Management and Insider Privacy Policy

Effective Date: February 8, 2022

We at Fiskars Group are committed to protecting the privacy of our management and insiders’ personal data. “Management and Insiders” means, for the purposes of this Privacy Policy, Fiskars Group Management (members of Fiskars Group’s board of directors; CEO and other senior executives) and Management’s closely-associated persons (including family members), Fiskars Group financial information recipients, project insiders and other individuals whose information is provided to Fiskars Group by the above-mentioned individuals for various purposes (also other persons). This Privacy Policy informs you how Fiskars Corporation (hereinafter both “Fiskars” and “we”) processes your personal data. For the purposes of this Privacy Policy, Fiskars is the controller. This Privacy Policy concerns all collection of management and insiders’ personal data, in connection to which this Privacy Policy is visible, including but not limited to management records.

We recommend that you read this Privacy Policy carefully as it provides important information about personal data and other information that we collect.

Should you have any questions, requests or concerns, you can at any time contact us at: privacy@fiskars.com

1. What data do we use?

We collect personal data directly from you (or indirectly where specifically assigned by you to be provided to us) and we may update it based on third-party registers (where such updates are available).

Data we collect on Management:

  • First name, surname
  • Contact details (both work and personal), such as email address(es), telephone number, postal address
  • Photo
  • Demographic information: gender, citizenship, date of birth, language, title or degree
  • Business ID or equivalent foreign ID (legal entities)
  • Work-related information provided by you: company/employer’s name and contact details
  • Date on which the person became a member of the management
  • Transactions made by the closely associated persons
  • Event information: The tasks related to the managing of a relationship and events as well as the information needed to organise them, such as special diet, allergies and other restrictions
  • Payment and tax details, bank account details and national identity numbers, where required
  • Travel itineraries, passport details and other travel documents
  • Any consents, communications and feedback that you provide to us
  • Any other information based on a freely given, prior consent

Data we collect on Insiders:

  • First name, surname, birth surname (if different from surname)
  • date of birth; national ID number / social security number
  • Contact details (both work and personal), such as email address(es), telephone number, postal address
  • function and the reason for being insider
  • the date and time at which the person obtained access to inside information
  • the date and time at which the person ceased to have access to inside information

Data we collect on Closely-Associated Persons:

  • First name, surname
  • Contact details (both work and personal), such as email address(es), telephone number, postal address
  • Reason the individual has been recorded as a closely-associated person
  • Number of possible shares owned
  • Company name, Business ID or equivalent foreign ID (where applicable)
  • Transactions made by the closely-associated persons
  • Event information: The tasks related to the managing of a relationship and events as well as the information needed to organise them, such as special diet, allergies and other restrictions

Data we collect on Financial Information Recipients:

  • First name, surname
  • Contact details (both work and personal), such as email address(es), telephone number, postal address
  • title or degree
  • the start date and end date for which the person has had access to financial information
  • the scope of their access to financial information

Data we collect on Other Persons:

  • First name, surname
  • Contact details (both work and personal), such as email address(es), telephone number, postal address
  • Company name, Business ID or equivalent foreign ID (where applicable)
  • Event information: The tasks related to the managing of a relationship and events as well as the information needed to organise them, such as special diet, allergies and other restrictions

We may update your data based on public registers, where available.

2. How does Fiskars use your personal data?

We use your personal data for various purposes depending on your status under this privacy policy.

Event and relation management:

In case you are a member of the Management, Closely-Associated Person or Other Person, we may use your personal data for organizing and managing events and other activities we may deem reasonable for creating or nurturing a relationship between you, your company (where applicable) and Fiskars Group; providing you ordinary communications; and maintaining our contact lists. Further, we may use the data for detection, investigation and prevention of unlawful activities as well as to identify users, for example any external persons visiting our premises.

Management of project-specific insider lists:

Insiders’ personal data is used for maintaining a project-specific insider list to comply with the requirements set forth in mandatory laws (e.g. The Market Abuse Regulation (EU) (596/2014)) and using the information to detect, investigate and process non-compliance with the laws. The project-specific insider list is not public.

Compliance with applicable regulations concerning Management transactions, Closely-Associated Persons and Financial Information Recipients:

We will need to collect and maintain personal data of Management, Closely-Associated Persons and Financial Information Recipients for complying with the requirements set forth in mandatory laws (e.g. The Market Abuse Regulation (EU) (596/2014)) and regulation and guidance given by the European Securities Markets Authority or otherwise under MAR, and Finnish legislation, especially the Securities Markets Act (746/2012, as amended) and the Finnish Penal Code (39/1889, as amended), as well as the insider and other guidelines of Nasdaq Helsinki Ltd, and the guidance by the Finnish Financial Supervisory Authority; and using the information to detect, investigate and process non-compliance with the laws. We publicize your personal data only to the extent required by our internal policies or practices on transparency of financial reporting or applicable mandatory laws.

 

3. For how long is your data stored?

Your data is stored as long as

  • It is necessary for the purposes of processing it, including as long as you are a part of the Management, in a position of Closely-Associated Person or Financial Information Recipient
  • We have your valid consent; or as long as we otherwise have a meaningful business relationship or business prospects with you and your company
  • The applicable period for limitation of legal claims endures
  • Any additional periods required or permitted under applicable law

Personal data stored on a project-specific insider list (or specific sections thereof) will be maintained and archived for at least five (5) years from the latest update.

4. In what situations is your personal data disclosed to other parties?

We do not disclose or transfer your personal data to third parties except to approved processors and third parties. We do not sell, lease or rent your personal data. Your personal data is adequately protected if transferred internationally.

 We disclose your personal data only to the parties indicated below and only for the following reasons:

  • Affiliates and third-party processors. We may disclose your personal data to Fiskars Group companies and authorized third party vendors which process the data for us (including, but not limited to Euroclear Oy). All such processing is based on our prior instructions set out in a binding contract that is compliant with the requirements of applicable law and is conducted in accordance with this Privacy Policy. These authorized third parties are not permitted to use your personal data for any purposes other than those described in this Privacy Policy and they are required to keep your personal data strictly confidential.
  • International transfers. Our services may be provided using resources and servers located in various countries, partly outside of the EU/EEA. Therefore, your personal data may be transferred across international borders outside the country in which you are located. If personal data of residents of the EU/EEA is transferred outside the EU/EEA, we will ensure that transfer is based on at least one of the transfer principles and bases provided for in Chapter V, General Data Protection Regulation (GDPR).
  • Requests based on legislation and protection of our interests. We may be required by the binding requirements of applicable law, or for the purposes of responding to legal proceedings or other lawful requests, to disclose your personal data to authorities or third parties. We may also disclose or otherwise process your personal data in accordance with applicable law to defend our legitimate interests (for example, in civil or criminal legal proceedings) and when combating fraud. We may also provide your personal data to law enforcement authorities based on their request.
  • Mergers and acquisitions. In the event of any sale, consolidation or reorganization of our businesses (for example mergers and acquisitions), we may disclose your personal data to prospective or actual purchasers or their advisers, where appropriate.

5. On what lawful basis do we process your data?

Mainly, the personal data is processed based on a legal obligation, such as collecting and maintaining a list of Financial Information Recipients, a List of Management and Closely-Associated Persons or a project-specific insider list.

Further, participation in our activities or otherwise communicating with us creates a co-operation relationship between you and us, and we thereby have a legitimate interest to process your personal data for managing and administrating events and ordinary communication relating to your relationship with Fiskars.

Your data may also be processed based on your consent. We may also have entered into a contract with you, based on which we need to process your personal data.

Please do note that should you be employed by Fiskars Group, data provided by you on the basis of your employment and employment contract is governed under Fiskars Group’s Employee Privacy Policy.

 

6. Do we process the personal data of children?

Closely-Associated Persons and Other Persons may also be minors, such as Management’s family members. Therefore, personal data of minors may be collected where the processing purpose so requires. In that case, appropriate consents are always required.

7. How do we protect your data?

We have implemented a variety of appropriate technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access, and other unlawful or unauthorized forms of processing. The safeguards include, for example, firewall protection of our systems and storing physical documents in locked and fireproof premises. Further, databases and their backup copies can be accessed only by certain pre-designated persons. All persons processing personal data will need to have an individual accreditation. Only our specifically-authorized personnel or authorized third parties are entitled to access our premises or process data. Anyone who is granted access to your personal data is required to keep such data confidential. Different levels of access have been created based on the type of data a person needs to access or process according to his/her job description.

8. What are your rights and options and how can you use them?

We hope to ensure that the personal data we process is accurate at all times and therefore we encourage you to update your information in your own account when any changes occur.

You may access your data
You may request access to, or copies of, your personal data. You may also have information regarding the nature, processing and disclosure of the data.

You may check and edit your personal data
Should you have an online user account, you may edit your personal data directly yourself. If not, you may contact privacy@fiskars.com, which will act upon your request as soon as possible to correct, remove or complete the information which is incorrect, unnecessary, lacking or outdated.

You may request the erasure or restriction of processing your data
Should you believe that your personal data is inaccurate, the processing is illegal, we are not processing your data in accordance with the processing purpose or you want to oppose the processing, you may contact privacy@fiskars.com to request the erasure, or restrictions on the processing, of your data.

You may object the processing of your data
You may have the right to object to, on legitimate grounds, the processing of your personal data.

You may withdraw your consent
You may at any time withdraw your consent to the processing of your personal data. The withdrawal of consent does not affect the lawfulness of any processing performed prior to the withdrawal.

You may have your data transferred to another provider
You have the right to data portability, which means you may have your personal data transferred to another controller in a structured, commonly used and machine-readable format, to the extent applicable. Please contact privacy@fiskars.com to submit a request on data portability.

You may lodge a claim with the supervisory authority
Should you believe that our processing of your personal data infringes your legal rights, you may lodge a claim with your local supervisory authority. Please do see a list for supervisory authorities’ websites here [Link to EU Commission’s website].

Please note that upon exercising any of the rights listed above, you may be requested to provide additional information for identification purposes. Such additional information shall not be used for any other purpose and will be removed after successful identification.

9. Local Terms

No applicable Local Terms.

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time and communicate the changes on this site. When we post changes to this Privacy Policy we will modify the “Effective Date” at the top of this Privacy Policy to indicate when such changes have come into effect.