Sixt : Information on data protection

DATA PRIVACY INFORMATION FOR SHAREHOLDERS AND SHAREHOLDER REPRESENTATIVES

IN

CONNECTION WITH THE (VIRTUAL) ANNUAL GENERAL MEETING

This data privacy notice informs you which personal data of the shareholders and their authorised representatives Sixt SE processes on the basis of the applicable data protection provisions in connection with preparing, conducting and following-up the virtual Annual General Meeting, and which rights with regard to the processing of personal data the shareholders and their authorised representatives have pursuant to Regulation EU 2016/679 (General Data Protection Regulation - GDPR) and the German Federal Data Protection Act (BDSG). We will be holding the Annual General Meeting on 12 June 2024 on the basis of § 17 (4) of the articles of association of the company as a virtual Annual General Meeting pursuant to section 118a German Stock Corporation Act (AktG) without shareholders or their authorised representatives being physically present at the venue.

The provisions applicable to stock corporations with their registered office in Germany, in particular those of the German Commercial Code (HGB) and the German Stock Corporation Act (AktG), apply to the Company on the basis of the reference provisions in article 5, article 9 (1) lit. c) ii), article 53 as well as article 61 Council Regulation (EC) No 2157/2001 of 8 October 2001 on the Statute for a European company (SE) (SE Regulation), unless otherwise provided for in more specific provisions of the SE Regulation.

1. Controller

The controller within the meaning of art. 4 no. 7 GDPR for processing personal data is

Sixt SE

Zugspitzstraße 1

82049 Pullach, Germany

Sixt SE is represented by the Management Board.

The data protection officer of Sixt SE can be contacted at the above-stated address or via email at: dataprotection@sixt.com

2. Categories of processed personal data

In the context of the virtual Annual General Meeting, Sixt SE processes the following personal data of shareholders and their authorised representatives:

• first name and surname;
• contact details (e.g., place of residence, address, email address, telephone number);
• share-relatedinformation (number of shares, share class, how the shares are held, shareholder number);
• login information for the Investor portal (number of registration confirmation and password);
• other information collected in connection with preparing and conducting the Annual General Meeting (e.g., votings per postal vote, instructions to proxies, granting of powers of attorney, requests for information, motions, nominations, statements or speeches by way of video communication, oppositions, logging request ).

When you visit our Investor portal on the internet, Sixt SE collects further technical data that is automatically transmitted by the browser of the respective shareholder or their representative when using the Investor portal. The following data and device information are logged in the webserver log files:

• data that has been accessed or requested (including the URL used);
• date and time of the access;
• notification whether the request was successful;
• Description of the type of browser used;

• referrer URL (the page visited before accessing our page), if your browser sends such information;
• IP address;
• actions carried out on the Investor portal;
• individual access information and session ID; and
• login and logout with the corresponding time stamp.

To the extent that this personal data has not been provided by the shareholders or their authorised representatives, in particular in the context of registering for the Annual General Meeting, the custodian bank or, with regard to the authorised representatives, the shareholders will also transmit personal data to Sixt SE or to external service providers commissioned by Sixt SE.

3. Purpose and legal basis for processing

1. Preparing, conducting and following-up the virtual Annual General Meeting

We process the personal data in order to prepare, conduct and follow up the virtual Annual General Meeting and to fulfil our legal obligations vis-à-vis shareholders and their authorised representatives in this context, in particular,

• to process the registration and connection of shareholders and their authorised representatives to the virtual Annual General Meeting (e.g., identity check, verifying if they are entitled to exercise shareholder rights and connect via the Investor portal, preparing the list of attendees and making it available for inspection, sending out registration confirmations); and
• to enable the shareholders and their authorised representatives to exercise their rights within the scope of or in connection with the virtual Annual General Meeting (in particular granting and revoking powers of attorney and instructions and exercising voting rights, the rights to make requests for additions to the agenda, the right to make a statement or to speak at the Annual General Meeting as well as the rights to request information and to lodge objections to resolutions of the Annual General Meeting in the manner described in the respective invitation to the Annual General Meeting).

The legal basis for processing is art. 6 (1) point c) GDPR in conjunction with section 67e (1) of the German Stock Corporation Act (AktG) and our duties under stock corporation law as per section 118 et seqq. German Stock Corporation Act (AktG).

The processing of your personal data is required in order to duly conduct the virtual Annual General Meeting. If you do not inform us of the required personal data, we possibly cannot enable you to exercise your shareholder rights and/or to connect to the virtual Annual General Meeting.

In connection with the virtual Annual General Meeting, we may also transmit the personal data to our legal advisors, tax advisors or auditors, as we have a legitimate interest in organising the virtual Annual General Meeting in accordance with the relevant legal regulations and in seeking external advice to this end. The legal basis for this type of processing is art. 6 (1) point f) GDPR.

1. Meeting the statutory notification and publication obligations (in particular notifications of major holdings) and other statutory obligations, in particular retention obligations

Your personal data is also processed in order to meet statutory notification and publication obligations (especially notifications of major holdings). In addition, your personal data may also be processed in order to comply with other statutory obligations, such as regulatory requirements and obligations to retain data under stock corporation, commercial and tax law. The legal basis for this type of processing is art. 6 (1) point c) GDPR in conjunction with the respective statutory provisions.

c) Other purposes of processing

We process your personal data in order to prepare analyses and reports on the shareholder structure. This serves our legitimate interest to analyse the capital structure of the Company as a basis for entrepreneurial decisions. The legal basis for this type of processing is art. 6 (1) point f) GDPR.

4. Cookies and similar technologies

For the Investor portal, we use cookies that are technically essential and device information in web server log files (collectively called cookie functions). Cookies are small files that are placed on your desktop, notebook or mobile device by a website when you access it. It allows us to see, for example, whether there has already been a connection between your device and our Investor portal, which language you prefer and other settings. Cookies may also contain personal data. You can set your browser so that you are informed when a cookie is set and only allow cookies in individual cases or generally exclude or delete them. If you decide against using cookies, some functions on our Investor portal may not be available to you or certain functions may only be available to you to a limited extent.

The cookie functions we apply are used only for the purpose of making the Investor portal available, allowing shareholders to register and be identified and for detecting misuse, troubleshooting and ensuring the virtual Annual General Meeting runs smoothly.

The legal basis for the use of cookie functions, access to the data stored therein and the processing of this personal data is section 25 (2) no. 2 of the Telecommunications Telemedia Data Protection Act (TTDSG), as this is necessary to provide you with the desired access to the Investor portal. It is necessary to further process the personal data collected by means of the cookie functions in order to safeguard our legitimate interest by enabling our shareholders and their authorised representatives to use our Investor portal. The legal basis for this type of processing is art. 6 (1) point f) GDPR.

Whenever we decide to use cookie functions on the Investor portal that are not absolutely necessary for operating the Investor portal, such as function or performance cookies, we will obtain your prior consent.

5. Storage period

We anonymise or erase personal data if it is no longer required for the above-mentioned purposes and does not conflict with statutory duties to retain and store information (e.g., under the German Stock Corporation Act (AktG), the German Commercial Code (HGB), the German Fiscal Code (AO) or other legislation). The storage period for personal data processed in connection with Annual General Meetings usually amounts to up to three years, unless it is necessary in individual cases to process data for a longer period, e.g., in order to process motions, decisions or legal proceedings in connection with the Annual General Meeting or for other reasons.

6. Categories of recipients of the data

Sixt SE engages external service providers for the purpose of preparing, conducting and following-up the Annual General Meeting (in particular, annual general meeting service provider specialists for the registration and organisation of the Annual General Meeting). These service providers only receive such personal data from Sixt SE as is required to carry out the commissioned service and they may only process the data according to the instructions of Sixt SE. In the context of preparing, conducting and following-up the Annual General Meeting, we may also transmit your personal data to our legal advisors, tax advisors or auditors.

In the context of conducting the Annual General Meeting, your personal data may, under certain circumstances, be disclosed to other duly registered shareholders or their authorised representatives

and, where applicable, members of the public visiting the Company's website or watching the publicly accessible video and audio broadcast of the Annual General Meeting (e.g., by granting access to the legally required list of attendees, by publishing on the Company's website the motions or other requests that you have submitted and that are subject to publication, by making statements stating your name accessible on the Investor portal or in connection with other contributions that you make prior to or during the virtual Annual General Meeting via the communication channels described in the invitation to the Annual General Meeting).

Finally, we may be required to disclose your personal data to additional recipients, such as when publishing notifications of major holdings in accordance with the provisions of the German Securities Trading Act (WpHG), or to authorities in order to comply with statutory notification obligations.

Your personal data is processed in countries that belong to the European Union (EU) and the European Economic Area (EEA). Whenever shareholders are from countries outside the EU or EEA (third countries), we will also send information to these shareholders (e.g., invitations to Annual General Meetings). Should these communications also contain personal data (e.g., motions for an Annual General Meeting stating the name of the person submitting the motion), this data will thus also be transmitted to third countries. The provisions of the GDPR do not apply directly in third countries. Unless there is an adequacy decision by the EU Commission, a lower level of protection for your personal data may exist in these third countries. Nevertheless such transmission is necessary in order to inform all shareholders equally, as we are not allowed to exclude shareholders from third countries from our duty to provide information. By transmitting the information we therefore fulfil our contractual obligations. The legal basis for transmitting the data is art. 49 (1) point b) GDPR.

7. Rights of data subjects

With regard to the processing of personal data, shareholders and shareholder representatives may request from Sixt SE, subject to the relevant legal requirements, to provide information pursuant to art. 15 GDPR, rectification pursuant to art. 16 GDPR, erasure pursuant to art. 17 GDPR as well as restriction of processing pursuant to art. 18 GDPR; furthermore, subject to the relevant legal requirements, there is a right to data portability pursuant to art. 20 GDPR. Shareholders and shareholder representatives may assert these rights free of charge vis-à-vis Sixt SE using the contact details provided in section 1.

Insofar as we process your data to protect the legitimate interests of Sixt SE or a third party, you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you (right to object, art. 21 GDPR). In such cases, we will no longer process your personal data unless we are able to demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

In addition, shareholders and shareholder representatives have a right to lodge a complaint with the data protection supervisory authorities pursuant to art. 77 GDPR.