The following information is only a non-binding translation of the German data protection declarations and guidelines. Legally relevant and binding are the original declarations in German language only, which can be obtained at the same place on the original German website.

Information on data protection for shareholders of POLIS Immobilien AG

The following notes provide you with information on how your personal data is collected and processed by POLIS Immobilien AG (“POLIS”) and on your privacy rights.

POLIS processes your personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR), the German Stock Corporation Act (AktG) and other applicable legislation.

The purpose of processing the data is to enable shareholders and shareholder representatives to participate in the virtual Annual General Meeting as well as to exercise their rights before and during the virtual Annual General Meeting. This data is both share-specific and Annual General Meeting-specific, and comprises in particular name, place of residence or address, an e-mail address if provided, the respective shareholding (number of shares, classes of share, form of ownership of shares), the admission ticket number  and any voting proxies or instructions issued. Further personal data may also be involved, as the case may be.

The legal basis for data processing is Art. 6 (1) sentence 1 c) of GDPR in conjunction with Section 129 (4) of the German Stock Corporation Act, insofar as necessary to fulfil statutory requirements. POLIS in addition processes personal data on the basis of Art. 6 (1) f) GDPR to properly prepare, conduct and follow up the virtual Annual General Meeting.

You have the right, at any time, to

• Demand information on whether we process your personal data, and if so what data, Art. 15 GDPR,
• Demand the correction, deletion and restriction to processing of your personal data, Art. 16 – 18 GDPR

Please address requests regarding the above to the address stated in Section 1.

Additionally, you have the right to complain to a data protection supervisory authority under Art. 77 EU GDPR.

You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data on the basis of Art. 6 (1) f) GDPR (upholding of legitimate interests).

In that case we will then cease to process it unless we can demonstrate overriding, compelling legitimate interests.

Status: July 2023

Privacy policy for this website

As you visit our website, various data will be collected. The reason is to give you convenient and secure access to our information and offers. We also pursue economic interests that will strengthen both our image and our sales within our website. For reasons of fairness and transparency, we will inform you about this as defined by EU GDPR (EU General Data Protection Regulation) in the following:

1. Responsible for data processing

Who is responsible for the collection of data?

We as a website operator are responsible for the personal data that has been used as you visit our website because we are also responsible for the techniques and for what purpose it is used on our website.

How do we collect your data?

First of all your personal data will be stored when you inform us of your personal data. For example the data you give us as you fill in our form.

Secondly other data will be automatically stored through our IT system as soon as you visit our website. This means in particular technical data (e.g. internet browser, operating system or the time of the page impression). The collection of this data takes place automatically as soon as you enter our website.

What do we use your data for?

Some of the data is collected to ensure an error-free provision of the website. Other data may be used to analyze your user behaviour and to improve our service to you.

What rights do you have regarding to your data?

At any time, you have the right to receive at no charge information about the origin, recipient and purpose of your personal data that has been stored. You also have the right to demand the correction, suspension or deletion of your data. Furthermore you have the right to complain to the responsible authority. For more information and privacy, you can always contact us at the address provided in the imprint.

SSL or TLS encryption

This website uses SSL or TLS encryption for security purposes and to protect the transmission of confidential content, such as orders or requests you send to us as the website operator. An encrypted

connection is indicated by the browser’s address bar switching from “http: //” to “https: //” and the lock icon in your browser bar. Data that you transmit to us cannot be read by third parties.

2. General and mandatory information

The operators of these pages take the protection of your personal data very seriously. When you use our website, various personal data that could identify you as a person will be collected. We treat your personal data (as defined in Art. 4 Para.1 GDPR) confidentially and in accordance to the legal data protection regulations. This privacy policy explains what will be collected through us, for what use and purpose.

We point out that the transfer of data on the internet, even with the best possible security (e.g. through communication by e-mail) may have security vulnerabilities. Complete protection against access to your personal data by third parties is impossible.

Note to the responsible contact

The responsible contact (Art. 4 Para.7 GDPR) for data processing on this website can be found in the imprint.

3. Your contact to our Data Protection Officer

We have set up www.mb-datenschutz.de as Data Protection Officer. Please contact the Data Protection Department via e-mail: datenschutz@polis.de

4. Data collection on our website

Cookies

Our website uses so-called cookies. These are necessary to make our offer more user-friendly, effective and secure. Cookies are small text files that are stored in the browser on your device. Cookies do not harm your computer nor contain viruses. Most of the cookies we use are so-called “session cookies”. They are automatically deleted after your visit. Other cookies remain on your device until they are deleted by you. These cookies enable us to recognize your browser the next time you visit our website and to apply the settings you yourself have made.

You can set up your browser in such a way that you are informed about the setting of cookies and that you only allow the acceptance of cookies for certain cases or in general, as well as activate the automatic deletion of cookies when closing the browser.

If you deactivate those cookies, the function of this website may be restricted. Cookies that are required for the electronic communication process are based on Art. 6 Para. 1 lit. f GDPR. The website operator’s legitimate interest in storing those cookies is based on technical error-free and optimized provision of its services. Insofar as other cookies (e.g. to analyze your surfing behaviour) are stored, they are treated separately in this privacy policy.

Server log files

The provider of our website collects and stores information automatically in so-called server log files, which your browser automatically transmits to us. This log file data includes:

• Referrer URL (the web page you are coming from)
• Browser type, browser version and language
• Operating system and its interface
• IP address (anonymized)
• Server request time
• Http status code – access status
• The amount of data transferred
• The storage period is 7 days

This data will not be combined with other data sources.

The legal basis for data processing is Art. 6 Para. 1 lit. f GDPR, which permits the processing of data for the optimal presentation and security of the website based on our legitimate interests, without predominating your interests in an exclusion of the data collection.

5. Visitors interaction with the website

Contact form

If you send us inquiries via the contact form, those details, including the contact details that have been provided by you, will be stored for the purpose of processing the request and in case of follow-up questions.

We do not share this information with third parties without your consent.

The regulation of the processing of the data via the contact form has its legal basis in Art. 6 Para. 1 lit. b GDPR (contract initiation or implementation). Your data will remain with us until you ask us to delete it or the data storage purpose is removed (for example, after the processing of your request has been completed – but only if we do not have to observe any retention periods).

6. Plugins

Google Maps

Our website has an interface with map data from Google Maps. This is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. To use it, your IP address is transmitted to Google servers. Google Maps is used only with your consent (Art. 6 (1) a) GDPR). To obtain your consent prior to transmission, there is a plugin installed on our website.  This means the “iframes” for Google Maps are blocked and equipped with an automatic button. Your IP address is not transmitted and Google Maps is not ready for use until this button is activated. For more information on how user data is handled, please refer to Google’s privacy policy: https://policies.google.com/privacy.

Wordfence (Security Plugin)

The security plugin Wordfence is used on this website. Wordfence is provided by the company Defiant Inc., 800 5th Ave., Suite 4100, Seattle, WA 98104, USA.
Our company uses Wordfence for protection against viruses, malware and attacks. To continue protecting our website against brute-force and DDoS attacks or comment spam, IP addresses identified as problematic are saved and queried on our servers and on the Wordfence servers.
Protecting our website and your data constitutes a legitimate interest within the meaning of the legal basis of Art. 6 (1) f GDPR.
Our company has concluded a Data Processing Agreement with Defiant / Wordfence in accordance with Art. 28 GDPR.
Further data protection information from Defiant is available here: https://www.wordfence.com/privacy-policy/

7.  What rights do you have under EU GDPR?

The aim of EU GDPR is to assure you, as the data subject, the greatest possible control over your personal data. Personal means all data that is directly or indirectly available to you as a person. In order for you to exercise effective control over your data, you have the following rights:

• The right to information under Article 15 of EUGDPR,
• The right to make corrections under Article 16 of EU GDPR,
• The right to cancellation under Article 17 EU GDPR,
• The right to restriction of processing under Article 18 of EU GDPR
• The right to object under Article 21 EU GDPR.

In addition, you have the right to appeal against us at a data protection supervisory authority under Article 77 of EU GDPR if you believe that we are processing your data unlawfully. A list of all supervisory authorities can be found here: www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links- node.html

The right to data portability according to Art. 20 EU GDPR is only relevant when you visit our website, if you have the option to create a profile (e.g. applicant profile, member profile, etc.) or to enter the corresponding information about yourself.

Status: August 2020

Information about the gathering of personal data in the context of the lease contract

POLIS is responsible for the processing of your personal and individual data and has the obligation to inform you as a result of the new EU General Data Protection Regulation (EU GDPR).Therefore and according to Art. 13 EU GDPR we inform you about the following points:

1.  Responsible for data processing

For further information about the responsible body for data processing on this website, please refer to the imprint.

2.  Contact details for our data protection officer

datenschutz@polis.de

www.mb-datenschutz.de

3. Purpose of the processing of your personal data

Arranging and establishing a lease agreement, tenant management incl. risk monitoring, maintenance of rental properties, removal of defects, satisfaction surveys, property inspections, property monitoring if necessary and video surveillance if available.

4. Legal basis for the processing of tenant data

EU GDPR Art. 6 Para.1 a) allows us on the basis of your consent to process your personal data for specific purposes, e.g. our tenant surveys in the context of our quality management

• EU GDPR Art. 6 Para. 1 b) includes data processing that is necessary for the implementation of a contract and for pre-contractual measures.
• EU GDPR Art. 6 Para. 1 c) allows us to process your personal data based on a legal obligation, e.g. retention requirements under financial and tax law.
• EU GDPR Art. 6 Para.1 f) allows us to process your personal data as long as POLIS or a third party has a legitimate interest in this processing and as long as your interests, fundamental rights or fundamental freedoms will not be affected, e.g.:
• Video surveillance of our rental properties to secure our property rights and for the maintenance of rental properties
• Obtaining credit reports for establishing lease agreements and for risk monitoring

5. Duration of data storage

Generally: After the purpose of data processing has been eliminated and if the statutory retention periods have been expired, your personal data will be deleted. Companies are obligated to storage those data for 6 up to 10 years.

6. Special storage periods

• Credit reports:
  • Unsuccessful rental requests: immediately after termination of negotiations
  • Tenants as part of our risk monitoring: we always retain the latest information als well as the previous status
• Rental documents for 6 years after the end of the lease
• Accounting documents 10 years
• Video recordings 10 years

If storage is based on your consent, e.g. in newsletters etc., we will delete your personal data as soon as you withdraw your consent.

7. Recipient of your personal data

Only our company’s employees have access to your personal data to the extent they need to perform their duties.

Our appointed service providers may also receive your personal data to perform their duties, only and as long as they fulfil the confidentiality requirements for the same purpose as described above.

These may be companies or persons of the following categories:  property manager, craftsmen, marketing service providers, security service providers, meter reading service …

Your details will be shared with the SCHUFA credit bureau (private and commercial tenants) as part of arranging the lease agreement and in the event of non-contractual or fraudulent behaviour.

Your details will be shared with the CREFO credit bureau (commercial tenants) as part of arranging the lease agreement and in the event of non-contractual or fraudulent behaviour.

Your data will not be passed on any further than the borders of the European Union (EU / EEA).

Information we receive about you from third parties:

Information on your creditworthiness from the Crefo credit bureau. As part of ongoing risk monitoring activities we receive current creditworthiness reports for our top 20 tenants every three months from the Crefo credit bureau.

8. Your privacy rights

Under Article 15 EU GDPR you have the right to receive information about which personal data has been stored, under Article 16 EU GDPR you have the right to have your personal data corrected, under Article 17 EU GDPR you have the right of cancellation of your personal data, under Article 18 EU GDPR you have the right to restrict processing and Article 21 EU GDPR gives you the right to enter an objection. Additionally, you have the right to complain to a data protection supervisory authority under Article 77 EU GDPR.

Status: July 2021

Data protection information on the collection of personal data in the context of applicant management

POLIS is responsible for the processing of your personal and individual data and has the obligation to inform you as a result of the new EU Data Protection Regulation (EU GDPR).

According to Art. 13 & 14 EU GDPR we inform you about the following points:

1. Responsible for data processing

For further information about the responsible body for data processing on this website, please refer to the imprint.

2. Data protection officer / contact person

datenschutz@polis.de

www.mb-datenschutz.de

3. Purposes of processing your personal data

Applicant management.

4. Legal basis for the processing of personal data

Section 26 BDSG (1) covers data processing that is necessary for the establishment, implementation and termination of an employment relationship and for the detection of offences in the employment relationship.

Section 26 BDSG (2) allows us to process your data on the basis of voluntary written consent that is given by you and is revocable at any time in the future. Furthermore you will not be disadvantaged in our employment, e.g. the inclusion of your application documents in our applicant pool.

Section 26 BDSG (3) allows us to process your sensitive data (e.g. health data, trade union membership) to the extent necessary to exercise rights or to fulfil legal obligations under labour law, social security law and social protection and provided your defending interests will not be affected.

Art. 6 Para. 1 f) EU GDPR allows us to process your personal data if we or third parties have legitimate interests in this processing and do not affect your interests, fundamental rights or fundamental freedoms, e.g.:

• Video surveillance of our company premises to exercise our property rights,
• Assertion, exercise or defence of legal claims

5. Duration of data storage

Generally: as soon as the purpose of data processing has been eliminated and the statutory retention periods have expired, your personal data will be deleted. There are retention obligations of 6 or 10 years (if granted) for companies.

Application documents are deleted no later than 6 months after rejection.

If storage is based on your consent, we will delete your personal data if you revoke your consent.

6. Recipients of your personal data

In our company only employees who require your personal data gain access to it to the extent that is necessary to fulfil their duties.

Employed service providers may receive your information for the same purposes as described above if they comply with privacy-related confidentiality requirements. In this case we mean the applicant portal operator.

Public social insurance agencies and the tax offices receive your personal data during the submission of social security contributions and taxes.

The transfer of your data outside the EU/EEA does not take place. Data that we receive from third parties about you:

In the event that you have been referred by a to us by a staffing service as a potential employee, we will receive your application documents from your provider.

7. Your privacy rights

 Under Article 15 EU GDPR you have the right to receive information about which personal data has been stored, under Article 16 EU GDPR you have the right to have your personal data corrected, under Article 17 EU GDPR you have the right of cancellation of your personal data, under Article 18 EU GDPR you have the right to restrict processing and Article 21 EU GDPR gives you the right to enter an objection. Additionally, you have the right to complain to a data protection supervisory authority under Article 77 EU GDPR.

Status: May 2019