Castellum’s processing of your personal data

Castellum AB (“Castellum”) cares about your privacy and protecting the personal data we process about you. All processing of personal data takes place in accordance with the provisions of the General Data Protection Regulation and other applicable data protection legislation. We present below a description of how we compile, process and share your personal data in connection with your relationship with Castellum as a shareholder or as a contact person for a company that is a shareholder.

Which personal data will be processed?

Castellum compiles and processes the following data: names, addresses, telephone numbers, personal ID numbers, shareholdings (directly owned or nominee-registered), voting rights, shareholder representatives, proxies, food preferences, as well as any other personal data which you personally provide to us in your communication with us (your “personal data”).

Why do we process your personal data?

Castellum processes your personal data in order to administer notices of attendance at, and the holding of, annual general meetings (e.g. to investigate whether a shareholding is directly owned or nominee-registered and to take measures as a consequence thereof; to administer the annual general meeting, including refreshment, etc.) and to be able to take the measures we are obliged to take within the scope of administration of the share register (e.g. to be able to present it and the information therein at the request of a shareholder). We may also process your personal data in order to send news about our business, such as interim reports and annual reports, if you have requested to receive such news. In addition, we may process your personal data in order to handle communication with you and related matters which you initiate as a shareholder or contact person for a shareholder company, and in certain cases demand that we take additional measures depending on the nature of the matter. In certain cases, where you are a major shareholder in Castellum, we will also process your personal data through publication of your name and shareholding in interim reports, in annual reports, on the website, etc.

We may also, in certain cases, wish to process your personal data by publishing photographs in interim reports, annual reports, on the website, etc. If we wish to process your personal data for such a purpose, you will receive separate information about the resulting processing of personal data and to provide us with separate consent to our processing of your personal data for such purpose.

From where do we obtain personal data?

The personal data is compiled directly from you and from Euroclear Sweden AB (which administers our share register).

Who has access to your personal data?

We have taken appropriate technical and organisational security measures to protect your personal data against, for example, loss and unauthorised access. The number of individuals who have access to your personal data is limited. Only persons at Castellum who need to process the personal data in accordance with the purposes above have access to your personal data.

We may also share your personal data with our providers and other cooperation partners who perform services on our behalf. The personal data you provide to us may primarily be shared with the central securities depository Euroclear Sweden AB as well as our IT providers, for the supporting and the maintenance of our IT systems.

How long is your personal data stored?

Your personal data which is processed in respect of your participation at the annual general meeting (such as name and food preferences) will be stored for one month after the close of the annual general meeting.

According to law, data which is processed concerning your shareholding must be stored for ownership history for at least 10 years.

Data which is processed for administering communication with you and related issues which you have initiated as a shareholder or contact person for a shareholder company will be stored for such time as is relevant in relation to the communication and the matter concerned.

Data which is processed to send news to you will be stored for such time as you wish to continue to receive such news.

Data which is published in an annual report will be stored for at least 10 years.

What right does Castellum have to process your personal data?

The processing of your personal data for administering notifications of attendance at, and the holding of, annual general meetings and for administering the share register is based on our statutory obligation to process your personal data for these purposes.

The processing of your personal data for sending you news about our business or invitations to events, for administering refreshment and addressing food preferences at the annual general meeting, any publication of information about you in an annual report or suchlike, and for administering matters which you personally initiate as a shareholder or contact person for a shareholder company takes place based on a balancing of interests. Castellum considers itself entitled to process your personal data since the processing is necessary for purposes which involve Castellum’s legitimate interests. If the matter which you personally initiate requires that we take additional measures, this may entail that we will perform additional personal data processing, which might possibly be based on a legal ground other than a balancing of interests.

This is our reasoning

Castellum’s legitimate interest as regards the processing of contact data for sending you news or invitations to events or for administering refreshment and addressing food preferences at the annual general meeting is to keep you updated as to what is happening in our business and to maintain a continued good relationship with you as a shareholder. Castellum has weighed its legitimate interest against any encroachment on privacy that Castellum’s processing might entail. Castellum makes the assessment that the risk of encroachment on privacy is restricted since it is also in your interests to have the correct food served at the annual general meeting and to receive information about the company in which you personally, or the company for which you act as contact person, owns shares.

Castellum’s legitimate interest as regards the processing of personal data in those matters that you have personally initiated as a shareholder or contact person for a shareholder company is to facilitate communication with you and to assist you in those matters. Here too, Castellum has weighed its legitimate interests against any encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that the risk of encroachment on privacy is limited since the processing of personal data takes place due to the matter that you have personally initiated.

The personal data which is processed is also restricted to what is needed to perform the purposes for which the processing of personal data takes place. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.

What happens if you do not provide your personal data?

It is necessary that you provide the personal data stated above to enable Castellum to contact you and take measures as stated above. If the data stated above which is obtained from you is not provided, the aforementioned measures cannot be taken by Castellum.

Your rights

You are entitled to request access to the personal data that Castellum processes about you. You are entitled to have incorrect personal data about you rectified and may request that personal data be erased. You are also entitled to object to certain processing of your personal data and to request that the processing of personal data be restricted.

If you request that Castellum restricts or erases your personal data, this may have the consequence that Castellum is unable to perform its duties. You are also entitled to request to receive your personal data in a machine-readable format with the aim of transmitting the data to another controller (referred to as data portability).

If you are dissatisfied with the way in which Castellum processes your personal data you may complain to the supervisory authority regarding Castellum’s processing of personal data.

If you have any questions concerning the way in which your personal data is processed, you are welcome to contact Castellum’s data protection team on gdpr@castellum.se.

Contact details to Castellum:

Postal address: Castellum AB, reg. no. 556475-5550, med adress Box 2269, 403 14 Gothenburg