SFC Energy : Information on data protection for SFC Energy AG shareholders and their proxies with regard to data processing for the purpose of the Annual General Meeting

Annual General Meeting of SFC Energy AG on May 16, 2024

Information on data protection for SFC Energy AG shareholders and their proxies with regard to data processing for the purpose of the Annual General Meeting

Protecting your personal data and processing it in compliance with the law is a matter of high priority for us. Therefore, this document contains information on the processing of your personal data by SFC Energy AG in connection with the preparation, execution and follow-up of the Annual General Meeting as well as on your rights under the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG).

We will hold the 2024 Annual General Meeting (AGM) as a meeting in person. There are no plans to facilitate participation in the AGM by remote means.

1. Who is responsible for data processing?

The controller and entity responsible for processing your personal data is:

SFC Energy AG Eugen-Sänger-Ring 7 85649 Brunnthal

Tel: +49 89 67 35 92-0

Email: info@sfc.com

If you have any questions about this data protection information, you can contact SFC Energy AG's Data Protection Officer by post or by email at the following address:

DataCo GmbH Nymphenburger Str. 86 80636 Munich

Email: datenschutz@dataguard.de

2. What personal data do we process?

We process the following personal data of our shareholders or their proxies, where applicable, in connection with our AGM:

• First and last name, and also title, where applicable;
• Contact details (e.g. address and email address);
• Shareholder-relatedand share-related data (e.g. shareholder category - natural person or legal entity, share class, custodian bank, share ownership type, and number of shares); and
• Other data arising in connection with the AGM (e.g. admission ticket number, voting card number, voting behaviour, motions, nominations, or other requests from shareholders or their proxies).

If shareholders or their proxies contact us, we also process the personal data required to respond to the request, such as their telephone number, for instance.

3. Where do we get your personal data from?

We, or the service providers commissioned by us, receive a shareholder's personal data either from the shareholder themselves or, via our registration office, from the credit institutions that the shareholder has commissioned to hold their shares in safe custody ('deposit shares').

If you act as a proxy for a shareholder, we will receive your personal data from the shareholder who has granted you proxy authorisation and directly from you if your conduct at the AGM is affected.

Convenience translation of the German original

4. For what purposes and on what legal basis is your data processed?

We process your personal data in accordance with the GDPR, the BDSG, the German Stock Corporation Act (Aktiengesetz - AktG) and all other relevant legal rules for the following purposes.

a) Preparation, execution and follow-up of the AGM

We process your personal data in order to prepare, execute and perform follow-up work for the AGM and in order to fulfil our legal obligations to shareholders and their proxies in this context, and in particular

• to process the registration and participation of shareholders and their proxies in the AGM (e.g. check right to participate, dispatch admission tickets, check identity, compile the list of partici- pants and make it available for inspection) and
• to enable shareholders and their proxies to exercise their rights in connection with the AGM (in particular, to grant and revoke authorisation and instructions to the Company's Designated Prox- ies and to exercise the right to vote, bring motions, speak and provide information, as well as the right to object to resolutions at the AGM).

Your personal data may also be processed for the purpose of providing Company information and keeping in touch with our shareholders (investor relations).

The legal basis for these processing operations is Article 6 (1) (c) GDPR in conjunction with section 67e (1) AktG and with our obligations under company law pursuant to sections 118 et seq. AktG.

The processing of your personal data is necessary to execute the AGM properly. If you do not provide us with the necessary personal data, we may not be able to allow you to participate in the AGM or exercise certain rights.

In the context of the preparation, execution and follow-up of the AGM, we may also transmit your data to our legal advisers, tax advisers or auditors, as we have a legitimate interest in organising the AGM in accordance with relevant law and in obtaining external advice for this purpose. The legal basis for this processing is Article 6 (1) (f) GDPR.

b) Processing in the context of voting rights notifications

Furthermore, we process data that is communicated to us by you or by other parties under an obligation to disclose it in connection with voting rights notifications under the German Securities Trading Act (Wertpapierhandelsgesetz - WpHG). The relevant German legislation and Article 6 (1) (c) GDPR serve as the legal basis for processing data in these cases.

1. Processing in order to comply with further legal obligations, in particular retention obli- gations

In addition, your personal data may also be processed to fulfil further statutory obligations, such as regulatory requirements and retention obligations under company law, commercial law and tax law. We are required, for example, to record the proxy authorisation granted to the proxy designated by us for the AGM so that it can be verified for a period of three years. Article 6 (1) (c) GDPR, in conjunction with the relevant legislation, also represents the authoritative legal basis in such instances.

d) Processing for the sign-up and execution of the tour of the works premises

If you have signed up for a tour of the works premises following the AGM, we will also process your personal data in order to prepare and conduct the tour of the works premises. We have a legitimate interest in offering a tour of our works premises to interested shareholders who voluntarily sign up for one and in this way strengthen the relationship we have with our shareholders. The legal basis for this processing is Article 6 (1) (f) GDPR.

Convenience translation of the German original

Page 2

5. With what recipients, if any, do we share your data and where do we transfer your data?

We use external service providers to manage the AGM process, e.g. service providers for organising the AGM, for printing and posting the invitation to the AGM and shareholder notifications, and for executing the AGM. However, such service providers only receive the personal data from us that is necessary for the performance of the commissioned service, and they process the data exclusively on our behalf and according to our instructions. All of our employees and all employees of external service providers who have access to and/or process personal data are obliged to treat this data as confidential. In the context of preparing, executing and following up on the AGM, we may also transmit your personal data to our legal advisers, tax advisers or auditors.

In the context of the AGM, your personal data may, under certain circumstances, be disclosed to other properly registered shareholders or their proxies (e.g. by granting access to the mandatory list of participants, by publishing the motions you have submitted, which are subject to publication re- quirements, or other requests via the communication channels described in the invitation to the AGM).

Finally, we may be obliged to transfer your personal data to other recipients, for example in the publication of voting rights notifications under the provisions of the WpHG, or to public authorities to satisfy legal disclosure requirements (e.g. to tax or law enforcement authorities).

Your data will generally be processed in countries that are members of the European Union (EU) or the European Economic Area (EEA). Where shareholders are domiciled in countries outside the EU or the EEA (Third Countries), we will also send information (e.g. the invitation to the AGM) to those shareholders. If such communications also contain personal data (e.g. motions for the AGM stating the name of the person bringing the motion), this data will thus also be transferred to Third Countries. The provisions of the GDPR do not have direct application in Third Countries. In the absence of an adequacy decision by the EU Commission, a lower level of protection for your personal data may apply in such Third Countries. Nevertheless, a transfer is necessary in order to inform all shareholders equally, as we are not allowed to treat shareholders from Third Countries differently when it comes to our duty to provide information. Therefore, such a transfer is made in order to fulfil our contractual obligations. The legal basis for the transfer is Article 49 (1) (b) GDPR.

6. How long do we store your data?

We delete or anonymise your personal data as soon as it is no longer required for the above-mentioned purposes unless we are required to continue to store the data by law under the rules on evidence or data retention (e.g. in accordance with the AktG, the German Commercial Code (Han- delsgesetzbuch - HGB), the German Tax Code (Abgabenordnung - AO) or other legislation). In addition, we also retain data where required in relation to claims asserted by or against our Company or for safeguarding our aforementioned legitimate interests. If you have specific questions concerning the storage period, please contact our Data Protection Officer.

7. What are your rights under data protection law?

Where the relevant legal requirements are met, you have the right, as a data subject, to

• obtain information about the data processing as well as a copy of the processed data (right of access, Art. 15 GDPR),
• obtain the rectification of inaccurate data or the completion of incomplete data (right to rectifica- tion, Art. 16 GDPR),
• obtain the erasure of personal data without undue delay (right to erasure, Art. 17 GDPR),
• obtain the restriction of data processing (right to restriction of processing, Art. 18 GDPR), and
• receive the personal data concerning you that you have provided to a controller, in a structured, commonly used and machine-readable format and, in addition, to transmit the data to another controller without hindrance from the controller (right to data portability, Art. 20 GDPR).

Convenience translation of the German original

Page 3

Insofar as we process your data to protect the legitimate interests of SFC Energy AG or a third party, you are entitled to object to this processing for reasons that arise from your particular situation. In this case we will no longer process your personal data unless we are able to demonstrate the existence of compelling legitimate grounds for processing worthy of protection which outweigh your interests, rights and freedom or that the processing serves the assertion, exercise or defence of legal claims.

You can assert the aforementioned rights by contacting our Data Protection Officer at the address specified under item 1 above. You can also contact our Data Protection Officer if you have a complaint regarding the processing of your personal data and wish to clarify the matter directly with us.

Irrespective of this, as a data subject, you also have the right to complain to a data protection supervisory authority.

The information in this document is valid as of: April 2024

Convenience translation of the German original

Page 4