1 DATA CONTROLLER AND CONTACT DETAILS

Nightingale Health Plc (”Nightingale”)
Business ID: 1750524-0

Address: Mannerheimintie 164a, 00300 Helsinki, Finland

Phone: +358 20 730 1810
Email of the Data Protection Officer: privacy@nightingalehealth.com

2 PURPOSE AND LEGAL BASIS FOR PROCESSING OF PERSONAL DATA

The purpose of processing of personal data is to enable the shareholders of Nightingale to register for and participate in the Annual General Meeting of shareholders to be held on 28 October 2021.

The personal data is used only for the purposes necessary to organize the Annual General Meeting, such as verifying of the shareholders’ identity and his/her right to attend the Annual General Meeting, preparing a list of participants, a list of votes and ballots, as well as for organizing any polling.

A list of participants will be prepared to be attached to the minutes of the Annual General Meeting, consisting of the following personal data: name of the shareholder present in the Annual General Meeting and his/her proxy, advisor or other representative, and the number of shares and votes.

The legal basis for the processing of personal data is, in particular, the compliance with the legal obligations to which Nightingale is subject, based on the Finnish Limited Liability Companies Act (624/2006) and other legislation. Personal data may also be processed on the basis of a legitimate interest of Nightingale or a third party, in which case the legitimate interest is, in particular, justified purposes related to the business of Nightingale, such as administrative activities, ensuring of physical security, protection of property, investigation of misuse, as well as potential merger and acquisition activities.

The provision of personal data as specified in this Privacy Policy is necessary in order for Nightingale to fulfil its legal obligations. Should the data subject not provide his/her personal data to Nightingale as described in this Privacy Policy, the sending and handling of the shareholder’s registration is not possible, which means that the data subject cannot participate in the Annual General Meeting.

3 PROCESSED PERSONAL DATA

The processed personal data may include the shareholder’s and his/her representative’s (if any) name, personal identity number and/or business ID, address, telephone number, email address, number of shares and votes and voting information. Also, the basis of representation of the possible proxy representative and possible proxy attachments are collected through the registration service. Furthermore, votes registered by and possible questions, in advance, from the participant are collected through the service. For the technical maintenance and monitoring of the service, the authentication method and user’s IP address are also collected.

4 REGULAR SOURCES OF DATA

Personal data is mainly collected from the shareholder himself/herself or from his/her representative in connection with the registration to the Annual General Meeting. Nightingale compares the provided personal data with the shareholder register of Nightingale maintained by Euroclear Finland Ltd on the basis of the provided personal data of the shareholder and extracts the ownership information from the shareholder register.

5 DISCLOSURES AND TRANSFERS OF PERSONAL DATA

Nightingale may disclose personal data to competent authorities when required to do so under the applicable laws, to prepare for legal proceedings or to defend a claim within the limits permitted or required by the applicable laws from time to time. If Nightingale reorganizes its business, personal data may be disclosed to the purchaser candidates and their representatives in accordance with the applicable law from time to time.

Nightingale may use service providers in the processing of personal data described in this Privacy Policy and may transfer personal data to such service providers to the extent necessary in order for them to provide the services agreed to Nightingale. Innovatics Ltd is in charge of the technical implementation of the registration system and voting at the Annual General Meeting.

Personal data may be transferred to countries outside the EU or the European Economic Area (EEA). In such cases, Nightingale will ensure the adequate level of data protection. Information on transfers of personal data outside the EU or EEA area and on the appropriate safeguards applied thereto is available from the contact details mentioned in Section 1 above.

6 DATA PROTECTION

Nightingale’s internal organization is structured to meet the requirements of Nightingale’s Quality Management System certified according to EN ISO 13485, Information Security Management System certified according to ISO/EIC 27001:2013 and the applicable data protection laws. Nightingale applies the appropriate physical, technical, and administrative safeguards to protect data from misuse. These safeguards include, among others, control and filtering of network traffic, use of encryption techniques and safe data centers, appropriate access control, controlled granting of access rights and supervision of their use, giving instructions to the personnel participating in the personal data processing, and risk management related to the planning, implementation, and maintenance of Nightingale’s services. Personal data is processed only by those persons, who need the personal data to perform their job duties.

To ensure the implementation of data protection, Nightingale concludes data processing agreements with its subcontractors who are processing personal data on Nightingale’s behalf.

7 STORAGE TIME OF PERSONAL DATA

Personal data entered into or attached to the minutes of the Annual General Meeting will be retained as defined in the Finnish Limited Liability Companies Act (624/2006) for an indefinite period of time. Other personal data will be destroyed in a secure manner after they are no longer necessary for the preparation of the minutes or the verification of its validity.

8 RIGHTS OF THE DATA SUBJECT

The data subject may use the rights related to the processing of his/her personal data specified below with regard to Nightingale. The exercise of the rights is a personal right of the data subject and it requires identification.

  • Right of access: The data subject has the right to obtain a confirmation from Nightingale on whether Nightingale processes personal data concerning the data subject, as well as the right to access such data. Nightingale may request the data subject to specify his/her request, amongst others, with regard to the details of the data to be delivered.
  • Right to rectification: The data subject has the right to obtain from Nightingale the rectification of inaccurate personal data concerning him/her processed by Nightingale, and to have incomplete personal data processed by Nightingale to be completed.
  • Right to be forgotten: The data subject has the right to obtain from Nightingale the erasure of personal data related to him/her. Nightingale has the obligation to erase such data in case there is no longer a legal ground for the processing of such data and the legal obligation binding Nightingale related to the storing of the personal data has terminated.
  • Right to restriction of processing: In certain cases prescribed by law, the data subject has the right to obtain from Nightingale restriction of processing of his/her personal data.
  • Right to object to processing of personal data: In certain cases, the data subject may have the right to object to processing of his/her personal data. The right to object is applicable particularly in such situations where the processing of personal data is based on the controller’s legitimate interest. In such situations, Nightingale has to comply with the data subject’s request, unless Nightingale demonstrates compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The written requests to exercise the rights shall be submitted by email or letter to the addresses mentioned in Section 1 above.

Where the data subject deems that Nightingale has processed personal data contrary to the provisions of this Privacy Policy or the applicable laws, the data subject has the right to lodge a complaint with the competent supervisory authority, in Finland the Data Protection Ombudsman, in accordance with its instructions. The website of the Data Protection Ombudsman is available at https://tietosuoja.fi/en/home.