Lehto Oyj : Privacy Statement Annual General Meeting

Privacy statement - AGM

Preregistration for the Annual General Meeting 2024 ("AGM")

Unofficial translation, Finnish version of the Privacy Statement shall prevail.

1. Controller
   Lehto Group Plc Voimatie 6 B
   90440 Kempele
   (hereinafter referred to as the "Controller")
2. Contact details in matters concerning the register
   tietosuoja@lehto.fi
   Voimatie 6 B, 90440 KEMPELE puh. 0207 600 900
3. The purpose and legal basis for the processing of the personal data
   In the AGM registration, information necessary for organizing the AGM is collected. The purpose for the collection of the information is to enable the registration of shareholders, their representatives and their counsels to the AGM, the identification of shareholders and their ownership. The processing is based on the legal obligation to organize an AGM according to the Finnish Companies Act. The technical provider of the service is Euroclear Finland Ltd.
4. Personal data processed
   The following categories of personal data may be processed in connection with the registration for the AGM: name, personal identity code or date of birth, address, phone number, email address. The same personal data can be collected of an assistant or authorized representative.
5. Regular sources of information
   The personal data is collected mainly from the shareholder registering, voting and presenting questions for the AGM or from someone acting on the shareholder's behalf.
6. Disclosures of data to third parties
   In the following situations the Controller may transfer and disclose personal data to third parties:
7. • to the provider of the system for the registration for the AGM, Euroclear Finland Oy, and other trusted service provides who act on the Controller's behalf, when needed; and
   • when the disclosure is necessary in order to ensure the rights of the Controller, data subject or others, to investigate potential fraud, or to respond to requests from public authorities.

1. The principles how the data file/register is secured
   The Controller has undertaken appropriate technical and organizational security measures in order to protect the personal data from loss, destruction, misuse and unauthorized access.
   Euroclear Finland Ltd shall be responsible for the maintenance of the register. The connection from a user's browser to the server of Euroclear Finland Ltd is encrypted with SSL-technology. Technical data protection is being used in the application, by which the entered information shall remain unchanged and is available only for the authorized persons.
2. Transfer of data outside the EU or EEA
   Personal data is not transferred to countries outside the European Union or the European Economic Area.
3. Retention period for personal data
   The personal data is only kept for as long as it is necessary for the purposes set out in this statement or for the retention periods set out in legislation. For example, the rules on prescription in the Finnish Companies Act (624/2006) require the Controller to keep the personal data related to AGMs for 3 months after the decision of the AGM. In practice the personal data may be kept for a longer period for purposes required by other legislation.
   When the retention period for personal data has expired or the personal data is no longer necessary or there is no longer legal basis for processing them, the reports containing personal data will be anonymised or erased.
4. Data subject rights and the exercise of rights
   According to the data protection legislation, a data subject has the following rights within the limitations set out in and according to applicable data protection legislation:
5. • the right to request access to personal data concerning the data subject;
   • the right to ask for the personal data concerning the data subject to be rectified or deleted; and
   • the right to request restriction of processing or object the processing.

The data subject has also the right to file a complaint to the data protection authority (in Finland: The Office of the Data Protection Ombudsman, https://tietosuoja.fi/etusivu).

Updated 18.3.2024