Privacy Statement for the Participation Register for SRV’s Shareholders’ Meeting

1       Controller

SRV Group Plc, business ID 1707186-8

P.O. Box 555, Tarvonsalmenkatu 15

FI-02601 ESPOO, FINLAND

2      Contact person for matters related to the filing system

Satu Valkama

P.O. Box 555, Tarvonsalmenkatu 15

FI-02601 ESPOO, FINLAND

Tel. +358 40 500 3610

satu.valkama@srv.fi

3      Name of the filing system

SRV Group Plc’s registration and participation register

4      Purpose and basis of the processing of personal data

The processing of the participant register data for the shareholders’ meeting of SRV Group Plc (hereinafter “SRV”) is based on legislation (chapter 5, sections 6 and 7 of the Limited Liability Companies Act) and on SRV’s legitimate interest. The purpose of the processing of personal data is the organising of a shareholders’ meeting. In other words, personal data is processed for purposes related to participant registration, communication, the verification of identity and eligibility to participate and for the purpose of other meeting arrangements. In addition, the data is used in order to prepare the register of votes and to print out the voting ballots for the shareholders’ meeting, to organise any required voting and to fulfil other obligations and responsibilities as required by the Limited Liability Companies Act and SRV’s articles of association.

5      The information content of the filing system and categories of data subjects

The filing system includes the following types of personal data concerning the registered participants of the shareholders’ meeting (shareholders, their proxies and assistants):

  • Identifying information: name, personal identification number or business ID, the number of the applicable book-entry account, address, phone number, email address
  • The status of the participant (such as shareholder, proxy)
  • The number of shares and votes, voting information
  • Information related to registration and participation, for example, time and means of registration, the person who received the registration and any information on the participant’s requirements related to accessibility or other needs as necessary.

6      Information sources

Personal data is collected from the participants and SRV’s shareholder register, which may be maintained by Euroclear Finland Oy.

7       Disclosure and transfer of data and data transfers to countries outside the EU or EEA.

As a rule, SRV does not disclose to external parties any data included in the filing system.

SRV can use Euroclear Finland Oy, an external service provider, and the company’s registration system for shareholders’ meetings for the technical implementation and maintenance of the participant register and for the processing of personal data. In this case, personal data is transferred to the external service provider to the extent that is necessary in order to provide services. In order to ensure that data is protected, SRV concludes data processing agreements with its subcontractors who process personal data.

Personal data is processed outside the EU and EEA in India by the subcontractors (processors) of Euroclear Finland Oy: Capgemini India Private Ltd and Tata Consultancy Services. The processing is based on a contract between Euroclear Finland Oy and the above-listed processors. The contract takes into account the EU Commission’s standard clauses that comply with the General Data Protection Regulation.

8      Principles for securing the filing system and the retainage period

Only persons who are authorised to process data due to their work tasks have access to the system. Each user has a unique user ID and password for the system. Data is collected into databases that are protected with firewalls, passwords and other technical means. Databases and the related backups are located in locked premises and data can be accessed only by pre-defined persons.

The personal data entered in or attached to the minutes of the shareholders’ meeting is retained as required under the Limited Liability Companies Act as part of the minutes. Other data is erased when it is no longer needed for the preparation of minutes or for verifying the information included in the minutes.

9       Rights of data subjects

Data subjects have the right to check their own information stored in the filing system, and they have the right to demand that data is corrected or erased. Requests concerning the checking and correcting of data must be submitted in person or in writing to the address provided in section 2.

In accordance with the General Data Protection Regulation, data subjects have the right to object to the processing of their data, request that the processing of their data be restricted and lodge a complaint concerning the processing of personal data to the data protection ombudsman.