Bayer : Privacy Information for Attendees (privacy information for attendees asm2026)

Data privacy information for stockholders and proxy holders applicable to the Annual Stockholders' Meeting of Bayer Aktiengesellschaft

We take the protection of your data very seriously. The information presented below gives you an overview of how we process your personal data and your rights under data privacy law.

1. Who is responsible for the processing of my data and who can I contact about it?

   The data controller is Bayer Aktiengesellschaft, Kaiser Wilhelm Allee 1, 51368 Leverkusen, Germany (referred to in the following as "us", "our" and "we"). You can contact our Group Data Protection Officer at the above address or by email at data.privacy@bayer.com. For data privacy inquiries relating to information in the share register please contact us at the above address or by email at ir@bayer.com.

2. What data is processed, why and on what legal basis?

   We process your personal data in compliance with the EU's General Data Protection Regulation (GDPR), the German Data Protection Act (BDSG), the German Stock Corporation Act (AktG), and all other applicable laws and regulations.

   Shares in Bayer Aktiengesellschaft are registered shares. For registered shares, stock corporation law requires that the shares be recorded in the company's share register with the name, date of birth, postal address, electronic address (email address) and number of shares or the share number, along with the amount for par-value shares. The financial institutions / intermediaries that assist you in purchasing or holding your registered shares in Bayer regularly send us the information required for maintaining the share register and the information concerning your citizenship. This information is transmitted via Clearstream Banking AG, which is the central custodian responsible for the technical processing of securities transactions and keeps custody of the shares for the financial institutions / intermediaries. If you sell your shares, the sale is also reported to us via Clearstream Banking AG.

   We use this personal data for the purposes defined in the AktG, particularly for maintaining the share register and communicating with stockholders. In addition, we may use your data for purposes compatible

   with those listed above (in particular to generate statistics, e.g. to map stockholder trends, to chart the number of transactions, or to create overviews of the largest stockholders). The conditions contained in stock corporation law (particularly Sections 67, 67e AktG), in combination with Art. 6, Paragraph 1 c) and Paragraph 4 GDPR constitute the legal basis for processing personal data.

   Furthermore, we process the stockholder data mentioned above and, where proxy voting rights are conferred, the name and contact details (e.g. address, email address) of the proxy holder when necessary to meet other legal requirements, e.g. regulatory and securities-related requirements and document retention obligations under stock corporation law, commercial and tax law. For instance, in relation to the authorization of the proxy holders appointed by the company for the Annual Stockholders' Meeting, we must retain auditable data documenting the powers of attorney and protect it from access for three years (Section 134, Paragraph 3, Sentence 5 AktG). The legal basis for processing in these cases is the respective regulations read together with Article 6, Paragraph 1 c) of the GDPR.

   In addition, we process the personal data (name, Stockholder Control Number, number of shares held, place of residence, phone number, email address, and timing and content of any contributions as part of exercising their stockholder rights) of the stockholders attending the virtual Annual Stockholders' Meeting, or of their proxy holders, in order to conduct the meeting and fulfill the applicable stock corporation law requirements. This particularly involves enabling participation and maintaining the register of participants, enabling the exercise of stockholder rights (e.g. voting rights, the right to information, the right to speak and the right to object), and meeting publication obligations (countermotions, nominations and positions are published on the https://www.bayer.com/annual-stockholders-meeting internet page, along with the name of the stockholder concerned). The conditions contained in stock corporation law (particularly Sections 67e, 118 et seq. AktG), in combination with Art. 6, Paragraph 1 c) GDPR constitute the legal basis for processing personal data.

   In addition to processing on the basis of legal requirements, we may also process your personal data in order to pursue the following legitimate interests, if applicable, in line with Art. 6 Paragraph 1 f) GDPR:

   • To organize the virtual Annual Stockholders' Meeting and ensure it runs smoothly, insofar as the data processing necessary for this purpose goes beyond the points mentioned above.

   • To inform the public and other stockholders not participating via the Stockholder Portal, we will broadcast audio and video of the entire Annual Stockholders' Meeting, including all contributions by stockholders and their proxy holders, live on the internet (livestream).

   • There is also a legitimate interest in being compliant with non-European securities regulations. This can be relevant, for example, in the event of capital increases, when such regulations require that we exclude individual stockholders from notification about subscription offers on account of their citizenship or place of residence.

   • You can use the chat function to send us messages during the Annual Stockholders' Meeting that go beyond what is covered by the statutory right to information. To enable us to answer your messages either directly in the chat or retrospectively via email, we will process the following personal data: your name, the content of your message, your IP address and your email address.

   Further information about the processing of your data in relation to using our Stockholder Portal can be found in our separate data protection notice regarding the use of the Bayer Aktiengesellschaft Stockholder Portal.

   If we intend to process your personal data for a purpose other than those indicated above, we will notify you in advance of any processing as required by law.

3. Who receives my data?

   Within Bayer Aktiengesellschaft, access to your data is given to persons who need to meet our obligations to you. Service providers and subcontractors engaged by us can also receive data for these purposes. If these service providers have access to our stockholders' data, it will be in the context of what is called "processing on behalf", which is expressly provided for by law (Article 28 of the GDPR). In this case, Bayer Aktiengesellschaft still remains responsible for the protection of your data. Our service providers are carefully selected and work exclusively on our instructions, which we guarantee by contractual provisions, technical and organizational measures and additional controls. Our service providers are companies that fall into the following categories: Service providers for maintaining the share register, IT service providers and service providers who are preparing and conducting the Annual Stockholders' Meeting.

   In addition, we may be obliged to transmit personal data to government authorities, in particular to the German Federal Financial Supervisory Authority (BaFin), for example to comply with legal reporting obligations when the stock ownership thresholds stipulated by law are exceeded. Finally, we transmit personal data to courts, arbitration tribunals or legal advisors if this is required to establish, exercise or defend legal claims.

4. Is my data transmitted to a non-EU country?

   We do not intend to transfer your personal information to a third country outside the European Economic Area (EEA) or to an international organization. In this respect, we do not disclose personal data to service providers outside the European Economic Area (EEA).

5. How long is my data stored?

   As a rule, we anonymize or delete your personal data as soon as it is no longer needed for the purposes indicated above unless we are required to keep it longer to comply with legal verification and document retention obligations (e.g. as required by the AktG, the German Commercial Code, or the German Tax Code). The data collected in relation to Annual Stockholders' Meetings is normally stored for up to three years. We are normally required to retain the data stored in the share register for 10 years after the shares are sold. Beyond this, we only retain personal data in individual cases where retention is required in connection with claims that are brought on behalf of or against our company.

6. As a stockholder, am I required to provide data?

   As a stockholder, you are legally required to provide us with the personal data about you that we need to maintain the share register (see above). The financial institutions / intermediaries involved in the transfer or custody of registered shares are also required to provide Bayer Aktiengesellschaft with the information necessary for maintaining the share register (Section 67, Paragraph 1, Sentence 2 and Paragraph 4 AktG). There is no fundamental requirement to provide any personal data beyond this. Should such further information be required to exercise your stockholder rights, however, withholding this information could make it impossible for you to exercise those rights.

7. What are my rights as a data subject?

You can request information concerning the data stored about you. Upon logging into the Bayer Aktiengesellschaft Stockholder Portal at https://www.bayer.com/en/investors/stockholders-portal, you will find the main identifying information recorded in the share register under the menu item "My profile". You also have a right to the rectification of inaccurate personal data concerning your person. Under certain circumstances, you can also request the deletion of your data or a restriction of processing (e.g. if your data is being processed in violation of the law). If we process your data to pursue legitimate interests, you can object to this processing if there are reasons not to process this data on account of your particular situation. We will then stop such processing unless we can demonstrate compelling, overriding and legitimate grounds. Additional rights include the right to transfer your data and the right to withdraw any consent that may previously have been given at any time, without adversely affecting the legality of the processing prior to the withdrawal of said consent.

If you wish to exercise your rights, you can contact our Group Data Protection Officer at the address indicated above. You also have the right to complain to the data protection oversight authorities. The data protection oversight authority responsible for Bayer Aktiengesellschaft is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen Postfach 20 04 44

40102 Düsseldorf Germany