ROBIT PLC PRIVACY NOTICE SHAREHOLDERS

ROBIT PLC PRIVACY NOTICE

SHAREHOLDERS

Last Updated 1 June 2021

1. Introduction

This Privacy Notice describes how Robit Plc (hereinafter ”Robit”) processes personal data of the shareholders, including other holders of rights, of Robit. Robit acts as a controller to such personal data.

As a controller, we are responsible for the personal data of the shareholders, and for the processing of such personal data. Protecting your privacy and your personal data is of utmost importance to Robit. We are committed to complying with the requirements of data protection regulation applicable to us in the processing of your personal data. The means and purposes of processing the personal data of the shareholders are described in more detail in this Privacy Notice.

2. Data controller and contact person

Data Controller

Robit Oyj
(Business ID: 0825627-0)
Viikkiniityntie 9
33880 Lempäälä
Tel.: +358 3 3140 3400

Contact Person

Violetta Silver
c/o Robit Plc
Tel.: +358 45 202 0252
Email: violetta.silver@robitgroup.com

3. Legal bases for processing shareholders’ personal data

The EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies to all processing of personal data as a general law. Processing of personal data must always be based on a legal basis set forth in the GDPR.

Processing of shareholders’ personal data is based on the following grounds:

• Robit’s legal obligation
• Data subject’s consent under applicable legislation
• Legitimate interest of Robit

A legitimate interest may be, for instance, Robit’s group-wide information sharing, marketing and administrative activities, prevention of fraud or misuse of IT systems or money laundering, physical as well as IT and network security, as well as potential merger and acquisition activities. The provision of personal data of the shareholder as described in this Privacy Notice is necessary in order for Robit to comply with legal obligations to which Robit is subject.

4. Categories of personal data processed by Robit and purposes of processing

Robit processes the following shareholders’ personal data for the purposes of complying with legal requirements based in particular on the Limited Liability Companies Act (624/2006), for organizing General Meetings as well as collecting meeting participation information.

Shareholders’ personal data processed by Robit:

• identifying information, such as name of the shareholder, guardian or other holders of rights, personal identification number or other identifier, nationality and date of birth
• contact details
• payment and taxation related information
• information related to the shares owned by the shareholder, such number of shares per class of shares and the number and type of dispositions related to the shares
• information related to the shareholder’s participation to the general meetings
• information related to the communications between Robit and the shareholder

Furthermore, Robit may process change data of the above mentioned personal data.

Robit has camera surveillance on its premises. In addition to the foregoing personal data, Robit processes data relating to camera surveillance and other electronic surveillance recordings recorded when the data subject is visiting Robit’ premises.

5. Regular sources of personal data

Robit collects data concerning shareholders from the shareholder him/herself or from other permitted sources, such as from the book-entry register maintained by Euroclear Finland Oy or public sources in accordance with the applicable legislation.

6. Transfer and disclosure of personal data

Robit may transfer shareholders’ personal data to third parties in the following manner in order to fulfil the purposes of processing described in this Privacy Notice. When personal data are transferred to an entity which processes personal data on behalf of Robit (i.e. data processor) Robit has through contractual arrangements ensured that personal data is processed only in accordance with Robit’s written instructions and merely for the purposes described in this Privacy Notice and that access to personal data is allowed only for persons who need access to data based on their tasks. Data processors’ tasks relate, for instance, to provision of data systems and software as well as offering other data processing services.

Some of the data processors used by Robit are located outside the EU or EEA area. Robit has contractually ensured that these entities undertake to apply an appropriate level of data protection in their processing practices, and thus the data transfers are subject to appropriate safeguards. More information on cross border transfers of personal data and on the appropriate safeguards applied thereto from time to time is available from the contact person mentioned under Section 2 of this Privacy Notice.

Robit discloses personal data with the entities belonging to the same group of companies with Robit for a number of different purposes (such as centralized group functions, including without limitation intra-group communication, coordination and reporting). Such an exchange of information involves intra-group transfers of personal data between Robit group entities located in different parts of the world.

Unless otherwise required for personal safety reasons of the shareholder, the following personal data of the shareholder can be viewed on the public access terminal located at Euroclear Finland’s customer service data terminal:

• name and address or home municipality of the shareholder
• date of birth
• nationality
• details of ownership
• number of waiting lists and reason for being on a waiting list
• information on any joint owners

In addition, Robit regularly discloses personal data of the shareholders with Euroclear Finland Oy, for purposes of maintaining the book-entry system. Robit may also disclose personal data to competent authorities when required to do so under applicable laws, to prepare for legal proceedings or to defend a claim within the limits permitted or required by applicable legislation from time to time.

In case of the sale of Robit’s business, or a part of it, or in case Robit conducts other organizational changes to its business, Robit may disclose personal data to the buyers and their advisors in accordance with the then current legislation.

7. Data retention period

Robit or such data processor that processes personal data on behalf of Robit retains personal data in accordance with applicable legislation for at least as long as the shareholder owns Robit’s shares. When Robit no longer needs the data for the purposes described in this Privacy Notice, the data are deleted from Robit’s and/or processors’ data systems and other data files and irrevocably anonymized. Some of the personal data of shareholders, such as personal data included in general meeting minutes, may be retained indefinitely.

Where personal data are collected on the basis of an obligation based on applicable law, the retention time of personal data may also be subject to explicit statutory requirement.

8. Rights of the data subject

The data subject may use the following rights with regard to Robit to the extent Robit acts as the controller to the personal data of the data subject in question. The extent of the data subject rights is subject to the legal basis for processing and exercising your rights requires identification.

• Right of access: The data subject has the right to obtain a confirmation from the controller on whether the controller processes personal data concerning the data subject and the right to access such data. The data controller may ask the data subject to specify his/her access request, amongst others, with regard to the details of the data to be delivered.
• Right to rectification: The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning him/her processed by the controller, or to have incomplete personal data processed by the controller to be completed.
• Right to be forgotten: The data subject has the right to obtain from controller the erasure of personal data related to him/her and the controller has the obligation to erase such data in case there is no longer a legal ground for the processing of such data or, where the legal or contractual obligation binding the controller related to the storing of the personal data has ended or, where the data subject has withdrawn his/her consent to the processing of his/her personal data.
• Restriction of processing: In certain cases, where so prescribed by law, the data subject may have the right to obtain from the controller restriction of processing of his/her personal data.
• Right to data portability: The data subject may, subject to certain conditions prescribed by law, have the right to receive the personal data concerning him/her processed by the controller in a commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the original controller.
• Right to object to processing of his/her personal data: In certain cases, the data subject may have the right to object to processing of personal data concerning him or her. The right to object is applicable in such situations in particular where the processing of personal data is based on the controller’s legitimate interest. In such situations the controller has to follow the data subject’s request, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
• To the extent the processing of personal data has been based on the data subject’s unambiguous consent, the data subject has, at any time, the right to withdraw his/her consent regarding the processing.

The requests shall be directed to the contact person mentioned in section 2 of this Privacy Notice.

In addition, the data subject has the right to lodge a complaint with the supervisory authority on the processing of the personal data by the controller. The complaint shall be made to the competent supervisory authority, in Finland to the Data Protection Ombudsman, in accordance with its instructions. The web-site of the Data Protection Ombudsman can be found here.

9. Changes to this Privacy Notice

Robit may, from time to time, change this Privacy Notice. You can tell when changes have been made to the Privacy Notice by referring to the “Last Updated” legend at the top of this webpage. Robit encourages you to review this Privacy Notice regularly for any changes. If Robit will materially change the ways in which Robit processes the personal data of Robit’s customers’ representatives and contact persons, Robit will post a notice on this webpage or send an e-mail to the data subjects.