Privacy notice of shareholders’ data processing

Updated on June 3, 2021

AS “Olainfarm” 

PRIVACY NOTICE OF SHAREHOLDERS’ DATA PROCESSING – V2/2021

General information

1. The purpose of this privacy notice (hereinafter – Notice) is in accordance with General data protection regulation (hereinafter – GDPR), Article 12 and 13, is to ensure the information about the processing of personal data of the shareholder or the proxy, the representative of the shareholder (hereinafter – representative), the processing carried out by the Joint Stock Company AS “Olainfarm”, registration No.40003007246 (hereinafter – Company). 

2. The Company highly values the personal data protection requirements and provides information by issuing this Notice in order to ensure the possibility for the shareholder and the representative to understand what, why and in what way is done with the personal data by ensuring the Company’s relationship with their shareholders  monitoring in accordance with the procedures specified in the regulatory enactments. 

3. The terms used in the Notice – “controller”, “processor”, “personal data”, “processing”, “data subject” are used in the meaning as defined in Article 4 of the GDPR.

Controller

4. Controller – the Company. Contact details of the Company with regards of personal data protection:

4.1. Legal address: Rupnicu street 5, Olaine, Olaine Municipality, LV-2114;

4.2.Email address: dataprotection@olainfarm.com;

4.3 Telephone No.+371 28327856.

Personal data processed

5. The following personal data of the shareholder can be processed by the Company:

5.1. name, surname, personal identity code (if a person does not have personal identity code — date of birth, type and number of the identity document and date of issue, state and institution that issued the document) and place of residence;

5.2. information from the identity document; 

5.3. the category, number, nominal value, serial number of the share, if any, and the number of votes arising from the share. Date on which the shareholder paid for the share in full or, if it has not been paid in full, the share payment term;

5.4. information about the representative (if applicable);

5.5. information regarding participation and actions in the shareholders ‘meeting, information regarding voting, including voting before the shareholders’ meeting;

5.6. information related to the shareholder’s communication with the Company;

5.7. other information about the shareholder, which is included in the minutes and in the decisions of the shareholders’ meeting;

5.8. e-mail address, which is obtained, for example, by registering for participation in the shareholders’ meeting or providing remote participation in the shareholders’ meeting; 

5.9. publicly available personal data;

5.10. other personal data transferred to the Company by the shareholder or the representative;

5.11. data obtained during the shareholder’s remote communication with the Company or remote authentication for participation in the shareholders’ meeting (computer or mobile devices and Internet usage data, such as Internet protocol (IP) address assigned to the shareholder’s device (computer), connection time, information to be provided to the Company by the shareholder, authentication data, for example, by authenticating with Internet banking or a secure electronic signature).

6. The following personal data of the representative can be processed by the Company:

6.1. name, surname, personal identity code (if a person does not have personal identity code — date of birth, type and number of the identity document and date of issue, state and institution that issued the document) and place of residence;

6.2. information from the identity document; 

6.3. information regarding the representation, the shareholder who has given the authorization, information regarding the authorization and the activities performed on the basis thereof;

6.4. information regarding participation and actions in the shareholders ‘meeting, information regarding voting, including voting before the shareholders’ meeting;

6.5. information related to the representative’s communication with the Company;

6.6. information regarding the person’s workplace, position;

6.7. other information about the representative, which is included in the minutes and in the decisions of the shareholders’ meeting;

6.8. e-mail address, which is obtained, for example, by registering for participation in the shareholders’ meeting or providing remote participation in the shareholders’ meeting; 

6.9. publicly available personal data;

6.10. other personal data transferred to the Company by the shareholder or the representative;

6.11. data obtained during the remote communication with the Company or remote authentication for participation in the shareholders’ meeting (computer or mobile devices and Internet usage data, such as Internet protocol (IP) address assigned to the device (computer), connection time, information to be provided to the Company by the representative, authentication data, for example, by authenticating with Internet banking or a secure electronic signature).

7. The Company may perform the documentation and video recording of the shareholders’ meeting, including the remote meeting and authentication process for voting and remote participation in the meeting, including preserving the video image and sound recording, thus obtaining a visual image, voice recording, as well as information on actions and communication during the shareholders’ meeting. The Company has imposed a general ban on other persons making video and audio recordings during the shareholders’ meeting and are taking steps to ensure this.

8. The Company may request a sworn bailiff to document a fact, for example during a shareholders’ meeting, and thus a sworn bailiff may, in accordance with the requirements of regulatory enactments, record a fact in a deed, audio recording, video recording, photography.

Source of personal data

9. The Company may obtain personal data in various ways, including from:

9.1. the data subject – the shareholder, the representative (for example, when a person arrives and participates in a shareholders’ meeting or communicates with the Company, authenticates for remote participation in a shareholders’ meeting), or

9.2. the third person, for example, from central securities depository of Latvia, Nasdaq CSD, SE (performing the functions of the central bank of securities – accounting, storing and settling all securities in public circulation in Latvia, including the Company’s shares), which transfers to the Company the personal data of the shareholder under the regulatory enactments. The Company may obtain personal data from the shareholder (about the representative) or from the representative (about the shareholder). The Company may also obtain personal data from a sworn bailiff, who in the case specified in Clause 8 of the Notice submits to the Company information on the fixed facts, including by submitting a deed and an audio recording, video recording, photography.

9.3. publicly available information, for example, in cases specified in regulatory enactments, obtaining information from the register of enterprises regarding the rights of representation.

Purpose and legal ground of the personal data processing

10. The Company processes personal data in order to fulfil the obligations specified in regulatory enactments, including the obligations specified in the Commercial Law, the Financial Instruments Market Law and other regulatory enactments regulating the financial instruments market, for example, to ensure convening, conducting, documenting of the shareholders meeting and to fulfil other shareholders’ rights. The legal ground for the personal data processing is Article 6 (1) c) of GDPR.

11. The Company may also process personal data within the framework of the implementation of its legitimate interests, for example, by responding to a shareholder’s request, proposal, complaint or by recording a legal fact through a sworn bailiff in accordance with Clause 8 of the Notice. The Company, based on its legitimate interests, may document a process, make a video recording during the shareholders’ meeting in accordance with the provisions of Clause 7 of the Notice in order to provide evidence in case a dispute arises regarding the course of the shareholders’ meeting or the minutes of the meeting. In the case of such processing of personal data, the Company has assessed and ensures proportionality between the Company’s legitimate interests and the rights and freedoms of the data subject.

The legal ground for the personal data processing is Article 6 (1) f) of GDPR.

Recipients of personal data

12. The Company may transfer personal data to its processor – it is not a third person, but is a merchant or individual who processes personal data in the name and on behalf of the Company, based on specific instructions of the Company. The processor has a binding obligation to ensure the security of personal data and is permitted to use personal data only for the performance of the activities and purposes specified by the Company. For example, the Company may use a processor to ensure the storage of personal data, video recording during a shareholders’ meeting and the verification and registration of the identity of a participant in a shareholders’ meeting for participation in a shareholders’ meeting. The Company may also use processors to organize the shareholders’ meeting, to organize voting, for example, the platform www.lemejs.lv. The controller, instead of the Company’s processor, is, for example, an electronic signature provider or a credit institution, which internet banking is used by a shareholder to authenticate and prove his / her identity in relations with the Company.

13. The Company may be obliged to transfer personal data in the cases specified in regulatory enactments to a state and / or local government institution that supervises the Company’s activities, such as the Financial and Capital Market Commission, or which needs the Company’s information to perform its duties. The Company may have a legitimate interest in submitting personal data to a state and / or local government institution, such as a court, the State Police, the Register of Enterprises of the Republic of Latvia, in order to protect the Company’s legitimate interests.

14. The Company may have a legitimate interest or an obligation specified in regulatory enactments to provide personal data to other shareholders of the Company.

15. The Company may, on the basis of its legitimate interests, transfer or make available personal data to its professional adviser and sworn bailiff in the case specified in Clause 8 of the Notice.

16. Personal data may be made publicly available in the cases specified in regulatory enactments.

Duration of personal data storage

17. The Company stores personal data in accordance with the GDPR as long as the data are necessary to achieve the legitimate purpose. Personal data are deleted, anonymised or destroyed when the legitimate purpose is achieved.

18. Basically, the Company stores personal data the term specified in regulatory enactments.

19. The Company may, on the basis of its legitimate interests, store personal data longer than required by regulatory enactments if these personal data are necessary for the Company to prove the fulfilment of its obligations, but observing the general limitation period of the claim – 10 years in accordance with the Civil Law of the Republic of Latvia, or three years in accordance with the Commercial Law, or another term, taking into account also the term for filing a claim / submission of an application specified in the Civil Procedure Law.

20. The video recording of the shareholders’ meeting and the information documented of the authentication process for voting and remote participation in the meeting specified in Clause 7 of the Notice may be stored for up to one year from the date of the shareholders’ meeting, considering that the action for annulment of the shareholders’ meeting may be brought within one year from the date of the meeting. This term may be extended if it is necessary to achieve the purpose of obtaining the documented information or video recording, for example, an action has been brought against the Company for annulment of the decision of the shareholders’ meeting.

21. If the processing of personal data has been carried out on the basis of the data subject’s consent, the personal data shall be kept until the consent is revoked, unless a shorter period is specified in the case of the consent or if there is no other legal ground for further processing.

Rights of the data subjects – shareholders, representatives

22. Data subject has the following rights:

22.1. Request a copy of the Notice, request additional information, explanations regarding the information included in the Notice and concerning the processing of personal data by the Company, including detailed information about the storage period, recipients of personal data;

22.2. Request Company`s confirmation as to whether or not data subject personal data are processed;

22.3. Request from the Company the access to the personal data;

22.4. Object the processing of personal data carried out by the Company (for example, against the processing carried out on the basis of the legitimate interests of the Company, if the data subject considers that such processing is disproportionate), request the Company to correct, delete or restrict the processing of personal data.

22.5. If the processing of personal data is carried out on the basis of the data subject’s consent, the data subject has the right to withdraw the consent at any time.

23. Mentioned rights of the data subject in details are regulated in Articles 12 to 21 of the GDPR. These rights are not absolute and its exercise may be restricted, for example, the Company has the right to refuse to stop the processing of personal data if the Company indicates convincingly legitimate reasons for processing that are more important than the interests, rights and freedoms of the data subject.

24. In order to exercise his / her rights, the data subject has the right to address the Company a request by sending it to the e-mail address: dataprotection@olainfarm.com or by sending a letter to the address: Rūpnīcu iela 5, Olaine, Olaines novads, LV-2114, addressing it to AS “Olainfarm”.

25. The activities of the Company regarding the protection of personal data shall be supervised by the Data State Inspectorate of Latvia. In order to resolve any disagreements or questions as soon as possible, we invite the data subject to contact the Company first. As well as, the data subject has the right to submit a complaint to the Data State Inspectorate (contact information is available on website www.dvi.gov.lv).

Changes to the Notice

26. The Company is entitled to make changes to the Notice, if they do not contradict the GDPR, providing data subjects with access to the current version of the Notice.

Privacy notice of shareholders’ data processing