SPARK : AGM 2021 Data Protection Rights for Shareholders

DATA PROTECTION INFORMATION FOR SHAREHOLDERS OF SPARK NETWORKS SE

We are writing to inform you about the collecting and processing of your personal data by Spark Networks SE, Munich (the "Company"), and the rights granted to you according to data protection law, especially the General Data Protection Regulation (Datenschutz-Grundverordnung).

Who is responsible for personal data processing?

Spark Networks SE Kohlfurter Straße 41/43 10999 Berlin legal@spark.net

Purposes and legal bases of the processing of your personal data and the sources of this data:

The protection of your personal data is important to us. We process your personal data exclusively in compliance with the applicable legal regulations, in particular, the EU General Data Protection Regulation ("GDPR"), the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG), the German Stock Corporation Act (Aktiengesetz - AktG), the Act on Measures in Corpo- rate, Cooperative, Association, Foundation and Condominium Law to Combat the Effects of the COVID-19 Pandemic ("COVID-19 Act") and the Act on the Further Shortening of Residual Debt Relief Proceedings and the Adjustment of Pandemic-Related Provisions in Corporate, Cooperative, Association and Foundation Law and all other relevant legal provisions.

Spark Networks SE shares are registered shares. In the case of registered shares, section 67 AktG requires that information be entered in the share register of the Company, stating the name, date of birth and the address of the shareholder, as well as the number of shares or the share number; and in the case of par-value shares, the amount. Each shareholder is generally obligated to provide the Company with this information.

Furthermore, we process personal data that you provide to us when you register for a shareholders' meeting, or vote via postal vote, or order entrance tickets or voting cards and/or grant power of attorney.

We use your personal data for the purposes set out in the German Stock Corporation Act. These purposes are, in particular, the management of the share register, communicating with you as a shareholder, and various processes when conducting the shareholders' meetings (registration for the shareholders' meeting, documentation of the right to participate and compiling the attendance list). The legal basis for processing your personal data is the German Stock Corporation Act in conjunction with article 6 (1) (c) GDPR.

Section 67 (6) sentence 4 German Stock Corporation Act stipulates that the data entered in the share register may only be used for advertising the Company insofar as the shareholder does not object to this being done. Shareholders are to be appropriately informed on their right to lodge an objection (Section 67 (6) sentence 5 AktG). The Company complies with this obligation, among other things, by providing information on the right to object in section 7 of this document. In the event that

EU-320527 v1

the data entered in the share register is used to advertise the Company, data processing is performed on the basis of Art. 6 (1) f) GDPR.

In addition, we may also process your personal data for purposes that are compatible with these purposes (in particular for the production of statistics, for instance, for the presentation of shareholder development, number of transactions, or overviews of the largest shareholders) and to fulfil other legal obligations; for example, regulatory requirements, as well as stock, commercial and tax legislation retention requirements. In order to comply with the regulations of the German Stock Corporation Act, for example, when authorising the proxies nominated by the Company for the share- holders' meetings, we must keep a verifiable record of such data, which serves as proof of proxy. We must also keep such data access-protected for three years (section 134 (3) sentence 5 AktG). The legal basis for the processing in this case is the respective statutory regulations in conjunction with article 6 (1) (c) GDPR.

We have a legitimate interest in ensuring the orderly conduct of the Annual General Meeting. If, pursuant to section 1 (2) of the COVID-19 Act in conjunction with the provisions laid down in the invitation to the Annual General Meeting, you submit questions via the AGM Portal in connection to the Annual General Meeting or raise an objection to resolutions of the Annual General Meeting at the AGM, we therefore process the shareholder's name, date of birth and address, the shareholder number as well as your e-mail address (if provided) for the purpose of processing these questions. If you authorize a third party to participate in the Annual General Meeting (e.g. to submit questions or exercise voting rights), we also process the name and address of the proxy. In these cases, too, the pertinent legal provisions in conjunction with Art. 6 para 1 c) GDPR serve as the legal basis for data processing. Beyond that, we only use your data if you have given us your consent (for example, to use electronic means of communication). The legal basis for the processing of your personal data in these cases is Art. 6 para. 1 lit. a) GDPR.

Furthermore, we only use your data where you have given consent, which can be withdrawn at any time (for example, to use electronic means of communication), or if processing is necessary for the purposes of the legitimate interests pursued by the Company (in particular, to create statistics, for example, to portray shareholder development, the number of transactions, and an overview of the largest shareholders). The legal basis for processing your personal data is, in these cases, article 6

1. (a) and (f) GDPR. If we intend to process your personal data for a purpose not mentioned above, we will inform you in advance within the scope of the legal provisions.

Categories of recipients of your personal data:

We make use of professional services of so-called contract processors. These are natural or legal persons, authorities, institutions or other bodies that process personal data on our behalf as responsible parties. Since the selection of our processors may change on a regular basis, we have provided the following overview of the categories of potential recipients. If you would like to receive a complete list of our processors at the time of processing your personal data, please reach out to our Data Protection Officer via the below contact information.

• External service providers:
  We use a number of external service providers for the administration and technical man- agement of the share register as well as the handling of shareholders' meetings (for ex- ample, a share register service company, IT service providers, and AGM service provid- ers). Our external service providers process your personal data exclusively on our behalf

and according to our instructions and are contractually bound by applicable data protection law in accordance with article 28 (3) GDPR.

• Other recipients:
  In addition, we may transfer your personal information to other recipients, such as public authorities, to comply with our legal reporting obligations (for example, if you exceed stat- utory voting thresholds). If you participate in the Annual General Meeting, we are obliged according to section 129 (1) sentence 2 German Stock Corporation Act (AktG) to include you in the list of participants, stating your name, place of residence and the number of shares represented. This data can be viewed by other shareholders and AGM participants during the meeting, and by shareholders for up to two years thereafter (section 129 (4) AktG). Furthermore, personal data may be made available to the public at large in connec- tion with an announcement of shareholder requests for additions to the agenda as well as countermotions and election proposals by shareholders.
  If a shareholder requests that items be added to the agenda (section 122 (2) AktG), the Company will publish these items pursuant to the provisions of the German Stock Corpo- ration Act if the relevant requirements are met, stating the shareholder's name. Similarly, the Company will publish countermotions and nominations from shareholders on the inter- net, if the relevant requirements are met, in accordance with the provisions of German stock corporation law, stating the shareholder's name (sections 126 (1), 127 AktG). We may, moreover, be obliged to transmit your personal data to other recipients, such as public authorities to adhere to statutory notification obligations (for example, in the case of voting right notifications).

Retention periods:

As a matter of principle, we anonymize your personal data or delete it when and to the extent that it is no longer required for the purposes stated herein, unless we are obliged to continue to store it on the basis of statutory proof and/or retention obligations (under the German Stock Corporation Act, the German Commercial Code, the German Fiscal Code or other legal provisions). The retention period for data recorded in connection with Annual General Meetings usually is up to three years.

For commercial and tax law reasons, the data stored in the share register must regularly be retained by us for ten years after the shares have been sold. Furthermore, we only retain personal data in individual cases if this is necessary in connection with claims asserted against our enterprise (stat- utory limitation periods of up to thirty years).

Transfer of personal data to non-European countries:

Should we transfer personal data to service providers outside the European Economic Area (EEA), the trans- fer will only take place if the location has been confirmed by the EU Commission to have an adequate level of data protection or other appropriate data protection safeguards (e.g. binding internal data protection regulations or agreement to standard (data protection) contractual clauses of the European Commission). Currently, we transfer personal data to a processor in the USA. You can request detailed information on the level of data protection at our service provider and the appropriate data protection safeguards implemented from the contact information detailed above.

EU-320527 v1

Cookies:

Any data collected by cookies, device IDs and similar procedures is always used by us in an anonymous form and is not merged with any customer or profile data stored by us.

Whenever you visit the AGM portal, we temporarily save the IP address of your internet access and the pages you call up, so that basic services such as authorization assignment work.

We use the latest security standard (256-bit encryption) in our entire offer. Your data is encrypted directly during transmission, and all information relevant to data privacy is stored in encrypted form in a protected database. In order to be able to manage your access, we need a session cookie (which is deleted once the browser is closed).

Cookie	Description	Duration of storage	Classification
PHPSessionID	Standard session identification for PHP	Deleted once the browser is	Necessary
		closed
	Cookie used to store consent to the cookie bar func-
cookieaccepted	tion, and thus to its being concealed in the respective	10 days	Necessary
	view.

Browser settings:

You can refuse to accept the storage of cookies by websites and applications on your terminal devices or adjust your browser settings. In the latter case, users receive a warning before cookies are stored. Users may also adjust their settings so that their browser either rejects all cookies or only those of third parties. Users can also delete cookies that were stored at an earlier point in time. Please note that the settings must be adjusted separately for each browser and on each device used. In the event that users do not wish cookies to be used, we would like to point out that we regret not to be able to guarantee that our AGM Portal will work properly without the use of cookies. Without the use of cookies, some functions of the websites and applications may not be available or certain pages may not be displayed. Users can go directly to the manual of the browser used by clicking on one of the following links.

Chrome

Firefox

Internet Explorer Edge

Safari

Your rights as a data subject:

You have the right to request information about the data stored about you. Additionally, under certain circumstances, you may request a correction or the deletion of your data, as well as the restriction of the processing of your data. You also have the right (under certain circumstances) to object to the processing of your data, or to require that certain of your personal data be transferred to you or a third party. You may revoke your consent to the processing of your data at any time. To exercise these rights, please contact us at the above-mentioned address.

You can contact the Data Protection Officer at the address specified below in order to exercise the following rights free-of-charge:

Art. 15 GDPR: Right of access by the data subject

You have the right to receive information from us about which of your personal data we process.

Art. 16 GDPR: Right to rectification

If your personal data is incorrect or incomplete, you are entitled to have any incorrect information rectified, or to have incomplete personal data completed.

Art. 17 GDPR: Right to erasure

Under the conditions of Art. 17 GDPR, you can request the erasure of your personal data. Your right to request erasure depends, among other things, on whether or not your personal data is still required by us to fulfil our legal or contractual obligations.

Art. 18 GDPR: Right to restriction of processing

Under the conditions of Art. 18 GDPR, you can request that the processing of your personal data be restricted.

Art. 20 GDPR: Right to data portability

Under the conditions of Art. 20 GDPR, you have the right to receive your personal data in a struc- tured, commonly used and machine-readable format.

Art. 21 GDPR: Right to object

You have the right to object to the processing of your data to safeguard the legitimate interests of the Company or of a third party

We shall cease this type of processing if we cannot prove that there are compelling reasons for processing that are worthy of protection and that outweigh the data subjects' interests, rights, and freedoms; or if processing serves to assert, exercise, or defend legal claims.

Art. 7 para 3 GDPR: Right to withdraw consent

You have the right to withdraw at any time your consent to the processing of your personal data. The withdrawal of consent shall not affect the lawfulness of data processing carried out on the basis of the consent until the point in time it was withdrawn.

Data protection officer and right of complaint

You can reach our data protection officer at the following address:

EU-320527 v1