LEG Immobilien : Data protection information

APPENDIX 1

Data protection information for shareholders and shareholder representatives of LEG Immobilien

SE

On 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, "GDPR") and new German data protection regulations came into force. Among other things, the GDPR provides for information obligations in connection with the collection of personal data (transparency of data processing).

We take data protection for our shareholders very seriously and would like to inform you with the following information about the processing of your personal data by LEG Immobilien SE (the "Company") and the rights to which you are entitled under data protection law.

1. Who is responsible for data processing?
   LEG Immobilien SE Flughafenstraße 99 40474 Düsseldorf Phone 02 11/45 68-0 Fax 02 11/45 68-308
   E-mailinfo@leg-wohnen.de
   The central point of contact for data protection matters is the LEG Group's Data Protection Management, Flughafenstraße 99, 40474 Düsseldorf, e-mailprivacy@leg-wohnen.de.
   The contact person for personal data protection matters and for the supervisory authorities is the LEG Group's Data Protection Officer, Flughafenstraße 99, 40474 Düsseldorf,
   Telephone +49 (0)211/74 07 40-77,e-maildatenschutz@leg-wohnen.de.
2. What categories of data are processed?
   In connection with the handling of Annual General Meetings, the company processes personal data (in particular the name, address, electronic address and other contact details of the shareholder, number of shares, type of ownership of the share, access data for the access-protected InvestorPortal, admission ticket number if applicable, name, address and access data and admission ticket number if applicable of the shareholder representative authorised by the respective shareholder) on the basis of the applicable data protection regulations. In addition to shareholders' personal data stored in the Company's share register, the Company processes data provided by shareholders when registering for the Annual General Meeting or transmitted to the Company by the custodian banks on behalf of shareholders for this purpose (in particular authorisations, instructions, votes cast by postal vote or objections to the minutes of the Annual General Meeting).
   When you visit our InvestorPortal on the Internet, we collect data about access to our InvestorPortal. The following data and device information are logged in the web server log files:

1. Retrieved or requested data; o Date and time of retrieval;
   o Message indicating whether the call was successful; o Type of web browser and operating system used; o Referrer URL (the previously visited page);
   o IP address;
   o Shareholder number and session ID; o Login.

Your browser automatically transmits this data to us when you visit our InvestorPortal.

3. For what purposes and on what legal basis is your data processed? From whom does the Company receive which data?

We process your personal data in compliance with the GDPR, the German Federal Data Protection Act (BDSG), the German Stock Corporation Act (AktG) and all other relevant legal provisions.

The Company's shares are registered shares. Section 67 AktG stipulates that registered shares must be entered in the Company's share register, stating the name, date of birth, address of the shareholder, electronic address and the number of shares or share number. The shareholder is generally obliged to provide the Company with this information. The credit institutions involved in the acquisition or custody of your registered shares in the Company regularly forward the information relevant for maintaining the share register (including, for example, nationality, gender and submitting bank) to the share register on your behalf. This is done via Clearstream Banking AG, Frankfurt, which, as the central securities depository, carries out the technical processing of securities transactions and the safekeeping of shares for the banks. If your shares are sold, we will also be informed of this via Clearstream Banking AG, Frankfurt.

The company uses your personal data for the purposes provided for in the German Stock Corporation Act. These are, in particular, the maintenance of the share register, communication with the custodian banks and shareholders as well as various processes in connection with the organisation of Annual General Meetings (e.g. transmission of access data and information for the Annual General Meeting, identification of shareholders for the processing of enquiries, registration for the Annual General Meeting, documentation of the right to participate and preparation of the list of participants).

Section 67 para. 6 sentence 4 AktG stipulates that the data entered in the share register may only be used to advertise the Company if the shareholder does not object. Shareholders must be informed of their right to object in an appropriate manner (Section 67 para. 6 sentence 5 AktG). The Company fulfils this obligation by, among other things, providing the information on the right to object contained in section 8 of this information. In the event that the data entered in the share register is used to advertise the Company, the processing is carried out on the basis of Art. 6 para. 1 lit. f) GDPR.

Page 2 from 7

In addition, we may use your data for purposes that are compatible with these purposes (in particular to compile statistics, e.g. for the presentation of shareholder development, number of transactions, or for overviews of the largest shareholders). In addition, we also process your personal data to fulfil other legal obligations, e.g. regulatory requirements and retention obligations under stock corporation, commercial and tax law.

The legal basis for the processing of your personal data by the Company is the German Stock Corporation Act in conjunction with Art. 6 para. 1 lit. c) GDPR. In this respect, the GDPR expressly provides that the processing of personal data is also justified on the basis of special legal obligations (outside the GDPR).

In individual cases, the Company may also process your data to protect the legitimate interests of the Company or a third party in accordance with Art. 6 para. 1 lit. f) GDPR. A legitimate interest of the Company exists, for example, if we have to exclude individual shareholders or groups of shareholders from the information on subscription offers in the event of capital increases due to their nationality or place of residence in order not to violate the legal provisions of certain countries. For information on the right to object to the processing of data to protect legitimate interests, see section 7 below.

In connection with the organisation of Annual General Meetings, the Company processes personal data as described above on the basis of the applicable data protection regulations.

The processing of personal data in connection with Annual General Meetings is carried out for the purpose of processing the registration and participation of shareholders in the Annual General Meeting (e.g. checking the right to participate) and enabling shareholders to exercise their rights at the Annual General Meeting (including registration and the granting and revocation of proxies).

When authorising the proxies nominated by the Company for the Annual General Meeting, the declaration of authorisation must be verifiably recorded by the Company and stored for three years in an access-protected manner (Section 134 para. 3 sentence 5 AktG).

We have a legitimate interest in ensuring the orderly conduct of the Annual General Meeting. If you submit countermotions to the proposed resolutions

prior to the Annual General Meeting in accordance with the requirements set out in the notice convening the Annual General Meeting or declare an objection to resolutions of the Annual General Meeting at the Annual General Meeting, we will therefore process the name and address of the shareholder and the shareholder number as well as your email address, if provided, in order to process these. If you authorise a third party to attend the Annual General Meeting, we will also process the name and address of the authorised representative. The legal basis for the processing in these cases is also the respective statutory provisions in conjunction with Art. 6 para. 1 lit. c) GDPR.

Page 3 from 7

If we wish to process your personal data for a purpose not previously mentioned, we will inform you of this in advance in accordance with the statutory provisions.

1. Will your data be transferred to a third country?
   In order to fulfil the above-mentioned purposes, it may be necessary to transfer your personal data outside the European Economic Area (EEA) for one of the above-mentioned purposes. If we transfer personal data to service providers or group companies outside the EEA, the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding corporate data protection regulations or EU standard contractual clauses) are in place.
2. To which categories of recipients do we pass on your data? External service providers:
   For the administration and technical management of the share register and the organisation of the Annual General Meeting, we use external service providers with whom we have concluded contracts for processing on behalf of the Company in accordance with Art. 28 GDPR (e.g. share registrar, IT service provider, AGM service provider, service provider for printing and sending shareholder notifications and legal advisors). Commissioned service providers only receive personal data from the Company that is necessary for the execution of the commissioned service and process this data exclusively in accordance with the Company's instructions.
   Other recipients and joint controllers under data protection law:
   If you attend the Annual General Meeting, we are obliged under Section 129 (1) sentence 2 AktG to enter your name, place of residence and the number of shares represented in the list of participants. This data can be viewed by other shareholders and Annual General Meeting participants during the meeting and by shareholders for up to two years afterwards (Section 129 (4) AktG). In addition, personal data may be made publicly accessible as part of the announcement of shareholder requests for additions to the agenda as well as countermotions and election proposals by shareholders.

If a shareholder requests that items be placed on the agenda (Section 122 (2) AktG), the Company will publicise these items, stating the name of the shareholder, in accordance with the provisions of the German Stock Corporation Act if the relevant requirements are met. The Company will also publish countermotions and election proposals from shareholders on the Internet, stating the name of the shareholder,

if the relevant requirements are met in accordance with the provisions of stock corporation law (Sections 126 (1) and 127 AktG). In addition, we may be obliged to transfer your personal data to other recipients, such as authorities to fulfil statutory notification obligations (e.g. in the case of voting rights notifications).

Page 4 from 7

LEG Management GmbH, Flughafenstr. 99, 40474 Düsseldorf, Germany, will provide services for LEG Immobilien SE in connection with the organisation and handling of the Annual General Meeting, in particular with regard to the fulfilment of legal requirements under the German Stock Corporation Act (AktG). Insofar as personal data is transmitted to LEG Management GmbH in this context, the companies are jointly responsible for data protection within the meaning of Art 26 GDPR. Data subjects can assert their rights against each individual controller.

6. How long will your data be stored?

As a matter of principle, we anonymise or delete your personal data as soon as and insofar as it is no longer required for the purposes stated herein, unless we are obliged to continue storing it due to legal obligations to provide evidence and/or retain data (in accordance with the German Stock Corporation Act, the German Commercial Code, the German Fiscal Code or other legal provisions). The storage period for data collected in connection with Annual General Meetings is generally up to three years.

The data stored in the share register must be retained by us for ten years after the sale of the shares for reasons of commercial and tax law. In addition, we only retain personal data in individual cases if this is necessary in connection with claims asserted against our Company (statutory limitation periods of up to thirty years).

7. Cookies

When using the InvestorPortal, only technically necessary cookies are used. These cookies enable the use of the website and are absolutely necessary for the use of its functions. This means, for example, the storage of log-in data or the language selection by so-called local or session storages (which are deleted when the browser is closed). These are not cookies.

Local Storages used

Storage Keys	Purpose	Storage
duration
LocaL	A session memory is intended for scenarios in which the	Duration of the
ng2Idle.main.expiry	user performs a single action. This is used for automatic
active session
ng2Idle.main.idling	logout after 30 minutes of inactivity.
Session
ServiceStorage	Authentication token, session data,	Duration of the
IVPLanguage	E-mail address (confirmation function)	active session
authorisationData
		Page 5 from 7

hostPortalContext

translationTags

Browser settings

You can refuse the storage of cookies by websites and applications on your end devices or adjust your browser settings if the cookies are not technically necessary. The InvestorPortal only uses technically necessary cookies. By clicking on one of the following links, users can go directly to the manual of the browser used or, if necessary, to the help function of the browser used.

1. Google Chrome

1. Mozilla Firefox

1. Apple Safari

1. MicrosoftEdge

8. What rights do you have under data protection law?

You can request information about the personal data stored about you, correction of your personal data, deletion of your personal data and restriction of the processing of your personal data free of charge from the address of the data protection officer stated in section 1. You also have the right to data portability. A request for deletion may conflict with the Company's statutory retention obligations.

1. Art. 15 GDPR: Right to information of the data subject
   You have the right to obtain information from us about which of your personal data we process.
2. Art. 16 GDPR: Right to rectification
   If the data concerning you is incorrect or incomplete, you can request the correction of incorrect data or the completion of incomplete data.
3. Art. 17 GDPR: Right to erasure
   Under the conditions of Art. 17 GDPR, you can request the erasure of your personal data. Your right to erasure depends, among other things, on whether the data concerning you is still required by us to fulfil our legal or contractual obligations.
4. Art. 18 GDPR: Right to restriction of processing
   Under the conditions of Art. 18 GDPR, you can request the restriction of the processing of personal data concerning you.
5. Art. 21 GDPR: Right to object
   You have the right to object to the processing of your data to protect the legitimate interests of

Page 6 from 7

the Company or a third party by contacting the LEG Group's Data Protection Officer, Flughafenstraße 99, 40474 Düsseldorf, phone +49 (0)211/74 07 40-77,e-mail datenschutz@leg- wohnen.de.

If your particular situation gives rise to reasons that conflict with this data processing, we will terminate this processing unless we can prove that there are compelling legitimate grounds for the processing that outweigh the interests, rights and freedoms of the data subjects, or the processing serves the assertion, exercise or defence of legal claims.

1. Art. 7 para. 3 GDPR: Right to withdraw consent
   You have the right to withdraw your consent to the processing of your personal data at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Do you have any complaints regarding the handling of your data? If you have any complaints regarding

the processing of your personal data, you can contact the company's data protection officer using the contact details provided at the beginning of this document in order to seek clarification directly from the Company. Irrespective of this, you have the right to lodge a complaint with a competent data protection supervisory authority. The data protection supervisory authority responsible for the Company is

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf, telephone +49.211.384240, e-mailpoststelle@ldi.nrw.de.

Status of the information in this document: April 2024

In the event of relevant changes, we will update this information and make it available on our website. We will also check whether there is an obligation to provide other notification in individual cases in the event of any changes to this data protection information and, if so, fulfil this notification obligation accordingly.

Page 7 from 7