Data privacy information for TUI AG shareholders
From 25 May 2018, new data privacy rules will apply as the EU General Data Protection Regulation will take effect. One of the core goals is to ensure transparency in data processing. We take data privacy for our shareholders very seriously. The following information is intended to already explain to you how TUI AG processes your personal data and what your rights are under data privacy law.
Who is responsible for processing the data?
Should you have any questions regarding this information, please do not hesitate to contact our Data Protection Officer. You may contact him by mail at the address shown above or by e-mail at: firstname.lastname@example.org.
For what purposes and on which legal basis is your data processed? Who do we receive what data from?
We process your personal data taking account of the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), the German Stock Corporation Act (AktG) and all other relevant legislation.
TUI AG shares are registered shares. In accordance with section 67 of the German Stock Corporation Act (AktG), registered shares have to be entered in the company’s share register stating the name, date of birth and address of the shareholder, as well as the number of shares or share number. The shareholder is generally obligated to provide that information to the company. The credit institutions participating in the acquisition or custodianship of your TUI AG registered shares regularly provide the company with the necessary information to maintain the share register (alongside the data mentioned above, this includes information on your nationality, gender and remitting bank) to us via Clearstream Banking Frankfurt, the central depository in charge of the technical execution of securities transactions and custody of the shares for the credit institutions. If you sell your shares, we also get notified via Clearstream Banking Frankfurt.
We use your personal data for the purposes set out in the German Stock Corporation Act. These include in particular maintaining the share register, communicating with you as shareholders and convening Annual General Meetings.
We also use your data for purposes consistent with the purposes outlined above (in particular to create statistics, e.g. for the presentation of the development of the shareholder structure, the number of transactions or composition of the largest shareholders). The legal basis for the processing of your personal data is the German Stock Corporation Act (AktG) in combination with Art. 6 (1) lit. c and Art. 4 GDPR.
We may also process your personal data to comply with other legal obligations, e.g. regulatory requirements or retention obligations under the German Stock Corporation Act, commercial law or tax law. In order to comply with requirements of the German Stock Corporation Act, we are, for instance, required to verifiably record the data serving as evidence of proxy authorisation in authorising the proxies designated by the company for the Annual General Meeting. In that case, the legal bases for the processing of the data are the relevant statutory regulations and Art. 6 (1) lit. c GDPR.
In individual cases, we also process your data for the purposes of our legitimate interests in accordance with Art. 6 (1) lit. f GDPR. This is the case, for instance, if we have to exclude individual shareholders from the information about subscription offers in the event of a capital increase due to their nationality or place of residence in order to comply with securities regulations applicable in such non-European countries, or transfer information on our shareholders’ nationality to the national aviation authorities for the air operating certificates of the Group’s airlines.
Should we wish to process your personal data for a purpose not mentioned previously, we shall inform you in advance in the framework of the statutory provisions.
To what categories of recipients will we pass your data on, if necessary?
External service providers:
We use the services of a number of external service providers to manage and technically maintain the share register (share register service company, IT service provider) and to carry out Annual General Meetings (AGM service providers, service providers for printing and dispatch of shareholder communications).
If you take part in the Annual General Meeting, other TUI AG shareholders may inspect the personal data relating to you in the list of participants in accordance with section 129 of the German Stock Corporation Act (AktG). We may also be obliged to transfer your personal data to other recipients, e.g. authorities, in order to meet statutory notification requirements. (e.g. if legally statutory thresholds are exceeded).
For how long do we store your data?
As a matter of principle, we anonymise or delete your personal data as soon as we no longer need it for the purposes listed above, unless we are obliged to retain the data under statutory evidence preservation or retention requirements (e.g. under the German Stock Corporation Act, the German Commercial Code or Fiscal Code). The data captured in connection with Annual General Meetings regularly may be stored for up to three years.
We regularly have to retain the data stored in the share register for ten years after selling the shares. Apart from that, we only store personal data in individual cases in which this is required in connection with claims issued against our company (statutory limitation period of up to thirty years).
How do we transfer data outside the European Economic Area ?
Should we transfer any personal data to service providers outside the European Economic Area (EEA), we will only do so if the EU Commission has confirmed that an appropriate level of data protection exist in the third country or if other appropriate data privacy guarantees (e.g. binding corporate data privacy rules or an agreement to apply the standard data protection clauses adopted by the EU Commission) exist.
What are your data privacy rights?
At the address listed above, you can request information on the stored data relating to your person. You can also request deletion of your data or a restriction of processing under certain circumstances (e.g. if your data is being unlawfully processed).
Right of objection: If we process your data for legitimate purposes, you may object to this processing at the address shown on page 1 if your personal situation gives rise to any specific grounds to the contrary. We will then terminate the processing unless we can invoke overriding and legitimate own interests.
Do you want to complain about the handling of your data?
You may contact our Data Protection Officer at:
Data Protection Officer
Alternatively, you may contact the data protection supervisory authority. TUI AG’s competent data protection supervisory authority is:
The Data Protection Commissioner for Lower Saxony
Status of this information: As of May 2018
If any relevant changes are made regarding this information, we will inform you again if necessary.