Privacy Notice – shareholders, other investors and analysts

Data ControllerPurposes and legal basis for processingCategories of personal data we collect:Where we collect the personal data fromDisclosure of personal data and categories of recipients of the dataTransfer of a personal data outside EU/EEARetention timeData protectionWhat are your rightsHow you can contact us and exercise your rightsChanges to Privacy Notice

Citycon Oyj and its subsidiaries and other affiliates (later referred to as “Citycon”) respect the privacy of its investors, customers, suppliers and other stakeholders. This privacy notice (later referred to as “Privacy Notice”) describes how Citycon collects and processes personal data of its shareholders, other investors and analysts and how Citycon ensures the privacy and security of information collected and processed by it.

In this Privacy Notice “personal data” means any information that can identify you as an individual either submitted by you and/or obtained through alternative channels.

Data Controller

Citycon Oyj, Piispansilta 21, 02230 Espoo, Finland
tel 020 766 4400

Purposes and legal basis for processing

We process personal data of shareholders and their representatives to maintain a shareholders’ register, to arrange and administer shareholder meetings, to identify shareholders’ identity and right to participate in general meetings, to communicate with them and to pay dividend and to make other equity transactions.

We process personal data of other investors and analysts to fulfil our legitimate interests and to communicate with them.

We need to process personal data of shareholders and their representatives, other investors and analysts to be able to provide information to the public as a company listed on Nasdaq Helsinki Ltd.

We process shareholders’, other investors’ and analysts’ personal data to fulfil our legal obligations. We may also process the data in order to fulfil our legitimate interests to disclose information to the public and to communicate with and to maintain good relationships with our shareholders, investors and analysts. In addition, we may process data when we send invitations to our events, send newsletters, send information on our business and other marketing communications.

Categories of personal data we collect:

Shareholders:
  • contact information, such as name, address, phone number, email address
  • other information, such as personal identity number or other identifying information, nationality, number of shares and voting rights, book-entry account number
  • other information concerning shareholders’ participation in the general meetings (including information on power of attorneys)

Shareholders’ proxy representatives and assistants:
  • name of representatives and personal identity number when the representative represents shareholders in shareholder meetings
  • name of We also collect personal data of proxy representatives and of assistants representing / assisting shareholders in general meetings

Other investors and analysts:
  •  Contact information, such as name, address, phone number, email address

Where we collect the personal data from

We collect personal data from:
  •  Shareholders. We receive information provided to us in notifications of major shareholdings (flagging notifications).
  •  Euroclear Finland Oy (national central securities depository). Euroclear Finland Oy maintains Citycon’s shareholder register and it is the technical provider of the database that we use to manage the shareholder information.
  • Other investors and analysts or companies they represent.

Disclosure of personal data and categories of recipients of the data

Information regarding major shareholders, flagging notifications and list of analysts following Citycon can be found on our website www.citycon.com.

We are required to disclose the list of shareholders to anyone requesting based on applicable laws and regulations (publicity of shareholders’ register).

We may disclose certain data to authorities where we have a legal obligation to do so.

We may also transfer data to our service providers, who process the data on our behalf and in accordance with our instructions.

Transfer of a personal data outside EU/EEA

In some cases, personal data can be transferred outside the EU/EEA (e.g. in case of service providers) in accordance with applicable data privacy laws and regulations and subject to the restrictions set in said laws and regulations.

Retention time

Data will be retained as long as needed under Citycon’s legal obligations as a company listed on Nasdaq Helsinki Ltd. In addition, data can be retained as long as it is necessary for Citycon’s genuine interests and needs or purposes of processing.

Data protection

Citycon has taken appropriate technical and organizational measures to restrict access to the personal data it holds and to protect it against loss, accidental destruction, misuse, and unlawful alteration. Access to personal data is restricted on a need-to-know basis to individuals (Citycon’s employees and service providers) who need to access the data for the purposes it was collected for.

If personal data is transferred outside the EU/EEA to a country, which does not guarantee adequate level of data protection, we will use appropriate safeguards, such as EU Commission’s standard contractual clauses or Privacy Shield Framework, in accordance with applicable data privacy laws and regulations.

What are your rights

Right to object:
  •  You have the right based on your situation to object to profiling and other processing in situations where we process your personal data based on our legitimate interests. These situations can relate to, for example, sending a newsletter or invitation to our events that we assume you are interested in, for example, based on your company's field of operation.

Direct marketing:
  •  You have the right at any time to object direct marketing free of charge. You may do this by contacting Citycon.

Right of access to data:
  • You are entitled to have information concerning your personal data that is processed as well as a copy of such data.

Right to request rectification, erasure or restriction of processing of personal data:
  • You have the right to request that we rectify erroneous data on you. You can also request that we erase certain data on you or request that processing be restricted on the grounds provided by law.

Right to withdraw consent:
  • When processing is based on consent, for a consent to be valid, it needs to be withdrawable, and you have the right for such withdrawal at any time.

Right to data portability:
  •  To the extent that you have provided data to us that is processed based on your consent, you are entitled to obtain such data primarily in a machine-readable format and are entitled to transfer such data to another data controller.

Right to lodge a complaint with a supervisory authority:
  •  You are entitled to lodge a complaint with the competent supervisory authority if you are of the opinion that we have not complied with the data protection regulations applicable to our operations.

How you can contact us and exercise your rights

If you have any questions concerning protection of your personal data in our data processing activities or you wish to exercise your rights, please contact us at privacy@citycon.com.

Data Protection Officer Leena Rentola, Piispansilta 21, 02230 Espoo, Finland, tel 020 766 4528, email leena.rentola@citycon.com.

Changes to Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our operations and/or applicable law. Any changes will be posted here.