Init innovation in traffic : Data privacy

Data privacy for our shareholders

As the data controller within the meaning of Art. 4 No. 7 of the German Data Protection Regulation ("DSGVO"), init SE processes personal data (surname and first name, address, e-mail address, number of shares, class of shares, type of ownership of the shares and number of the voting card; if applicable, surname, first name and address of the shareholder representative appointed by the respective shareholder) on the basis of the data protection provisions applicable in Germany in order to enable shareholders and shareholder representatives to exercise their rights within the framework of the Shareholders' Meeting. init SE is represented by the members of its Managing Board.

Insofar as this personal data has not been provided by the shareholders within the scope of the registration for the shareholders' meeting, the bank holding their securities account shall transmit their personal data to init SE. The personal data of shareholders and shareholder representatives shall be processed exclusively for the purpose of handling their participation in the Shareholders' Meeting and only to the extent necessary to achieve this purpose. The legal basis for the processing is the German Stock Corporation Act in conjunction with Art. 6 para. 1 lit. (c) DSGVO. init SE shall store this personal data for a period of ten years beginning with the end of the year in which the Shareholders' Meeting took place.

The service providers of init SE, which are commissioned for the purpose of organising the shareholders' meeting, shall only receive personal data from init SE that is required for the execution of the commissioned service and shall process the data exclusively in accordance with the instructions of init SE.

The personal data shall be stored for the duration of the statutory retention periods and then deleted immediately. Automated decision-making including profiling in accordance with Art. 22 DSGVO does not take place on the part of init SE at any time.

With regard to the transmission of personal data to third parties in the context of an announcement of shareholder requests for additions to the agenda as well as countermotions and election proposals by shareholders, please refer to the explanations under the item Shareholders' Rights of the Conditions of Participation.

If you, as a shareholder, make use of the possibility to submit questions in advance of the virtual Shareholders' Meeting and your questions are answered there, this will generally be done by mentioning your name. This can be noted by other participants of the virtual shareholders' meeting. This data processing is necessary to protect our legitimate interest in making the virtual Shareholders' Meeting as similar as possible to a physical meeting and the legitimate interest of the other participants in the Shareholders' Meeting in knowing the name of a questioner. The legal basis for this processing is Art. 6 para. 1 lit. f) DSGVO. You may object to your name being mentioned for reasons arising from your particular situation.

To enable shareholders to vote at the annual general meeting, init SE uses a portal of the external

The information is originally drafted in German. This is a courtesy translation only. In case of doubt, the German version shall prevail

April 2024 / 1 of 4

Data privacy for our shareholders

provider Computershare, Colmarer Str. 5, 60528 Frankfurt am Main, Germany. The portal is available via the init SE website until 6.00 p.m. on the day before the Annual General Meeting. Here, the following processing operations take place:

Local Storage:

Collected information: storage of the login timestamp.

Purposes: A session store is intended for scenarios in which the user performs a single action. This is used for automatic logout after 30 minutes of inactivity.

Session Storage:

Collected information: authentication token, session data, email address (confirmation function).

Purposes: The SessionStorage attribute of the Window object retains key-value pairs for all pages loaded during the validity period of a single tab (for the duration of the top-level browser context). Temporary storage (email address) for automated sending of confirmations.

Server log files:

Collected information: name of the retrieved file, date and time of the retrieval, message whether the retrieval was successful, description of the type of web browser used, referrer URL (the previously visited page), host name of the accessing computer (IP address).

Purposes: browser automatically transmits this data to us for technical reasons in order to establish an electronic connection.

Cookies:

Information collected: name of cookies: X-XSRF-TOKEN, AspNetCore.Antiforgery.8- SwGiRsH58. Token to ensure secure connection between InvestorPortal and Q-Live. Purposes: Two technically necessary cookies that ensure a secure connection between InvestorPortal and Q-Live.

Bank import in CesarNG:

Collected information: ticket number, first name, last name, street, street no, postcode, city, number of shares.

Purposes: The person logging in is matched with the respective existing already submitted evidence from the custodian banks to query the shareholder status.

Login mask:

Collected information: shareholder number or admission ticket number and password.

Purpose: Comparison with shareholder status

Forgotten password:

Collected information: shareholder number and e-mail address (use of e-mail address deposited for e-sending if consent has been given) for registered shares or admission ticket

The information is originally drafted in German. This is a courtesy translation only. In case of doubt, the German version shall prevail

April 2024 / 2 of 4

Data privacy for our shareholders

number, first name, last name, city, number of shares in case of holder. Purposes: production of forgotten password.

Registration in two steps:

Collected information: First name, last name, city, number of shares, email address or/and mobile phone number.

Purposes: Additional security measure to prevent misuse in order to avoid unauthorised access.

To create an admission ticket for a third party or to authorise a third party:Collected information: first name, last name, location of a third party.

Purposes: Creation of the admission ticket in the name of the authorised person.

Method of sending by e-mail:

Information collected: e-mail address.

Purpose: to send the ticket.

Mailing method by post:

Information collected: Address: First name, last name, address suffix, street, house number, city, postcode.

Purposes: Dispatch of the admission ticket produced.

Postal votes / instructions:

Collected information: Votes cast by postal vote or instructions to the proxy.

Purposes: casting of votes.

Session Tracking:

Collected information: meeting key/meeting ID, shareholder number or admission card number; further info on online attendance register (not yet specified in detail); in case of "proxy compulsion" (login with jur. person): First name, last name, place.

Purpose: Participation in the virtual AGM.

Q-Live:

Collected information: shareholder number / admission ticket number, first name, last name, question / demand; email, telephone number if applicable; corrected name, proxy if applicable, objection, questions for the record.

Purposes: asking questions / demands, request to speak, motion, objection, submitting questions for the minutes.

Video upload / viewing:

Computershare itself does not store any information.

The information is originally drafted in German. This is a courtesy translation only. In case of doubt, the German version shall prevail

April 2024 / 3 of 4

Data privacy for our shareholders

Webcast:

Computershare itself does not store any information.

With regard to the processing of personal data, shareholders and shareholder representatives may request init SE to provide them with information on their personal data in accordance with Article 15 of the GDPR, to correct their personal data in accordance with Article 16 of the GDPR, to delete their personal data in accordance with Article 17 of the GDPR, to restrict the processing of their personal data in accordance with Article 18 of the GDPR and to transfer certain personal data to them or to a third party designated by them (right to data portability) in accordance with Article 20 of the GDPR. If shareholders and shareholder representatives have given consent to data processing, you can revoke this consent at any time for the future. Shareholders and shareholder representatives may assert the rights listed above against init SE free of charge via one of the following contact options:

init innovation in traffic systems SE Investor Relations Käppelestraße 4 - 10

76131 Karlsruhe E-Mail:ir@initse.com

You can reach our data protection officer at:

Mr. Georg Biel

Data Protection Officer

E-Mail:georg@biel-it.de

Biel-IT UG

In addition, pursuant to Art. 77 DSGVO, shareholders and shareholder representatives have a right of appeal to the data protection supervisory authority of either the (federal) state in which they are domiciled or have their permanent place of residence or the state of Baden-Württemberg in which init SE has its registered office.

The information is originally drafted in German. This is a courtesy translation only. In case of doubt, the German version shall prevail

April 2024 / 4 of 4