigh your interests, rights and freedoms, or if processing is necessary for the establishment, exercise or defence of legal claims.
You can assert your rights with our data protection officer at the address provided in Section I. Please note that possible statutory exemptions (e.g. continuing retention requirements) may conflict with the exertion of your rights.
Irrespective of this, as an affected party you have the right to lodge a complaint with a responsible data protection authority in accordance with Art. 77 GDPR. The data protection supervisory authority responsible for HHLA is:
The Hamburg Commissioner for Data Protection and Freedom of Information
20459 Hamburg, Germany
Tel.: +49 (0) 40 42854-4040