Lufthansa : Data protection information for shareholders of Deutsche Lufthansa Aktiengesellschaft

Data protection information for shareholders of Deutsche Lufthansa Aktiengesellschaft

Since 25 May 2018, the EU General Data Protection Regulation (GDPR) applies. One of the core concerns is the transparency of data processing. We take data protection for our shareholders very seriously and therefore provide the following information about the processing of personal data by Deutsche Lufthansa Aktiengesellschaft, Cologne (Lufthansa), and the rights to which you are entitled under data protection law.

Who is responsible for data processing?

The responsible party is

Deutsche Lufthansa Aktiengesellschaft, Cologne.

Address: Venloer Strasse 151-153

50672 Cologne

Our data protection officer can be contacted at: German Lufthansa AG

Corporate Privacy Officer

FRA CJ/C

Airportring - Building LAC

60546 Frankfurt, Germany

or by e-mail at: datenschutz@dlh.de

If you have any questions about data protection in the share register, please contact the shareholder hotline at +49 (0)69 696 28008.

ADEUS Aktienregister-Service-GmbH, Munich, is responsible for managing the Lufthansa share register.

For what purposes and on what legal basis is your data processed? From whom / where do we receive your data?

We process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Stock Corporation Act (AktG) and all other applicable laws.

Lufthansa shares are registered shares with restricted transferability. In accordance with Section 67 of the German Stock Corporation Act (AktG) in its currently applicable version and the requirements of the German Aviation Compliance Documentation Act (LuftNaSiG), which is applicable to Lufthansa, the name, date of birth/incorporation, postal address, electronic address, nationality and number of shares acquired are required to add a shareholder to the share register.

The intermediaries involved in the acquisition or custody of Lufthansa registered shares within the meaning of Section 67 (4) of the German Stock Corporation Act (AktG) (e.g. credit institutions)

forward the information of the shareholders to us, which are relevant for the maintenance of the share register (e.g. in addition to the aforementioned data, also gender and submitting bank) and, if applicable, their legal or legal representatives. This is done via Clearstream Banking AG, which, as the technical central depository, is responsible for the technical processing of securities transactions and the safekeeping of shares on behalf of the banks. If you sell your shares, the credit institution also notifies us of the purchaser via Clearstream.

We use this personal data and other information that you provide to us as shareholders and, if applicable, shareholder representatives, in particular via our electronic shareholder portal (e.g. questions or voting instructions for the Annual General Meeting), for the purposes stipulated in the AktG, the Implementing Regulation (EU) 2018/1212 and the German Securities Trading Act (WpHG). These are, in particular, the maintenance of the share register, communication with you as a shareholder and, if applicable, representatives and intermediaries acting on your behalf, as well as the handling of Annual General Meetings; this also includes the preparation of statistics, such as for the presentation of the shareholder structure (pursuant to Section 6 LuftNaSiG) or for overviews of the largest shareholders (compare Section 40 WpHG). The legal basis for the processing of your personal data is §§ 67 to 67e AktG in conjunction with Art. 6 (1) lit. c) GDPR.

In the context of the Annual General Meeting, we process your personal data in order to enable you the exercise of your shareholder rights at the Annual General Meeting. The processing of your personal data is necessary for you to cast your vote or exercise your other shareholder rights in accordance with the provisions of AktG (Section 118 et seq. AktG; Art. 6 (1) lit. c) GDPR).

In addition, we may also process your personal data to fulfill other legal obligations, e.g. due to capital market and other regulatory requirements, obligations under stock corporation, commercial and tax law to retain data, or to compare your data with sanctions lists in order to comply with anti- terrorism legislation (e.g. EU Regulation 2580/2001). In order to comply with stock corporation law, for example, when authorizing the proxies appointed by the Company for the Annual General Meeting, we must record the data used to prove the authorization in a verifiable manner. In this case, the legal basis for processing is Section 134 (3) sentence 5 AktG and Article 6 (1) lit. c) GDPR.

Furthermore, we offer you as a shareholder the opportunity to register for our online service in order to communicate with you electronically. Please refer to section 2.3.3 of our data protection information (https://www.lufthansagroup.com/en/service/privacy.html) for more information on data protection.

Should we wish to process your personal data for a purpose not previously mentioned, we will inform you of this in advance within the framework of the legal provisions.

To which categories of European recipients do we disclose your data, if any?

External service providers:

We partly use external service providers for the administration and technical management of the share register (share register service company, IT service provider) as well as for the handling of the Annual General Meetings (AGM service provider, service provider for printing and dispatching shareholder notifications as well as for Internet transmission and video streaming). Our most important external service provider in this respect is ADEUS Aktienregister-Service-GmbH, Munich. In addition, personal data may be accessible in connection with the Annual General Meeting to the notary public who is recording the minutes of the Annual General Meeting.

Other recipients:

If you attend the Annual General Meeting, other Lufthansa shareholders may inspect any personal data recorded about you during and after the Annual General Meeting in the list of in accordance with Section 129 (4) AktG. If shareholders or their representatives authorize the proxies appointed by the Company, they will receive the personal data required for exercising voting rights in accordance with their instructions. In case of requests for additions to the agenda pursuant to Section 122 (2) AktG and in case of countermotions or election proposals pursuant to Sections 126

1. and 127 AktG (in each case in conjunction with Art. 6 (1) lit. c) GDPR), these will be published by us as stated in the AktG or described in the respective convocation to the Annual General Meeting.
   In the case of statements relating to the agenda of the Annual General Meeting in the form electronic communication, speaking contributions and follow-up questions via video communiaction, we process your data in connection with the transmission and provision of your message on the basis of (Section 130a (5) resp. Section 131 (1d) or (1e) AktG in conjunction with Art. 6 (1) lit. c) GDPR).

We are producing a recording of the Annual General Meeting. This recording will be archived by us for proof and documentation purposes. However, it will not be published. After the end of the legal retention periods, it will be deleted.

In addition, we may transfer your personal data to further recipients, such as authorities for the fulfillment of statutory notification obligations (e.g. when statutory voting rights thresholds are exceeded - BaFin pursuant to Section 33 et seq. WpHG in conjunction with Art. 6 (1) lit. c) GDPR).

How long do we store your data?

As a matter of principle, we anonymize and/or delete your personal data as soon as it is no longer required for the above-mentioned purposes and insofar as we are not obliged by law to continue retaining it (e.g. under AktG, the German Commercial Code (Handelsgesetzbuch), the German Fiscal Code (Abgabenordnung)). For data collected in connection with Annual General Meetings, the retention period is regularly up to 3 years. We must regularly retain the data stored in the share register for 10 years after the sale of the shares. Beyond this, we only retain personal data in individual cases if this is necessary in connection with legal claims asserted against Lufthansa (statutory limitation period of up to 30 years). In this case, we process your data on the basis of a legitimate interest pursuant to Article 6 (1) lit. f) GDPR.

What rights do you have as a data subject?

You may request to see the data stored about you in the shareholder register at www.lufthansagroup.com/hv-service and you can make corrections if needed. In addition, you can request information about the data stored about you by post or e-mail (datenauskunft@dlh.de) at

the above address of the data protection officer. If incorrect personal data about you is processed, you have the right to have this data corrected. In addition, you may, under certain conditions, request the deletion of your data as well as a restriction of processing (e.g. if your data is processed unlawfully). Likewise, you have the right to data portability by making personal data accessible in electronic form. Further information on your data protection rights can be found in Articles 15 et seq. GDPR and Sections 67, 67e AktG.

You have the right to revoke your consent to the publication of your name, which was published on the website in connection with the question that was asked, at any time without affecting the lawfulness of the processing carried out on the basis of the consent until revocation. You can revoke the consent you have given at the e-mail address hv-service@dlh.de.

If the legal basis for the data processing is the legitimate interest according to Art. 6 (1) lit. f) GDPR, you can request further information at the email address investor.relations@dlh.de.

Right to object:

Insofar as your data is processed for the purpose of safeguarding legitimate interests, you may object to this processing at any time at the above address, provided that reasons arise from your particular situation which conflict with this data processing. The data processing will then be terminated unless the Company can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or where the processing serves the purpose of asserting, exercising or defending legal claims.

Would you like to make a complaint about how your data is handled?

You have the option of contacting the address of the data protection officer mentioned above or a data protection supervisory authority. Our responsible data protection regulatory authority is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (State Data Protection and Freedom-of-Information Authority Hessen) Hessen

PO Box 3163

65021 Wiesbaden

Tel.: 0611/1408-0

Fax: 0611/1408-900 / 901

E-mail: poststelle@datenschutz.hessen.de

-------

Translation for convenience only; In case of any discrepancy or ambiguity the German version shall prevail.

Version dated: March 2024.

We will notify you of any relevant changes to this information where necessary.