Fresenius Medical Care : Data protection information for shareholders and their proxies

- CONVENIENCE TRANSLATION -

Data protection information for shareholders and their proxies

for the Annual General Meeting on 16 May 2024 of

Fresenius Medical Care AG

Hof (Saale)

ISIN: DE0005785802 // WKN: 578580

ISIN: US3580291066 // CUSIP: 358029106

Fresenius Medical Care AG processes personal data of shareholders and their proxies in con-nection with the general meeting.

You will find below information on the controller and the data protection officer(1.). We also provide you below with the information regarding the processing of personal data(2.) and the rights of data subjects in connection with the processing(3.).

• 1. Controller and data protection officer

• 1.1. Controller

  Fresenius Medical Care AG

  Else-Kröner-Straße 1, 61352 Bad Homburg v. d. Höhe, Germany Tel.: +49 (0) 6172 609 0 e-mail:ir@freseniusmedicalcare.com

  The company is represented by its Management Board.

• 1.2. Data protection officer

  Giovanni Brugugnone c/o Fresenius Medical Care AG

  Else-Kröner-Straße 1, 61352 Bad Homburg v. d. Höhe, Germany

  Data protection officer e-mail:datenschutzbeauftragter@freseniusmedicalcare.com

• 2. Processing of personal data

• 2.1. Personal data and its sources

  Fresenius Medical Care AG will process the following personal data of shareholders and their proxies in connection with the general meeting to enable shareholders and their proxies to exercise their shareholders' rights in relation to the general meeting:

-

surname and first name, address, e-mail address,

• - number of shares, class of shares, type of ownership of the shares,

• - the specific identifier given to the shareholder by the ultimate intermediary, account number of the securities account of the shareholder,

• - ticket number,

• - the login details allocated to the shareholder for the company's password-pro-tected proxy authorization and instruction system,

• - the IP address from which the shareholder or his proxy uses the company's pass-word-protected proxy authorization and instruction system, other log data that is generated for technical reasons when using the password-protected proxy author-ization and instruction system (type and version of the web browser, operating sys-tem used, volume of data transmitted, the Internet page previously visited, page, date and time of access).

• - voting at the general meeting,

• - the content of questions asked by the shareholder, their answers, speeches and any objections to resolutions of the general meeting as well as the content of any requests for supplements to the agenda, countermotions and election proposals,

• - if applicable, the surname, first name and address of the respective proxy author-ized by the shareholder, the granting of proxy authority, including any instructions issued to the proxy, and the proxy's specific identifier issued by the ultimate inter- mediary.

To the extent that this personal data was not provided by the shareholders or their prox-ies in the context of the registration for the general meeting or received during the con-duction of the general meeting (including the usage of the password-protected proxy authorization and instruction system), the bank holding the securities account or the re-spective ultimate intermediary within the meaning of section 67c (3) German Stock Cor-poration Act (Aktiengesetz, AktG) will transmit their personal data to Fresenius Medical Care AG.

The login details assigned to the shareholder for the password-protected proxy authori-zation and instruction system of the company as well as the IP address from which the shareholder or his proxy uses the password-protected proxy authorization and instruc-tion system of the company will be communicated to the company by the service provider commissioned by the company to conduct the general meeting.

2.2. Purpose of processing and legal basis

Fresenius Medical Care AG will process the personal data of the shareholders and their proxies to the extent necessary to process the shareholders' rights exercised by them in connection with the general meeting. The legal basis for this processing is Arti-cle 6 (1) (c) General Data Protection Regulation ("GDPR") (compliance with legal obliga-tions) in conjunction with section 67e (1) AktG.

Fresenius Medical Care AG processes the IP address from which the shareholder or his proxy uses the password-protected proxy authorization and instruction system of the company as well as further log data that is generated for technical reasons when using the password-protected proxy authorization and instruction system of the company, to the extent necessary to provide the password-protected proxy authorization and instruc-tion system of the company and to ensure the security of the IT infrastructure used for this purpose. The legal basis for this processing is Article 6 (1) (c) GDPR (compliance with legal obligations) in conjunction with section 67e (1) AktG and Article 6 (1) (f) GDPR

(balancing of interests). Fresenius Medical Care AG's legitimate interest is to provide the password-protected proxy authorization and instruction system of the company and to ensure the security of the IT infrastructure used for this purpose.

Furthermore, Fresenius Medical Care AG will store personal data of its shareholders and their proxies to the extent that this is necessary to comply with statutory obligations to retain data. The legal basis for this processing is Article 6 (1) (c) GDPR (compliance with legal obligations) in conjunction with the respective statutory obligations to retain data.

Moreover, Fresenius Medical Care AG will possibly continue to store personal data of its shareholders and their proxies to the extent that this is necessary to establish, exercise or defend legal claims. The legal basis for this processing is Article 6 (1) (f) GDPR (bal-ancing of interests). Fresenius Medical Care AG's legitimate interest is to establish, ex- ercise or defend legal claims.

• 2.3. Duration of storage of personal data

  Fresenius Medical Care AG will store this personal data for the above-mentioned pur-poses only for as long as this is necessary for the these purposes.

  The storage period for the above purposes is generally up to three years.

  If a shareholder is no longer a shareholder of the company, Fresenius Medical Care AG will only, subject to other statutory provisions, store his/her personal data only for a max-imum of twelve months on the basis of section 67e (2) sentence 1 AktG.

  Data will only be stored for a longer period on the basis of section 67e (2) sentence 2

  AktG, subject to other statutory provisions, as long as this is necessary for any possible legal proceedings to establish, exercise or defend legal claims. In this case, Fresenius Medical Care AG will store the data until the end of the respective legal proceeding.

  Log data that is generated for technical reasons when using the password-protected proxy authorization and instruction system of the company is stored in so-called log files for a maximum of 7 days, unless a security-related incident occurs (e.g., a DDoS attack).

  In the event of a security-related incident, log files are stored until the security-related incident has been eliminated and fully investigated.

• 2.4. Recipients of personal data

  The following service provider will process the above-mentioned data for the above-men-tioned purposes (as processor) on behalf of Fresenius Medical Care AG:

Computershare Deutschland GmbH & Co. KG Elsenheimerstr. 61, 80687 Munich, Germany

The service provider will only receive personal data from Fresenius Medical Care AG that is required to perform the commissioned service and will process the data exclu-sively in accordance with the instructions of Fresenius Medical Care AG.

Otherwise, general meeting Fresenius Medical Care AG will only make the personal data available to shareholders and their proxies as well as to third parties within the framework of the statutory provisions in connection with the general meeting. In particular, if share-holders and their proxies are to be represented at the general meeting by voting proxies appointed by the company disclosing their name, Fresenius Medical Care AG will enter their names, place of residence, number of shares and type of ownership in the list of attendees of the general meeting to be drawn up pursuant to section 129 (1) sentence 2 AktG. Shareholders and their proxies may inspect this data during the general meeting and shareholders may also inspect it for up to two years later pursuant to section 129 (4)

sentence 2 AktG. With regards to the transfer of personal data to third parties in connec-tion with the announcement of shareholder requests for supplements to the agenda as well as countermotions and election proposals by shareholders, please refer to the ex-planations in section III No. 6 lit. a) and No. 6 lit. b) of the invitation to the general meeting of the company.

If shareholders and/or their proxies make use of their right to information pursuant to section 131 (1) AktG, or otherwise speak, this may be done by stating the name and, if applicable, the place of residence or registered office of the shareholder and/or proxy asking the question. Questions dealt with during the general meeting can only be noted by the other shareholder and their proxies attending the general meeting. In the case of requests for supplements to the agenda pursuant to section 122 (2) AktG and in the case of countermotions and election proposals pursuant to sections 126 (1), 127 AktG, these will be made publicly available as described in more detail under section III No. 6 lit. a) and No. 6 lit. b) of the invitation to the general meeting of the company and, if necessary, put to the vote at the general meeting.

• 2.5. No obligation to provide the data

  Shareholders and their proxies are not obliged to provide Fresenius Medical Care AG with the abovementioned data in connection with the general meeting. The provision of the data is not required by law or by contract. The data is also not required for the con-clusion of a contract. However, the provision of personal data is necessary to exercise shareholders' rights with respect to the general meeting.

  Insofar, if shareholders and their proxies do not provide the data, Fresenius Medical Care AG will not be able to enable them to exercise shareholders' rights in relation to the

  general meeting.

• 2.6. No automated decision-making, including profiling

  Fresenius Medical Care AG will not carry out any automated decision-making, including profiling, pursuant to Article 22 (1) and (4) GDPR on the basis of the personal data.

2.7. Use of technically necessary cookies or web storage objects in the password-pro-tected proxy authorization and instruction system

In order to ensure the secure operation of the password-protected proxy authorization and instruction system and to enable the use of certain functions, technically necessary cookies or web storage objects are used. These are small text files that are stored on the device of the shareholders or their proxies during the use of the password-protected proxy authorization and instruction system. When the password-protected proxy author-ization and instruction system is opened again with the same device, the cookie or web storage object and the information stored in it can be retrieved. Shareholders and their proxies can generally prevent the use of cookies or web storage objects via their browser settings. However, entirely blocking all cookies or web storage objects may eventually mean that the password-protected proxy authorization and instruction system cannot be used.

3.

Rights of data subjects in relation to the processing

The shareholders and their proxies have the following rights with respect to the pro-cessing of their personal data as data subjects:

• - right of access (Article 15 GDPR)

• - right to rectification (Article 16 GDPR)

• - right to erasure ("right to be forgotten") (Article 17 GDPR)

• - right to restriction of processing (Article 18 GDPR)

• - right to data portability (Article 20 GDPR)

• - right to object (Article 21 GDPR)

• - right to withdraw consent (Article 7 (3) GDPR)

The following right to object under Article 21 (1) GDPR is especially highlighted:

Right to object on grounds relating to the data subject's particular situation (Ar- ticle 21 (1) GDPR)

At any time shareholders and their proxies as data subjects have the right pursuant to Article 21 (1) GDPR to object, on grounds relating to their particular situation, to pro- cessing of personal data concerning them which is based on Article 6 (1) (f) GDPR (see clause2.2).

If an objection is raised, Fresenius Medical Care AG will no longer process the personal data unless Fresenius Medical Care AG demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the shareholders and their proxies as data subject or the processing serves the establishment, exercise or defense of legal claims.

Data subjects can contact Fresenius Medical Care AG or its data protection officer using the contact details referred to above in order to exercise their rights. In addition, share-holders and their proxies as data subjects have a right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR). Data subjects can assert this right to lodge a complaint in particular to the supervisory authority of the (federal) state in which they have their residence or habitual residence or the data protection supervisory au-thority of the federal state of Hesse (Hessian Commissioner for Data Protection and

Freedom of Information (Hessischer Beauftragter für Datenschutz und Informationsfrei-heit, HBDI), where Fresenius Medical Care AG has its place of business.

For more information on the General Data Protection Regulation and the rights of data subjects in relation to the processing of their personal data, please refer to the online availableinformation bro-chure (in German only) of the Federal Commissioner for Data Pro-tection and Freedom of Information (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI).