1	Item 7.B of Form 20-F requires, among other things, that the Company provides in its annual report on Form 20-F information on certain transactions between the Company and certain parties defined in Item 7.B as “related parties”. Instruction 3 to Item 7.B provides that the recipient of a foreign bank loan does not need to be identified if such disclosure would conflict with privacy laws such as customer confidentiality and data protection laws of the Company’s home jurisdiction.
2	The Company is a stock corporation (Aktiengesellschaft) organized and existing under the laws of Germany. It is licensed as a credit institution (Kreditinstitut) under the German Banking Act (Kreditwesengesetz – KWG). Therefore, Germany is the home jurisdiction of the Company.
3	Under the laws of Germany, a bank – such as the Company – has the duty to maintain confidentiality about any customer-related facts and evaluations known to it. Such duty relates to the business relationship of the bank with its customer in its entirety, including any contract, transaction, negotiation, instruction, declaration or other act or thing made, given or performed thereunder, and survives the termination of such business relationship. Whilst such duty, which is commonly referred to as “banking confidentiality”, is not a codified obligation, it is an ancillary duty of the bank under the banking contract with its customer. Also a number of laws presuppose the duty of German banks to maintain the banking confidentiality such as Section 9 (1) KWG, Article 70 (2) of Regulation (EU) No. 1093/2010 or Sections 383 (1) no. 6 and 384 no. 3 of the German Code of Civil Procedure (Zivilprozessordnung – ZPO). Moreover, Article 2 (1) of the German Constitution (Grundgesetz – GG) protects the right of personality (Persönlichkeitsrecht) which includes the protection of privacy and the right to agree, expressly or impliedly, on confidentiality or secrecy duties. Thus, the so-created privacy of a bank customer is ultimately protected by constitutional law.
	Finally, Article 432 (2) sub-paragraph 3 of Regulation (EU) No. 575/2013 allows credit institutions to not disclose risk related information to the public where it is bound by a duty of confidentiality.
4	Limitations on the banking confidentiality must be based either on a waiver of the relevant bank customer or on an act of German legislation. Examples for such limitations of the banking confidentiality are the statutory audit of the Company’s financial statements (Sections 316 and 317 of the German Commercial Code (Handelsgesetzbuch – HGB), Section 27 KWG), the reporting to the competent bank regulatory authorities (e.g., Sections 13a, 13b, 14 and 44 KWG; Article 394 of Regulation (EU) No. 575/2013; Article 10 of Regulation (EU) No. 1024/2013; Section 43 of the German Anti-Money Laundering Act (Geldwäschegesetz – GWG)), the competent tax authorities (e.g., Section 93 AO; Section 45d of the German Income Tax Act (Einkommensteuergesetz – EStG); Section 33 of the German Inheritance Tax Act (Erbschaftsteuergesetz – ErbStG)) or criminal investigations (Sections 94 (2), 95, 98 and 161a of the German Code of Criminal Procedure (Strafprozessordnung – StPO)). In each case, the recipient of the information is required to keep the information confidential (e.g., Sections 43 (1) and 50 of the Code of Professional Conduct of Auditors (Wirtschaftsprüferordnung – WPO); Section 9 KWG; Section 32 of the Act on the Deutsche Bundesbank (Bundesbank-Gesetz – BBankG); Article 70 (2) of Regulation (EU) No. 1093/2010; Article 27 (1) of Regulation (EU) No. 1024/2013; Section 54 GwG; Section 30 AO). Identification of a bank customer in a public document would not be permitted or supported by any of the statutory limitations of the banking confidentiality. We also note that that the customer referred to in Item 7.B of the Company’s annual report on Form 20-F has not waived application of the aforementioned privacy laws.
5	Regulation (EU) No. 2016/679 (General Data Protection Regulation – GDPR) imposes specific duties on the collection, processing and use of data which directly relate to private individuals or their circumstances or (if collected from a corporation) which allow inference on private individuals or their circumstances. The fact that someone is a customer of a bank or that someone has a loan outstanding is information that is protected under the GDPR. Pursuant to Article 6 (1) GDPR the Company may collect data about its customers only for a previously specified purpose such as performing or preparing a contract with the customer or to comply with a legal obligation under European Union or German law to which the Company is subject (Article 6 (3) GDPR). Data so collected may be processed and used only for such purpose. If data is forwarded to a third party, such third party may process and use them only in compliance with the requirements of the GDPR and instructions of the Company (Article 28 GDPR). Public disclosure of data that is protected under the GDPR is not permitted. A violation of these provisions is an administrative offense and subject to fines (Section 43 of the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG)). In certain cases it is even a criminal offense punishable by pecuniary penalty or imprisonment (Section 42 BDSG).
6	Based on and subject to the foregoing, we are of the opinion that identification of the customer referred to in Item 7.B of the Company’s annual report on Form 20-F would conflict with privacy laws such as customer confidentiality and data protection laws of Germany.

/s/ F. Drinhausen	/s/ M. Otto
Prof. Dr. Florian Drinhausen	Dr. Mathias Otto
Group General Counsel	General Counsel of Infrastructure and Regulatory Advice