Privacy Notice for Mandatum plc’s shareholders

1. General 

In this Privacy Notice for Mandatum plc’s shareholders, we describe the information required by the EU’s General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and other applicable data protection legislation concerning the processing of personal data carried out by the company.  

We explain, among other things, the personal data that Mandatum plc (hereinafter also “Mandatum”) processes about its shareholders, the sources of the data, the purposes for which shareholders’ personal data may be processed and to whom we may distribute this data. We update this Privacy Notice from time to time as needed, because we continuously develop our operations and as a result there may also be changes in our processing of personal data.

If you have more specific questions or requests related to this Privacy Notice, the processing of your personal data or your rights as a data subject, you may contact us via the channels mentioned below. 

2. The controller and contact details of the controller 

Mandatum plc
Business ID: 3355142-3 

Street address: Bulevardi 56, FI-00120 Helsinki
Postal address: P.O. Box 627, FI-00101 Helsinki, Finland  

Customer service: 
0200 31100 (lnc/mnc) Mon-Fri 9am–5pm 

3. Contact details of the Data Protection Officer 

Mandatum Group’s Data Protection Officer 

Email: dpo@mandatum.fi  
Postal address: Mandatum, Data Protection Officer, P.O. Box 627, FI-00101 Helsinki. 

4. What personal data do we process? 

The personal data that we collect and otherwise process can be categorised into the following personal data groups. Examples of personal data are given for these groups. The lists are not exhaustive. 

  • Basic information about the shareholders, such as their name, personal identity code, date of birth or other identifying information, contact details, language and citizenship.
  • Information related to shareholdings, such as the number of shares and votes, and the related rights.
  • Information about significant shareholdings, i.e. notification of major shareholdings.
  • Information about a shareholder’s guardianship.
  • Information about participation in the general meetings of shareholders and our other similar events intended for shareholders and investors.
  • Information about proxy representatives and assistants that represent and help shareholders in the general meetings and other investor events, as well as the grounds for representation and the proxy document.
  • Other information essential to the organisation of the general meetings, such as identification method, registration date, advance questions, voting information and information about when a person participating in the meeting arrives and leaves.
  • General meeting registers, such as other information according to the Limited Liability Companies Act that is included in the shareholder register on the record date and the temporary shareholder register, for example, information about nominee-registered shareholders registered for the general meeting and the number of their shares.
  • Information about the exercising of a shareholder’s rights.
  • IP address, identification method and log data on general meeting registration and voting required for maintaining and monitoring the technical general meeting service.
  • Other additional information that a shareholder may disclose when registering for a general meeting or other investor event.
  • Information about marketing-related consent and refusal.
     

5. Sources of personal data 

We may collect your personal data directly from you, from your representative or from the organisation you represent and/or from other data sources, such as the shareholder register maintained by Euroclear Finland Oy and the shareholder database. We may also collect data to the extent permitted by law and if necessary with your consent, e.g. from account operators and public registers. 

Information on the general meeting list to be collected in connection with the organisation of general meetings is collected primarily from the shareholder themself, when the person registers for the general meeting and in this context provides the information requested when registering. If a shareholder registers an assistant or grants authorisation to another person to act as their proxy at a general meeting, the shareholder must also provide the required personal data about that person. On the basis of the personal data provided in connection with registration, the number of a shareholder’s shares is retrieved from Euroclear Finland Oy’s shareholder register on the record date for the shareholders’ meeting. Voting instructions of the nominee-registered shareholders represented by account operators at the general meeting are also entered in the information related to the general meeting. 

6. Purposes of and legal basis for processing personal data 

Our statutory obligations 

Our processing of the personal data of shareholders and the parties representing or assisting them is primarily based on compliance with the obligations and requirements laid down for us in legislation, for instance in the Limited Liability Companies Act (624/2006) and the Securities Markets Act (746/2012). In order to comply with these legal obligations, we may process personal data for, e.g. the following purposes: 

  • Identifying shareholders
  • Maintaining a shareholder register in keeping with the obligations laid down in the Limited Liability Companies Act
  • Organising and administering general meetings, including maintaining lists of general meetings (e.g. shareholder register on the record date, lists of shareholders registered and participating in a meeting and of their assistants and representatives)
  • Other communication with shareholders
  • Paying dividends and returns of capital
  • Preparing and publishing stock exchange releases
  • Publishing information about major holdings and the largest shareholders on Mandatum’s website
  • Fulfilling obligations related to other publicly listed companies 

In principle, your personal data that is collected in connection with the organisation of a general meeting will only be processed for purposes necessary to organise the general meeting, for example, for verifying the identity of the registrant and their right to participate, for preparing the meeting’s list of participants, register of votes and possible ballots, for organising voting, and for managing possible questions and requests to speak. 

Other legal grounds 

In addition to our statutory obligations, we may also process your personal data by virtue of the legitimate interest of Mandatum plc or a third party, such as other Mandatum Group companies, or with your explicit consent.  

Mandatum has a legitimate interest in processing personal data in order to offer and market, including direct marketing, the services of our Group companies. We may market our products and services without separately asking for consent, to the extent permitted by legislation, by phone, mail and electronically. You can object to marketing and other communication based on a legitimate interest either immediately when you receive the marketing in the case of electronic or telephone marketing, or separately by contacting our customer service.

On the basis of a legitimate interest, we can process personal data for, among other things, developing our business and systems; for quality control and risk management; for defending ourselves against complaints, legal cases and other legal claims; and to prepare, present or defend a legal claim. We record phone calls and electronic communication for documentation, quality monitoring and development purposes, among other reasons. Video footage from the surveillance cameras inside and outside our premises may be recorded to ensure the safety of the people visiting our offices and our premises. 

In certain situations, we will also ask for your consent to process your personal data. These situations may be, for example, consent to direct electronic marketing if such is required by law. We will provide you with more information about the intended processing of your personal data when we request your consent to the processing in question. If you have given your consent to the processing of your personal data, you also have the right to withdraw your consent at any time, e.g. when you receive a marketing message or by contacting our customer service. Please note that, as described above, in certain situations we can also target direct marketing at you based on our legitimate interest without your separate consent, in which case, however, you also have the right to object to the processing of your data for this purpose.   

7. Automated decision-making and profiling 

Profiling means automated processing of personal data, involving, for example, the assessment or anticipation of a person’s areas of interest or behaviour. We use profiling to target direct marketing in an effort to offer our products and services that are most suited and relevant to you. In order to target direct marketing, we may use data we receive from you, public registers and other sources as described in Section 5 of this Privacy Notice. You have the right to object to targeting and the marketing based thereon either immediately when you receive the marketing in the case of electronic or telephone marketing, or separately by contacting our customer service.  

The profiling carried out in connection with marketing or the other processing of Mandatum plc’s shareholders’ personal data does not include automated decision-making, i.e. decision-making based solely on automated personal data processing, that has significant legal effects or other similar significant impacts. 

8. Recipients and transfer of personal data 

Disclosure and publication of personal data 

Mandatum plc may disclose personal data to third parties as permitted or required by legislation. Before disclosing data, we always make sure that there is a legal basis for the disclosure, and that the disclosure takes place in compliance with the applicable regulatory obligations.  

On the basis of the personal data collected in connection with general meetings, we compile summaries of the meeting’s register of votes and the voting, which are appended to the minutes of the general meeting. The register of votes includes the name of the shareholder and name of a possible representative and/or assistant, ballot number (participant number), number of shares by type of share, voting rights, basis for representation and method of participation. According to the Limited Liability Companies Act, Mandatum plc is obliged to keep the minutes of the general meeting, including appendices, available to all shareholders and to also deliver a copy of it to shareholders who request it. 

Under the Limited Liability Companies Act, the shareholder register must also be kept available at the general meeting; the register includes the name, municipality of residence and number of shares and voting rights on the meeting’s record date. The register also temporarily includes information on nominee-registered shareholders registered on the shareholder register for the general meeting. 

If necessary, personal data processed for the purpose of organising the general meeting can be distributed to third parties who participate in organising the general meeting and require the data for that purpose. Personal data processed in connection with the general meeting is not, however, disclosed for commercial purposes unless the data subject gives their explicit permission thereto. 

Mandatum plc also has a legal obligation to publish and make available information about major shareholdings and our largest shareholders on our company’s website. The information to be published is the name of the shareholder, the number of shares, the percentage of all shares, and information on the change in share ownership over a period of one month for our one hundred (100) largest shareholders. We also publish information related to, for instance, notifications of major shareholdings received by Mandatum, and other company events that must be published by law or otherwise. 

In addition, data concerning shareholders may be separately disclosed, for instance, to authorities, such as supervisory and tax authorities, as well as within our Group, to other companies belonging to Mandatum Group.  

Processors and data transfers outside the EEA 

In our operations, we also use subcontractors, who may process personal data on behalf of Mandatum to the extent necessary to produce the service offered by the subcontractor. Such subcontractors are, for instance, our co-operation partners, which we use e.g. to organise general meetings and other events aimed at our shareholders, as well as to produce our IT services. 

In that context, personal data can also be transferred outside the European Union or the European Economic Area, provided that the conditions laid down in data protection legislation are met. We base the transfer of personal data on the transfer mechanisms permitted by legislation, such as the European Commission’s determination of whether a recipient country offers an adequate level of data protection (see the latest list of adequacy decisions on the EC’s website) or the European Commission’s standard contractual clauses (see the standard contractual clauses on the EC’s website). We also supplement these as necessary with various additional safeguards, which help appropriately guarantee an adequate level of data protection. 

9. Retention periods for personal data 

We store your data for as long as necessary in order to comply with our statutory obligations or for as long as the data is otherwise necessary in relation to the purposes for which the data was collected or otherwise processed. We erase or anonymise the data when their retention period expires. Data retention periods may vary depending on the purpose of the processing, the nature of the personal data and the requirements applicable to their processing. 

Below are examples of the retention periods of various personal data that is processed in accordance with this Privacy Notice. 

  • Basic information about shareholders and information related to holdings are stored permanently.
  • The minutes of the general meeting and the register of votes appended thereto, which include the names of the participating shareholders, the names of possible proxy representatives and assistants, the number of shares and voting rights, as well as the ballot numbers, are stored permanently. 
  • Information related to the technical implementation of the registration system for the general meeting, possible advance voting and/or voting during the meeting, and hall bookkeeping will be stored for a maximum of two (2) years after the end of the general meeting.
  • Other personal data collected in connection with the organisation of the general meeting will be destroyed when it is no longer necessary for drawing up the minutes of the general meeting or to verify their accuracy.
     

10. Protection and security of personal data 

We use technical and administrative information security means that are necessary, appropriate and in line with the best practices to protect personal data and other information. Such means include, for instance, the use of firewalls, strong encryption technologies and secure IT hardware areas, access control, storage of physical materials in locked rooms, restricted granting of user rights, providing instructions and training to personnel participating in personal data processing and careful selection of subcontractors. In addition to applicable legislation, the subcontractors commit to comply with Mandatum’s data protection principles and guidelines. 

The processing of personal data is only allowed for work-related reasons. The user rights for accessing systems that contain personal data are personal, and the use of the rights is monitored. Mandatum’s employees who process personal data are bound by a separate non-disclosure agreement in addition to the statutory non-disclosure obligation. Personal data that is no longer needed is erased in a secure manner.

Despite careful protection and appropriate information security, data processing always involves a risk. If, in spite of our measures, a personal data breach occurs that is likely to result in a high risk to your privacy or your other rights, we will contact you as soon as possible. 

11. Your rights 

You have the right to receive confirmation from Mandatum as to whether we process your personal data. If your personal data is processed, you have the right to receive a copy of the data and to inspect the data. If you make the request electronically, we will provide you the data in a commonly used electronic format unless you request otherwise. Legislation, the rights and freedoms of other individuals and other special grounds may limit your right to access some of the data that pertains to you. 

If you consider your personal data that we process to be incorrect or inaccurate, you have the right to request that Mandatum rectify such personal data and to have incomplete personal data completed.

You also have the right to request Mandatum to erase your personal data and, insofar as the processing of your personal data is based on consent, to withdraw your consent. If you request the erasure of your data, we will erase the data from our systems unless there is another legal basis for the processing of the data or unless we have a statutory obligation to retain the data. Please note, however, that Mandatum’s operations entail numerous statutory obligations to store data, and Mandatum may be under obligation to continue to process your personal data even if you request the erasure of the data. In any case, we will erase your data once the retention period as specified by us or provided for by law has elapsed. 

Where the conditions set in legislation are met, you have the right to request that we restrict the processing of your personal data. You also have the right to object to the processing of your personal data for direct marketing and otherwise insofar as the processing is based on the fulfilment of Mandatum’s or a third party’s legitimate interests.

Insofar as the processing of your personal data is based on consent or a contract, you have the right to receive the personal data you have provided us in a structured and commonly used format and the right to have the data transferred to another data controller. 

You can exercise your rights described above by contacting our customer service in an online message through Mandatum’s Web Service, by calling +358 200 31100 (lnc/mnc) Mon-Fri 9am–5pm, by mailing Mandatum, Asiakaspalvelu, PL 627, 00101 Helsinki, or by visiting our office nearest you. You can find the contact details and opening hours of our offices on our website. 

Right to lodge a complaint with a supervisory authority 

In matters related to the processing and protection of your personal data, and if you have any questions, please first contact Mandatum’s customer service as described above, or Mandatum Group’s Data Protection Officer, whose contact details are included above in Section 3 of this Privacy Notice. 

If you are dissatisfied with a response you received from us, or if you believe our processing of your personal data does not comply with data protection legislation, you can contact the competent supervisory authority, i.e. the Office of the Data Protection Ombudsman. 

 

Updated 16.9.2024