Q beyond : Information about data protection for shareholders and their representatives

Information for shareholders and their representatives

on data protection pursuant to Art. 13, 14 GDPR

This data protection notice informs you about the processing of your personal data by q.beyond AG in connection with your position as a shareholder or shareholder representative and the rights to which you are entitled under data protection law.

Who is the data processing controller?

The data processing controller is q.beyond AG, Richard-Byrd-Straße 4, 50829 Cologne, e- mail: info@qbeyond.de, Tel.: +49 221 669-8000.

The data protection officer of q.beyond AG can be reached at Datenschutzbeauftragter der q.beyond AG c/o migosens GmbH, Wiesenstr. 35, 45473 Mülheim an der Ruhr, e-mail: datenschutzbeauftragter@qbeyond.de.

For what purposes and on what legal basis are the data processed?

q.beyond AG processes your personal data in accordance with the provisions of the EU General Data Protection Regulation ("GDPR"), the German Federal Data Protection Act ("BDSG") and the German Companies Act ("AktG") as well as all other relevant legal provisions.

The shares of q.beyond AG are no-par value registered shares. Section 67 AktG stipulates that such shares must be entered in the Company's share register, stating the name, date of birth and a postal address as well as an electronic address of the shareholder and the number of shares or the share number. The shareholder is generally obliged to provide the Company with this information. If you do not agree to provide this information, you cannot be entered in the share register and cannot exercise your rights as a shareholder. The intermediaries involved in the acquisition, custody or sale of your shares (e.g. credit institutions) regularly forward this information as well as other information relevant for the maintenance of the share register (e.g. nationality, gender and submitting bank) to the share register on your behalf. This is done via Clearstream Banking AG, Frankfurt am Main, which, as central securities depository, carries out the technical settlement of securities transactions and the safekeeping of shares for the intermediaries (e.g. credit institutions).

q.beyond AG processes your personal data for the purposes stipulated in the German Companies Act. This includes keeping the share register, communicating with shareholders and handling annual general meetings. The access data for the password-protected AGM portal is also processed.

In connection with the Annual General Meeting, q.beyond AG processes your personal data for the purpose of processing the registration and participation of the shareholders in the Annual General Meeting (e.g. checking the right to participate) and to enable the shareholders to exercise their rights within the framework of the Annual General Meeting (including the granting, revocation and verification of proxies and instructions). Without the provision of the relevant data, your participation in the Annual General Meeting and the exercise of voting rights and other meeting-related rights is not possible. This includes the following processing operations:

Within the scope of a shareholder's registration for the Annual General Meeting, q.beyond AG processes the required data stored in the share register as well as the data provided by the shareholder or transmitted by the shareholder's custodian bank for this purpose (in particular first names and surnames, place of residence or address, e-mail address, number of shares, class of shares, admission ticket number and type of ownership).

1

Insofar as the participation in the Annual General Meeting is carried out by a proxy, q.beyond AG processes the personal data of the shareholder specified in the granting of the power of attorney as well as the first and last name, place of residence or address and e-mail address of the proxy. In the event that power of attorney and instructions are issued to the proxies appointed by q.beyond AG, the instructions issued are also processed and the declaration of power of attorney is recorded by the Company in a verifiable manner for three years.

In accordance with Section 129 AktG, a list of participants with the following personal data is kept at the Annual General Meeting: admission ticket number, first name and surname as well as place of residence of the attending or represented shareholder and if applicable the shareholder's representative, number of shares, class of shares, number of voting rights and type of ownership.

If a shareholder requests that items be placed on the agenda, q.beyond AG will publish these items, stating the name of the shareholder, on condition that the requirements under the provisions of the German Companies Act are met. Likewise, q.beyond AG will make countermotions and election proposals by shareholders available on the website of q.beyond AG, stating the name of the shareholder, if the requirements under the provisions of the German Companies Act are met (Sections 122 (2), 126 (1), 127 AktG).

In addition to processing within the scope of maintaining the share register and conducting the Annual General Meeting, q.beyond AG also processes your personal data to fulfil other legal obligations, such as regulatory requirements and obligations to retain data under companies, commercial and tax law.

The legal basis for the data processing operations described above is in each case Section 67e AktG in conjunction with Art. 6 (1) Subparagraph 1 lit. c) GDPR.

In individual cases, the Company may also process your data to protect the legitimate interests of the Company or a third party in accordance with Art. 6 (1) Subparagraph 1 lit. f) GDPR.

This is the case, for example, if q.beyond AG has to exclude individual shareholders or groups of shareholders from information on subscription offers due to their nationality or place of residence, for example in the case of increases in capital, so as not to violate legal regulations in certain countries. In addition, we use your personal data to compile internal statistics (e.g. for the presentation of shareholder development, number of transactions or for overviews of the largest shareholders). In the AGM portal, you can voluntarily choose to have the AGM invitation with agenda sent to your e-mail address. In this case, we will process your e-mail address in order to store it in the file register and send you the AGM invitation and agenda by e-mail in the future. The legal basis for this is your consent pursuant to Art. 6 (1) lit. a) GDPR. You can revoke this consent at any time without giving reasons with effect for the future by contacting us at the above address.

If we intend to process your personal data for another purpose, we will inform you in advance in accordance with the statutory provisions.

We do not use any purely automated decision-making procedures pursuant to Article 22 GDPR or profiling.

We use cookies to ensure the operation of the AGM portal.

Cookies are small text files that are placed on your end device when you access a website. We only use cookies that are necessary for the use of the AGM portal and are deleted when the browser is closed (so-called "session cookies").

2

The following cookies are used when operating the AGM portal:

	Cookie			Description			Storage period			Classification
	PHPSessionID		Standard session			Deletion by closing		Required
				identification for PHP			the browser

You can prevent cookies from being set by configuring your Internet browser so that it does not allow such text files to be saved on your end device. Please note that blocking all cookies may hinder the smooth operation of the AGM portal. Without the use of cookies, some functions and applications of the AGM portal may not be available or certain pages may not be displayed.

In addition, we store information in our server log files that your browser automatically transmits to us for technical reasons. These are

• Name of the retrieved file,
• Date and time of access,
• Amount of data transferred,
• Notification of whether the retrieval was successful,
• Description of the type of web browser used,
• Referrer URL (the previously visited page),
• Host name of the accessing computer (IP address)

All data collected via cookies, device identifiers and similar procedures are always used by us in anonymised form and are not merged with customer or profile data stored by us.

To which categories of recipients will your data be passed on, if any?

In the following, we inform you about the categories of recipients to whom we pass on your personal data:

External service providers: For the administration and technical management of the share register as well as for the organisation of the Annual General Meeting (including the production of video and audio recordings), we use external service providers who process your personal data according to our instructions in accordance with Art. 28 GDPR.

Shareholders/third parties: Within the scope of the statutory right to inspect the list of participants in the Annual General Meeting, shareholders may, upon request, inspect the data that may have been recorded about them in the list of participants for up to two years after the Annual General Meeting. The list of participants will also be made available to all participants at the Annual General Meeting. Your personal data will be published in accordance with the statutory provisions in the context of requests for additions to the agenda, countermotions or election proposals that require publication.

Other recipients: Within the framework of legal regulations, we may be obliged to transmit your personal data to further recipients, such as authorities and courts (e.g. in the case of the publication of notifications of voting rights in accordance with the provisions of the Securities Trading Act and the notification to authorities for the fulfilment of legal notification obligations).

It is not intended to transfer personal data to a recipient in a third country (countries outside the European Union and the European Economic Area). If we wish to transfer your personal data to a third country, you will receive separate information about this beforehand.

3

For how long are your personal data stored?

In principle, we delete or anonymise your personal data as soon as and insofar as it is no longer required for the aforementioned purposes, unless statutory obligations to provide proof and/or to retain data (in accordance with the German Companies Act, the German Commercial Code, the German Fiscal Code or other legal provisions) oblige us to continue to store it. Data in connection with annual general meetings are regularly deleted or anonymised after three years. The data stored in the share register is regularly retained for ten (10) years after the sale of the shares. Beyond this, we only retain personal data if this is necessary in individual cases in connection with claims asserted against q.beyond AG or on the part of q.beyond AG (statutory limitation period of up to 30 years).

Which rights do you have?

Insofar as we process personal data relating to you, you are entitled to the following rights with regard to the processing of your personal data under the statutory conditions:

• Right to information about the data stored by q.beyond AG about you (Art. 15 GDPR);
• Right to rectification of incorrect data stored about you (Art. 16 GDPR);
• Right to have your data deleted, in particular if it is no longer necessary for the purposes for which it was originally collected (Art. 17 GDPR);
• Right to restriction of processing (blocking), in particular if the processing of your data is unlawful or the accuracy of your data is contested by you (Art. 18 GDPR);
• Right to object to the processing of your data, insofar as the processing is carried out solely to safeguard the legitimate interests of the Company (Art. 21 GDPR);
• Right to lodge a complaint: for complaints regarding the processing of your personal data, our data protection officer is available at the contact details provided. Independently of this, you have the right to lodge a complaint with the competent data protection authority.

4