Mister Spex : Data privacy information for shareholders and their proxies

Convenience Translation

Mister Spex SE

Berlin

ISIN: DE000A3CSAE2

WKN: A3CSAE

Annual General Meeting on 7 June 2024

Data Privacy Information

for Shareholders and their Proxies

Mister Spex SE will process personal data of shareholders and their proxies in connection with the virtual Annual General Meeting.

You will find below information on the party responsible under data protection law ("Controller") and the data protection officer (1.). We also provide you below with the information regarding the processing of personal data (2.) and the rights of data subjects in connection with this processing (3.).

1. Controller and data protection officer

1. Controller
   Mister Spex SE Hermann-Blankenstein-Straße 24 10249 Berlin
   Germany
   Telephone: + 49 (0) 800 810 8090
   Email: datenschutz@misterspex.de
   Mister Spex SE is represented by the members of its Management Board, Dirk Graber and Stephan Schulz-Gohritz.
2. Data protection officer
   Mister Spex SE
   FAO the data protection officer Hermann-Blankenstein-Straße 24 10249 Berlin

Page 1/8

Convenience Translation

Germany

Email: datenschutz@misterspex.de

Please note however that if you use this email address, your messages will not be read solely by our data protection officer. Therefore, if you wish to exchange confidential information with our data protection officer, please first request direct contact to our data protection officer via this email address.

2. Processing of personal data

2.1. Personal data and its sources

Mister Spex SE will process the following personal data of shareholders and their proxies in connection with the virtual Annual General Meeting to enable shareholders and their proxies to exercise their shareholder rights in relation to the virtual Annual General Meeting:

• surname and first name, address, email address,
• number of shares, class of shares, type of ownership of the shares,
• the specific identifier given to the shareholder by the ultimate intermediary, account number of the custody account of the shareholder,
• the access data assigned to the shareholder for the password-protected internet service of the Company,
• the IP address from which the shareholder or the proxy uses the password-protected internet service of the Company, other log data that is generated for technical reasons when using the password-protected internet service of the Company (type and version of web browser, operating system used, volume of data transmitted, page accessed, page previously visited, date and time of access),
• the electronic exercise of voting rights and the content of votes cast by electronic absentee ballot,
• the participation in the virtual Annual General Meeting and following the complete transmission of the virtual Annual General Meeting in video and audio,
• the content of questions asked by means of video communication and the content of their answers, as well as the content of statements submitted by means of electronic communication,

Page 2/8

Convenience Translation

• the exercise of the right to speak and the right to information as well as the submission of motions and election proposals by means of video communication (in particular image and sound data) and the electronic possibility of lodging objections against resolutions of the Annual General Meeting,
• communication data of the shareholder to check the functionality of the video communication (in particular IP address, image and sound data if applicable),
• if applicable, the surname, first name and address of the proxy appointed by the relevant shareholder, the granting of power of attorney to the proxy, including any voting instructions, and their specific identifier given by the ultimate intermediary.

If this personal data has not been provided by the shareholders when registering for the virtual Annual General Meeting or received during conducting the virtual Annual General Meeting including the use of the password-protected internet service, their depositary bank or their ultimate intermediary within the meaning of section 67c(3) of the German Stock Corporation Act (Aktiengesetz, AktG) ("German Stock Corporation Act") will send their personal data to Mister Spex SE. The access data assigned to the shareholder for the password-protected internet service of the Company as well as the IP address from which the shareholder or the proxy uses the password-protected internet service of the Company shall be communicated to the Company by the service provider commissioned by the Company to conduct the virtual Annual General Meeting.

2.2. Purpose of processing and legal basis

Mister Spex SE will process the data of the shareholders and their proxies to the extent necessary to process the shareholder rights exercised by them in connection with the virtual Annual General Meeting. The legal basis for this processing is Article 6(1) lit. c) of the General Data Protection Regulation ("GDPR") in conjunction with section 67e(1) of the German Stock Corporation Act (compliance with legal obligations).

Mister Spex SE will process the IP address from which the shareholder or the proxy uses the password-protected internet service of the Company, as well as other log data that is generated for technical reasons when using the password- protected internet service of the Company, to the extent necessary to provide the password-protected internet service of the Company and to ensure the security of the IT infrastructure used for this purpose. The legal basis for this processing is Article 6(1)(c) GDPR (compliance with legal obligations) in conjunction with Section 67e(1) of the German Stock Corporation Act and Article 6(1)(f) GDPR

Page 3/8

Convenience Translation

(balancing of interests). The legitimate interest of Mister Spex SE is the provision of the password-protected internet service of the Company and the guarantee of the security of the IT infrastructure used for this purpose.

Furthermore, Mister Spex SE will store personal data of its shareholders and proxies to the extent that this is necessary to comply with statutory obligations to retain data. The legal basis for this processing is Article 6(1)(c) GDPR in conjunction with section 67e(2) of the German Stock Corporation Act (compliance with legal obligations) in connection with the respective statutory retention obligations.

Moreover, Mister Spex SE will possibly continue to store personal data of its shareholders and proxies to the extent that this is necessary to establish, exercise or defend legal claims. The legal basis for this processing is Article 6(1)(f) GDPR (balancing of interests). Mister Spex AG's legitimate interest is to establish, exercise or defend legal claims.

2.3. How long do we keep your personal data?

Mister Spex SE will store this personal data for the above purposes only for as long as this is necessary for the above purposes.

Log data that is technically generated when using the password-protected internet service of the Company is stored in so-called log files for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack). In the event of a security-relevant event, log files are stored until the security- relevant event has been eliminated and fully clarified.

Otherwise, the storage period for the aforementioned purposes is regularly up to three years.

If a shareholder is no longer a shareholder of the Company, Mister Spex SE will only store his or her personal data for a maximum of twelve months on the basis of section 67e(2) sentence 1 of the German Stock Corporation Act and subject to other statutory provisions.

Data will only be stored for a longer period on the basis of section 67e(2) sentence 2 of the German Stock Corporation Act and subject to other statutory provisions as long as this is necessary for any possible legal proceedings to establish, exercise or defend legal claims. In this case, Mister Spex SE will store the data until the end of the legal proceedings.

Page 4/8

Convenience Translation

2.4. Who else receives your personal data?

The following service provider will process the above data for the above purposes on behalf of Mister Spex SE (as "processor"):

Better Orange IR & HV AG Haidelweg 48

81241 München Germany

The service provider will only receive personal data from Mister Spex SE that is required to perform the commissioned service and will process the data exclusively in accordance with Mister Spex SE's instructions.

Otherwise, Mister Spex SE will only make the personal data available to shareholders and their proxies as well as to third parties in connection with the virtual Annual General Meeting within the framework of the statutory provisions. In particular, if shareholders and their proxies are to be represented at the virtual Annual General Meeting by a proxy appointed by the Company disclosing their name, Mister Spex SE will enter their names, place of residence, number of shares and type of ownership in the list of attendees of the Annual General Meeting to be drawn up in accordance with section 129(1) sentence 2 of the German Stock Corporation Act. All shareholders who are electronically connected to the virtual Annual General Meeting and their proxies can view this data on the password-protected internet service during the virtual Annual General Meeting and shareholders may also inspect it up to two years later pursuant to section 129(4) sentence 2 of the German Stock Corporation Act. With regard to the transfer of personal data to third parties in connection with the announcement of shareholder requests for additions to the agenda, statements submitted as well as countermotions and election proposals by shareholders, please refer to the explanations in Part VI.no. 7 of the invitation to the virtual Annual General Meeting on 7 June 2024.

If shareholders or their proxies make use of their right to request information pursuant to section 131(1) of the German Stock Corporation Act or otherwise speak, this might be done by stating the name and, if applicable, the place of residence or registered office of the shareholder asking the question and/or his*her proxy. Requests for information and other requests to speak can only be acknowledged by other participants in the virtual Annual General Meeting. Pursuant to Section 130a(3) of the German Stock Corporation Act, comments submitted will be made available to other users of the password-protected internet service as described in Part VI.no. 7 of the invitation to the virtual Annual General Meeting. In the case of requests for supplements pursuant to Art. 56 sentence 2 and sentence 3 SE Regulation, Section 50(2) SEAG, Section 122(2) of the

Page 5/8

Convenience Translation

German Stock Corporation Act and in the case of countermotions and election proposals pursuant to Sections 126(1), 127 of the German Stock Corporation Act, these will be made publicly accessible as explained in more detail in Part VI.no. 7 of the invitation to the virtual Annual General Meeting and, if applicable, be proposed for voting in the virtual Annual General Meeting.

1. No transfer of personal data to third countries
   Mister Spex SE will not transfer the personal data processed in the context of the virtual Annual General Meeting to countries outside the European Union or the European Economic Area ("third countries").
2. No obligation to provide the data
   Shareholders and their proxies are not obliged to provide Mister Spex SE with the abovementioned data in connection with the Annual General Meeting. Provision of the data is not required by law or by contract. The data is also not required for the conclusion of a contract. However, the provision of personal data is absolutely necessary to exercise shareholder rights with respect to the Annual General Meeting.
   Insofar, if shareholders and their proxies do not provide the data, Mister Spex SE will not be able to enable them to exercise shareholder rights in relation to the Annual General Meeting.
3. No automated decision-making, including profiling
   Mister Spex SE will not carry out any automated decision-making, including profiling, on the basis of the personal data pursuant to Article 22(1) and (4) GDPR.
4. Use of technically necessary cookies for the password-protected internet service
   In order to ensure the secure operation of the password-protected internet service and to enable the use of certain functions, technically essential cookies are used. These are small text files that are stored on the end device of shareholders or their proxies when they use the internet service. When the internet service is called up again with the same terminal device, the cookie and the information stored in it can be retrieved. Shareholders and their proxies can generally prevent the use of cookies via their browser settings. However, completely blocking all cookies may mean that the password-protected internet service cannot be used under certain circumstances.

Page 6/8

Convenience Translation

3. Rights of data subjects in relation to the processing

The shareholders and their proxies have the following rights with respect to the processing of their personal data:

• right of access (Article 15 GDPR)
• right to rectification (Article 16 GDPR)
• right to erasure ("right to be forgotten") (Article 17 GDPR)
• right to restriction of processing (Article 18 GDPR)
• right to data portability (Article 20 GDPR)
• right to object (Article 21 GDPR)
• right to withdraw consent (Article 7(3) GDPR)

The following right to object under Article 21(1) GDPR is especially highlighted:

Right to object on grounds relating to the data subject's particular situation (Article 21(1) GDPR)

Shareholders and their proxies have the right as data subjects pursuant to Article 21(1) GDPR to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Article 6(1) lit. f) GDPR (see clause 2.2.).

If an objection is raised, Mister Spex SE will no longer process the personal data unless Mister Spex SE demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the shareholders and their proxies as data subject or for the establishment, exercise or defense of legal claims.

Data subjects can contact Mister Spex SE or its data protection officer using the contact details referred to above in order to exercise their rights. In addition, shareholders and their proxies have a right to appeal to a data protection supervisory authority (Article 77 GDPR). Data subjects can assert this right to appeal in particular to the supervisory authority of the (federal) state in which they have their domicile or permanent residence or the data protection supervisory authority for the nonpublic sector of the federal state of Berlin (Berliner Beauftragte für Datenschutz und Informationsfreiheit), where Mister Spex SE has its registered office.

Page 7/8

Convenience Translation

For more information on the General Data Protection Regulation and the rights of data subjects in relation to theprocessing of their personal data, please refer to the online information brochure (in German only) of the Federal Commissioner for Data Protection and Freedom of Information(Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI)).

Page 8/8