Processing of personal data - Shareholders

Which personal data will be processed?

Castellum compiles and processes the following data: names, addresses, telephone numbers, personal ID numbers, shareholdings (directly owned or nominee-registered), voting rights, food preferences, as well as any other personal data which you personally provide to us in your communication with us (your ‘personal data’).

Why do we process your personal data?

Castellum processes your personal data in order to be able to take the measures we are obliged to take within the scope of administration of the share register (e.g. to be able to present it and the information therein at the request of a shareholder). We may also process your personal data in order to send news about our business, such as interim reports and annual reports, if you have requested to receive such news. In addition, we may process your personal data in order to manage communication with you, and in related matters which you initiate as a shareholder or as a contact person for a shareholder company, which may require us to take additional measures in certain cases, depending on the nature of the matter. In certain cases where you are a major shareholder in Castellum, we will also process your personal data through publication of your name and shareholding in interim reports, in annual reports, on the website, etc.

We may also, in certain cases, wish to process your personal data by publishing photographs in interim reports, annual reports, on the website, etc. If we should wish to process your personal data for such purposes, you will receive specific information about the data processing it entails and be asked to consent specifically to our processing of your data for the purpose in question.

From where do we obtain personal data?

The personal data is compiled directly from you and from Euroclear Sweden AB (which administers our share register).

Who has access to your personal data?

We have taken appropriate technical and organisational security measures to protect your personal data against, for example, loss and unauthorised access. The number of individuals who have access to your personal data is limited. Only persons at Castellum who need to process the personal data in accordance with the purposes above have access to your personal data.

We may also share your data with our suppliers who perform services on our behalf. The personal data you provide to us may primarily be shared with the central securities depository Euroclear Sweden AB, with authorities, as well as with our IT providers for the purposes of supporting and maintaining our IT systems.

How long is your personal data stored?

According to law, data which is processed concerning your shareholding must be stored for ownership history for at least 10 years.

Data which is processed for administering communication with you and related issues which you have initiated as a shareholder or contact person for a shareholder company will be stored for such time as is relevant in relation to the communication and the matter concerned.

Data which is processed to send news to you will be stored for such time as you wish to continue to receive such news.

Data which is published in an annual report will be stored for at least 10 years.

What right does Castellum have to process your personal data?

The processing of your personal data for administering the share register is based on our statutory obligation to process your personal data for these purposes.

The processing of your personal data for sending you news about our business or invitations to events, any publication of information about you in an annual report or suchlike, and for administering matters which you personally initiate as a shareholder or contact person for a shareholder company takes place based on a balancing of interests. Castellum considers itself entitled to process your personal data since the processing is necessary for purposes which involve Castellum’s legitimate interests. If the matter which you personally initiate requires that we take additional measures, this may entail that we will perform additional personal data processing, which might possibly be based on a legal ground other than a balancing of interests.

In the event that we request information about your dietary preferences, which could include personal data concerning your health which falls under a specific personal data category, we base the data processing on consent. You always have the right to withdraw your consent by contacting us.

This is our reasoning

Castellum’s legitimate interest as regards the processing of contact data for sending you news or invitations to events is to keep you updated as to what is happening in our business and to maintain a continued good relationship with you as a shareholder. Castellum has weighed its legitimate interest against any encroachment on privacy that Castellum’s processing might entail. Castellum makes the assessment that the risk of encroachment on privacy is restricted since it is also in your interests to receive information about the company in which you personally, or the company for which you act as contact person, owns shares.

Castellum’s legitimate interest as regards the processing of personal data in those matters that you have personally initiated as a shareholder or contact person for a shareholder company is to facilitate communication with you and to assist you in those matters. Here too, Castellum has weighed its legitimate interests against any encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that the risk of encroachment on privacy is limited since the processing of personal data takes place due to the matter that you have personally initiated.

The personal data which is processed is also restricted to what is needed to perform the purposes for which the processing of personal data takes place. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.

What happens if you do not provide your personal data?

It is necessary that you provide the personal data stated above to enable Castellum to contact you and take measures as stated above. If the data stated above which is obtained from you is not provided, the aforementioned measures cannot be taken by Castellum.

Will third country transfer take place?

Castellum endeavours not to transfer data to countries or companies located outside the EU/EEA. If such data transfer should nevertheless be necessary, Castellum will take suitable safeguarding measures to optimally protect your personal data.

Your rights

When your personal data are processed, you have the below rights under the General Data Protection Regulation (GDPR). More information is available on the website of the Swedish Authority for Privacy Protection (IMY) www.imy.se/privatperson/dataskydd/dina-rattigheter/.

Right to be informed (register extracts)

You have a right to be informed by us of whether we are processing your personal data and, if so, to request access to this personal data in the form of a register extract. You also have the right to receive the following information:

1. the purpose of the processing,
2. the types of personal data processed,
3. who the personal data has been shared with, including third country transfers, and the protective measures taken,
4. data retention period,
5. your rights,
6. the source of the personal data, and
7. whether automated decision-making occurs.

If you ask to access personal data that we process about you, you will receive a copy of these data. If you request extra copies, you may be charged a fee for administrative costs. If you request your personal data electronically, we will normally provide the copy of the personal data in electronic format, unless otherwise requested.

Right to rectification

If any of the personal data we process about you are incorrect, you have a right to request that we rectify them without undue delay. Depending on the purpose of the processing, you also have a right to amend any incomplete personal data.

Right to erasure

You have a right to request that we erase your personal data without undue delay if:

1. the data are no longer necessary for the purposes for which they were collected,
2. you have withdrawn your consent, and your consent was the lawful basis for processing the data,
3. you object to the processing of data which relied on legitimate interests as the legal basis for processing, and there is no overriding legitimate interest to continue our processing,
4. you have objected to direct marketing,
5. the processing is unlawful, and
6. erasure is necessary in order to comply with legal obligations.

We have a right to refuse your request for erasure if processing is necessary in order to comply with a legal obligation or for the establishment, exercise or defence of legal claims.

If the data are erased at your request, we have an obligation to inform any parties whom we have shared the data with that you have requested to have your personal data erased. 

Right to restrict processing

You have a right to request to have your personal data processing restricted under certain circumstances.

The right to restrict processing applies if:

1. you contest the accuracy of your personal data (during the time that we are verifying the accuracy of the data),
2. the data have been unlawfully processed and you oppose erasure and request restriction instead,
3. we no longer need the personal data but you need the data in order to establish, exercise or defend a legal claim, or
4. you have objected to processing of data which relied on legitimate interests as the legal basis (during the time that we are investigating whether our legitimate grounds override your grounds for having the data erased).

If we have restricted processing of your data, we will notify you before restriction of the processing ceases.

Right to object

You have a right to object at any time to processing of your personal data on the basis of legitimate interests. If our grounds do not override your grounds, we are no longer allowed to process your data after you have objected.

If you object to direct marketing, we may no longer process your data for such purposes.

Right to data portability

If our processing of your data is automated and based on consent or on the performance of a contract, you have a right to receive the data in a structured, commonly used and machine readable format. You also have a right to transmit the data to another data controller.

If it is possible, you also have a right to request that we transmit your data directly to another data controller.

Contact details

You have a right to lodge a complaint to the Swedish Authority for Privacy Protection if you think that we are processing your personal data in violation of the GDPR. The contact details of the Swedish Authority for Privacy Protection are available at www.imy.se.

Castellum AB is the data controller for processing of your personal data. If you have any questions about how your personal data are processed, do not hesitate to contact Castellum’s data protection officer at dso.castellum@insatt.com.

Contact details for Castellum:

Castellum AB, co. reg. no. 556475-5550, postal address Box 2269, 403 14 Gothenburg, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se