AUTO1 : Data privacy information for shareholders and their proxies

CONVENIENCE TRANSLATION. FOR READING PURPOSES ONLY.

Data Privacy Information

for Shareholders and their Proxies

for the (virtual) Annual General Meeting 2024

of

AUTO1 Group SE

Munich

ISIN: DE000A2LQ884 and DE0004ABGG70 // WKN: A2LQ88

AUTO1 Group SE will process personal data of shareholders and their proxies in connection with the virtual Annual General Meeting.

You will find below information on the party responsible under data protection law ("Controller ") and the data protection officer (1.). We also provide you below with the information regarding the processing of personal data (2.) and the rights of data subjects in connection with this processing (3.).

1. Controller and data protection officer

1. Controller
   AUTO1 Group SE Bergmannstraße 72 10961 Berlin Germany
   Tel. +49 (0)30 2016 3836 0 E-Mail:info@auto1-group.com
   AUTO1 Group SE is represented by the members of its Management Board, Christian Bertermann and Markus Boser.
2. Data protection officer
   AUTO1 Group SE Bergmannstraße 72 10961 Berlin Germany
   E-Mail: datenschutz@auto1.com.
   This email address ensures confidential communication with our data protection of- ficer.

43575195 Page 1/6

2. Processing of personal data

2.1. Personal data and its sources

AUTO1 Group SE will process the following personal data of shareholders and their proxies in connection with the virtual Annual General Meeting to enable shareholders and their proxies to exercise their shareholder rights in relation to the virtual Annual General Meeting:

• surname and first name, address, email address,
• number of shares, class of shares, type of ownership of the shares,
• the specific identifier given to the shareholder by the ultimate intermedi- ary, account number of the custody account of the shareholder,
• the access data assigned to the shareholder for the password-protected InvestorPortal of the Company,
• the IP address from which the shareholder or the proxy uses the pass- word-protected InvestorPortal of the Company, other log data that is gen- erated for technical reasons when using the password-protected Investor- Portal of the Company (type and version of web browser, operating sys- tem used, volume of data transmitted, page accessed, page previously visited, date and time of access and potential use of the InvestorPortal until logout, in particular for voting or requesting to speak),
• the electronic exercise of voting rights and the content of votes cast by electronic absentee ballot,
• the participation in the virtual Annual General Meeting and tracking of the complete transmission of the virtual Annual General Meeting in video and audio,
• the content of questions asked by means of video communication and the content of their answers, as well as the content of statements submitted by means of electronic communication,
• the exercise of the right to speak and the right to information as well as the submission of motions and election proposals by means of video com- munication (in particular video and audio data) and the electronic possi- bility of lodging objections against resolutions of the Annual General Meet- ing,
• communication data of the shareholder to check the functionality of the video communication (in particular IP address and potentially video and audio data),
• if applicable, the surname, first name and address of the proxy appointed by the relevant shareholder, the granting of power of attorney to the proxy, including any voting instructions, and their specific identifier given by the ultimate intermediary.

If this personal data has not been provided by the shareholders when registering for the virtual Annual General Meeting or received during conducting the virtual Annual General Meeting including the use of the password-protected InvestorPortal, their depositary bank or their ultimate intermediary within the meaning of section 67c(3) of

43575195 Page 2/6

the German Stock Corporation Act (Aktiengesetz) ("AktG") will send their personal data to AUTO1 Group SE. The access data assigned to the shareholder for the password -protected InvestorPortal of the Company as well as the IP address from which the shareholder or the proxy uses the password-protected InvestorPortal of the Company shall be communicated to the Company by the service provider commissioned by the Company to conduct the virtual Annual General Meeting.

1. Purpose of processing and legal basis
   AUTO1 Group SE will process the data of the shareholders and their proxies to the extent necessary to process the shareholder rights exercised by them in connection with the virtual Annual General Meeting. The legal basis for this processing is Article 6(1) lit. c) of the General Data Protection Regulation ("GDPR") in conjunction with section 67e(1) AktG (compliance with legal obligations).
   AUTO1 Group SE will process the IP address from which the shareholder or the proxy uses the password-protected InvestorPortal of the Company, as well as other log data that is generated for technical reasons when using the password-protected Investor- Portal of the Company, to the extent necessary to provide the password-protected InvestorPortal of the Company and to ensure the security of the IT infrastructure used for this purpose. The legal basis for this processing is Article 6(1)(c) GDPR (compli- ance with legal obligations) in conjunction with Section 67e(1) AktG and Article 6(1)(f) GDPR (balancing of interests). The legitimate interest of AUTO1 Group SE is the provision of the password-protected InvestorPortal of the Company and the guarantee of the security of the IT infrastructure used for this purpose.
   Furthermore, AUTO1 Group SE will store personal data of its shareholders and prox- ies to the extent that this is necessary to comply with statutory obligations to retain data. The legal basis for this processing is Article 6(1)(c) GDPR (compliance with legal obligations) in connection with the respective statutory retention obligations.
   Moreover, AUTO1 Group SE will possibly continue to store personal data of its share- holders and proxies to the extent that this is necessary to establish, exercise or defend legal claims. The legal basis for this processing is Article 6(1)(f) GDPR (balancing of interests). AUTO1 Group AG's legitimate interest is to establish, exercise or defend legal claims.
2. How long do we keep your personal data?
   AUTO1 Group SE will store this personal data for the above purposes only for as long as this is necessary for the above purposes.
   Log data that is technically generated when using the password-protected Investor- Portal of the Company is stored in so-called log files for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack). In the event of a secu- rity-relevant event, log files are stored until the security-relevant event has been elim- inated and fully clarified.
   Otherwise, the storage period for the aforementioned purposes is regularly up to three years.

43575195 Page 3/6

If a shareholder is no longer a shareholder of the Company, AUTO1 Group SE will only store his or her personal data for a maximum of twelve months on the basis of section 67e(2) sentence 1 AktG and subject to other statutory provisions.

Data will only be stored for a longer period on the basis of section 67e(2) sentence 2 AktG and subject to other statutory provisions as long as this is necessary for any possible legal proceedings to establish, exercise or defend legal claims. In this case, AUTO1 Group SE will store the data until the end of the legal proceedings.

2.4. Who else receives your personal data?

The following service provider will process the above data for the above purposes on behalf of AUTO1 Group SE (as so-called 'processor'):

Computershare Deutschland GmbH & Co. KG

Elsenheimerstraße 61

80687 München

Germany

The service provider will only receive personal data from AUTO1 Group SE that is required to perform the commissioned service and will process the data exclusively in accordance with AUTO1 Group SE's instructions.

Otherwise, AUTO1 Group SE will only make the personal data available to shareholders and their proxies as well as to third parties in connection with the virtual Annual General Meeting within the framework of the statutory provisions. In particular, if shareholders and their proxies are to be represented at the virtual Annual General Meeting by a proxy appointed by the Company disclosing their name, AUTO1 Group SE will enter their names, place of residence, number of shares and type of ownership in the list of attendees of the Annual General Meeting to be drawn up in accordance with section 129(1) sentence 2 AktG. All shareholders who are electronically connected to the virtual Annual General Meeting and their proxies can view this data on the password-protected InvestorPortal during the virtual Annual General Meeting and shareholders may also inspect it up to two years later pursuant to section 129(4) sentence 2 AktG. With regard to the transfer of personal data to third parties in connection with the announcement of shareholder requests for additions to the agenda, statements submitted as well as countermotions and election proposals by shareholders, please refer to the explanations in Part III. 11. of the invitation to the virtual Annual General Meeting on 6 June 2024.

If shareholders or their proxies make use of their right to request information pursuant to section 131(1) AktG or otherwise speak, this might be done by stating the name and, if applicable, the place of residence or registered office of the shareholder asking the question and/or his proxy. Requests for information and other requests to speak can only be acknowledged by other participants in the virtual Annual General Meeting. Pursuant to Section 130a(3) AktG, comments submitted will be made available to other users of the password-protected InvestorPortal as described in Part III. 11. of the invitation to the virtual Annual General Meeting. In the case of requests for supplements pursuant to Art. 56 sentence 2 and sentence 3 SE Regulation, Section 50(2) SEAG, Section 122(2) AktG and in the case of countermotions and election proposals pursuant to Sections 126(1), 127 AktG, these will be made publicly accessible as explained in more detail in Part V.no. 7 of the invitation to the virtual Annual General

43575195 Page 4/6

Meeting and, if applicable, be proposed for voting in the virtual Annual General Meet- ing.

1. No transfer of personal data to third countries
   AUTO1 Group SE will not transfer the personal data processed in the context of the virtual Annual General Meeting to countries outside the European Union or the Euro- pean Economic Area (so-called 'third countries').
2. No obligation to provide the data
   Shareholders and their proxies are not obliged to provide AUTO1 Group SE with the abovementioned data in connection with the Annual General Meeting. Provision of the data is not required by law or by contract. The data is also not required for the conclusion of a contract. However, the provision of personal data is absolutely nec- essary to exercise shareholder rights with respect to the Annual General Meeting.
   Insofar, if shareholders and their proxies do not provide the data, AUTO1 Group SE will not be able to enable them to exercise shareholder rights in relation to the Annual General Meeting.
3. No automated decision-making, including profiling
   AUTO1 Group SE will not carry out any automated decision-making, including profil- ing, on the basis of the personal data pursuant to Article 22(1) and (4) GDPR.
4. Use of technically necessary cookies for the password-protected InvestorPortal
   In order to ensure the secure operation of the password-protected InvestorPortal and to enable the use of certain functions, technically essential cookies, in particular so- called session-ID cookies, are used. These are small text files that are stored on the end device of shareholders or their proxies when they use the InvestorPortal. When the InvestorPortal is called up again with the same terminal device, the cookie and the information stored in it can be retrieved. You will be notified about the use of cook- ies when accessing the InvestorPortal (for the first time). Shareholders and their prox- ies can generally prevent the use of cookies via their browser settings. However, com- pletely blocking all cookies may mean that the password-protected InvestorPortal cannot be used under certain circumstances.

3. Rights of data subjects in relation to the processing

The shareholders and their proxies have the following rights with respect to the pro- cessing of their personal data:

• right of access (Article 15 GDPR)
• right to rectification (Article 16 GDPR)
• right to erasure ("right to be forgotten") (Article 17 GDPR)
• right to restriction of processing (Article 18 GDPR)
• right to data portability (Article 20 GDPR)
• right to object (Article 21 GDPR)

43575195 Page 5/6

• right to withdraw consent (Article 7(3) GDPR)

The following right to object under Article 21(1) GDPR is especially highlighted:

Right to object on grounds relating to the data subject's particular situation (Article 21(1) GDPR)

Shareholders and their proxies have the right as data subjects pursuant to Article21(1) GDPR to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Article 6(1) lit. f)GDPR (see clause 2.2.).

If an objection is raised, AUTO1 Group SE will no longer process the personal data unless AUTO1 Group SE demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the shareholders and theirproxies as data subject or for the establishment, exercise or defense of legal claims.

Data subjects can contact AUTO1 Group SE or its data protection officer using the contact details referred to above in order to exercise their rights. In addition, shareholders and their proxies have a right to appeal to a data protection supervisory authority (Article 77 GDPR). Data subjects can assert this right to appeal in particular to the supervisory authority of the (federal) state in which they have their domicile or permanent residence or the data protection supervisory authority for the nonpublic sector of the federal state of Berlin (Berliner Beauftragte für Datenschutz und Infor- mationsfreiheit), where AUTO1 Group SE has its headquarters.

For more information on the General Data Protection Regulation and the rights of data subjects in relation to the processing of their personal data, please refer to the online information brochure (in German only) of the Federal Commissioner for Data Protection and Freedom of Information (DerBundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI)).

43575195 Page 6/6