Information about data protection for BASF SE shareholders
Data protection is something BASF SE (hereinafter also referred to as “we”) takes very seriously. As you know, we are legally obligated to maintain a share register. In the following, we will inform you about how we process your personal data when you provide us with personal data for the share register via our website www.basf.com/asm-service, in writing or by email, or if you inform us about changes to your personal data that is stored in the BASF SE share register. We would also like to inform you about your data protection rights (information according to Art. 13 and Art. 14 GDPR).
Information about your personal data that we collect and retain when you visit our website can be found here.
Who is responsible for processing the data?
The controller in accordance with data protection policies is:
67056 Ludwigshafen, Germany
Phone: +49 (621) 60-0
Our Data Protection Officer can be reached by post at the above mailing address (please add “Data Protection Officer Alexandra Haug” as the recipient) or by email at firstname.lastname@example.org
For what purposes and on what legal basis do we process your personal data and where does this data come from?
We process your personal data in accordance with the E.U. General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), the German Stock Corporation Act (Aktiengesetz, AktG) and all other relevant legislation.
BASF SE’s shares are registered shares. According to Section 67 of the German Stock Corporation Act, registered shares are to be recorded in the Company’s share register listing the name, date of birth and address of the shareholder as well as the number of shares held. The shareholder is obligated to provide this information to the Company. Your personal data is therefore in general collected directly from you.
The credit institutions through which you purchase or hold your BASF SE registered shares regularly pass on information to us on your behalf which is relevant for the maintenance of the share register (e.g., also nationality and, where applicable, the sector in which you work). This occurs via Clearstream Banking Frankfurt, the central depositary that carries out the technical settlement of securities transactions and holds the shares on behalf of the credit institutions. If you sell your shares, the new owner’s credit institution will inform us of this.
Prior to the Annual Shareholders’ Meeting of BASF SE, you can inform us via our website about any changes in your address, email address or, if applicable, your proxy and instructions. In these cases, we receive your personal data from the above-mentioned credit institutions and process them exclusively for the purposes of maintaining the share register, communicating with you as a shareholder and conducting the Annual Shareholders’ Meeting and properly paying the dividend in accordance with E.U. sanctions. The legal basis for the processing of your personal data is the German Stock Corporation Act as well as relevant E.U. regulations (e.g. Council Regulation (EU) No 269/2014 of 17 March 2014) in conjunction with Art. 6 (1) c) GDPR.
Via our website you have the possibility to inform us of address changes, e-mail addresses or, if necessary, submit your proxy and instructions to BASF SE prior to the Annual Shareholders’ Meeting.
If you make use of this possibility, we will process the personal data you provide only for the purpose of updating our share register with this information, or of offering you the possibility of issuing or revoking a proxy or of submitting evidence of authorization and of enabling the proxy to exercise the voting right in the Annual Shareholders’ Meeting. The legal basis for processing the personal data are Sections 67e (1), 134 (3) sentence 4 of the German Stock Corporation Act in conjunction with Art. 6 (1) lit. c) GDPR.
Should we want to process your personal data for a purpose not mentioned above, we will inform you in advance in accordance with the statutory provisions.
To which categories of recipients will we potentially pass on your data?
External service providers:
We sometimes use external service providers and credit institutions for the administration and technical management of the share register (share register service company, IT service provider) as well as for processing the Annual Shareholders’ Meeting (annual meeting service provider) and for fulfilling our statutory obligations.
Possible other recipients:
Furthermore, we may transmit your personal data to other recipients, such as public authorities in order to meet statutory disclosure obligations (e.g., when legally defined voting rights thresholds are exceeded) or external law firms to fulfill our statutory obligations or to safeguard our legal interests.
How long will we store your data?
We delete your personal data as soon as it is no longer needed for the abovementioned purposes. However, we may need to store personal data for the period during which claims can be made against our Company (statutory limitation period of three years or as long as 30 years). As a rule, we save your personal data to the extent we are required to do so by law. The obligations to provide and retain supporting documents arise from the German Commercial Code, the German Fiscal Code and the German Money Laundering Act, among others. These establish storage periods of up to 10 years.
How do we transmit data to non-European countries?
We do not intend to transmit your data to a third country outside of the European Economic Area (EEA) or an international organization. In the event that we transmit personal data to service providers outside of the European Economic Area (EEA), the transmission only occurs if the European Commission has confirmed that the third country offers an adequate level of data protection or if other appropriate safeguards (e.g., making use of binding corporate rules on data protection or standard data protection clauses adopted by the European Commission) are in place. Detailed information about this as well as about data protection at our service providers in third countries can be obtained via the contact information listed above.
What rights do you have as a data subject?
Right of rectification: If your personal data is incorrect or incomplete, you have the right to rectification;
Right to deletion: Based on the so-called "right to be forgotten", you can request the deletion of your personal data, unless there is a storage obligation. The right of deletion is not an exclusive right. For example, we have the right to continue processing your personal data if such processing is necessary to comply with our legal obligations or to assert, exercise or defend legal claims;
Right to limit processing: This right includes the right to limit the use or the way in which the data is used. This right is limited to certain cases and exists in particular if: (a) the data is inaccurate; (b) the processing is unlawful and you refuse to delete it; (c) we no longer need the data, but you need the data to assert, exercise or defend legal claims. If the processing is restricted, we may continue to store the data but not use it. We will maintain a list of those who have exercised the right to restrict processing in order to ensure such restriction;
Right to data transferability: This right implies that we transfer your personal data in a structured, common and machine-readable format for your own purposes, as far as technically possible;
Right to information: you have the right to be informed, in clear and easily understandable language, of how we process your personal data.
The exercise of these rights is free of charge for you. You must, however, prove your identity with two factors. We will make reasonable efforts in accordance with our legal obligations to transfer, correct or delete your personal data in our file systems.
To exercise your rights, make a complaint or submit any other requests, please contact us by e-mail or write to us. We will endeavour to reply to you within 30 days.
If we receive a complaint, we will contact the person who made the complaint to investigate the complaint. If we are unable to resolve a complaint immediately, we will cooperate with the authorities, especially the data protection authorities, as necessary.
Do you have a complaint about the handling of your data?
You have the possibility to contact the abovementioned Data Protection Officer or a data protection supervisory authority. The data protection supervisory authority responsible for us is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Hintere Bleiche 34
55116 Mainz, Germany