1 DATA CONTROLLER AND CONTACT DETAILS
Nightingale Health Plc (”Nightingale”)
Business ID: 1750524-0
Address: Mannerheimintie 164a, 00300 Helsinki, Finland
Phone: +358 20 730 1810
Email of the Data Protection Officer: firstname.lastname@example.org
2 PURPOSE AND LEGAL BASIS FOR PROCESSING OF PERSONAL DATA
The purpose of processing of personal data is to enable the shareholders of Nightingale to register for and participate in the Annual General Meeting of shareholders to be held on 16 November 2023.
The personal data is used only for the purposes necessary to organize the General Meeting, such as verifying of the shareholders’ identity and his/her right to attend the General Meeting, preparing a list of participants and votes, as well as for organizing any polling.
The legal basis for the processing of personal data is, in particular, the compliance with the legal obligations to which Nightingale is subject, based on the Finnish Limited Liability Companies Act (624/2006) and other legislation. Personal data may also be processed on the basis of a legitimate interest of Nightingale or a third party, in which case the legitimate interest is, in particular, justified purposes related to the business of Nightingale, such as administrative activities, ensuring of physical security, protection of property, investigation of misuse, as well as potential merger and acquisition activities.
3 PROCESSED PERSONAL DATA
The processed personal data may include the shareholder’s and his/her representative’s and/or assistant’s (if any) name, date of birth/personal identity number and/or business ID, address, telephone number, email address, number of shares and votes and voting information. Also, the basis of representation of the possible proxy representative and possible proxy attachments are collected through the registration service. Furthermore, votes registered by the participant are collected through the service. For the technical maintenance and monitoring of the service, the authentication method and user’s IP address are also collected. When participating in the General Meeting, time of arrival and departure of each participant as well as log information about the participation and voting of the participants in the General Meeting are recorded.
4 REGULAR SOURCES OF DATA
Personal data is mainly collected from the shareholder himself/herself or from his/her representative in connection with the registration to the Annual General Meeting. The data provided in connection with the registration is compared with the shareholder register of Nightingale maintained by Euroclear Finland Ltd from which the ownership information is extracted.
5 DISCLOSURES AND TRANSFERS OF PERSONAL DATA
A list of participants and votes will be prepared to be attached to the minutes of the Annual General Meeting, consisting of the following personal data of the persons participating in the General Meeting through advance voting or in real time: name of the participating shareholder and his/her potential proxy, advisor or other representative, the number of shares and votes and the participant number.
In accordance with the Finnish Limited Liability Companies Act (624/2006), the following information of each shareholder from the shareholder register on the record date, including the holders of nominee-registered shares temporarily registered into the shareholder register, shall be kept available at the General Meeting: name, municipality of residence, the number of shares broken down by share class and any other differences in the rights and obligations carried by the shares.
Nightingale may disclose personal data to competent authorities when required to do so under the applicable laws, to prepare for legal proceedings or to defend a claim within the limits permitted or required by the applicable laws from time to time. If Nightingale reorganizes its business, personal data may be disclosed to the purchaser candidates and their representatives in accordance with the applicable law from time to time.
Personal data may be transferred to countries outside the EU or the European Economic Area (EEA). In such cases, Nightingale will ensure the adequate level of data protection. Information on transfers of personal data outside the EU or EEA area and on the appropriate safeguards applied thereto is available from the contact details mentioned in Section 1 above.
6 DATA PROTECTION
Nightingale’s internal organization is structured to meet the requirements of Nightingale’s Quality Management System certified according to EN ISO 13485, Information Security Management System certified according to ISO/EIC 27001 and the applicable data protection laws. Nightingale applies the appropriate physical, technical, and administrative safeguards to protect data from misuse. These safeguards include, among others, control and filtering of network traffic, use of encryption techniques and safe data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to the personnel participating in the personal data processing, and risk management related to the planning, implementation, and maintenance of Nightingale’s services. Personal data is processed only by those persons, who need the personal data to perform their job duties.
To ensure the implementation of data protection, Nightingale concludes data processing agreements with its subcontractors who are processing personal data on Nightingale’s behalf.
7 STORAGE TIME OF PERSONAL DATA
Personal data entered into or attached to the minutes of the Annual General Meeting will be retained for an indefinite period of time as defined in the Finnish Limited Liability Companies Act (624/2006) and the Corporate Governance Code for listed companies. Other personal data will be destroyed in a secure manner after they are no longer necessary for the preparation of the minutes or the verification of its validity.
8 RIGHTS OF THE DATA SUBJECT
The data subject may use the rights related to the processing of his/her personal data specified below with regard to Nightingale. The exercise of the rights is a personal right of the data subject and it requires identification.
- Right of access: The data subject has the right to obtain a confirmation from Nightingale on whether Nightingale processes personal data concerning the data subject, as well as the right to access such data. Nightingale may request the data subject to specify his/her request, amongst others, with regard to the details of the data to be delivered.
- Right to rectification: The data subject has the right to obtain from Nightingale the rectification of inaccurate personal data concerning him/her processed by Nightingale, and to have incomplete personal data processed by Nightingale to be completed.
- Right to be forgotten: The data subject has the right to obtain from Nightingale the erasure of personal data related to him/her. Nightingale has the obligation to erase such data in case there is no longer a legal ground for the processing of such data and the legal obligation binding Nightingale related to the storing of the personal data has terminated.
- Right to restriction of processing: In certain cases prescribed by law, the data subject has the right to obtain from Nightingale restriction of processing of his/her personal data.
- Right to object to processing of personal data: In certain cases, the data subject may have the right to object to processing of his/her personal data. The right to object is applicable particularly in such situations where the processing of personal data is based on the controller’s legitimate interest. In such situations, Nightingale has to comply with the data subject’s request, unless Nightingale demonstrates compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The written requests to exercise the rights shall be submitted by email or letter to the addresses mentioned in Section 1 above.