Valid from 2025-06-09
This privacy notice explains how Enity Holding AB (publ) (the “Company”) handles your personal data. Please note that this privacy notice is intended for shareholders or representatives of shareholders, or holders or representatives of holders of other financial instruments that can be converted into, exchanged for, or grant the right to acquire shares (the “Shareholder”), Enity Bank Group AB (publ) (“Enity”) employees, the Company’s board members, and visitors to this website. If you are a customer of Enity, please find the privacy notice of your local Enity brand by selecting from the list below:
Bluestep Bank Sweden – Privacy notice
Bluestep Bank Norway – Privacy notice
Bluestep Bank Finland – Privacy notice
60plusbanken Sweden – Privacy notice
Definitions
Data Controller
Enity Holding AB (publ), Organisation number: 556668-9575, Box 23138, 104 35 Stockholm.
A data controller is an entity (such as a company, organisation, or individual) that determines the purposes and means of processing personal data.
Data Subject
A Data Subject refers to an individual whose personal data is collected, processed, stored, or used by an organisation or entity. The Data Subjects affected by this privacy notice are the Shareholders, the Enity employees, the Company’s board members, and visitors to this website.
Data Processor
A Data Processor is an entity (such as a company, organisation, or individual) that processes personal data on behalf of the Data Controller, based on its instructions.
Processing of personal data
Processing related to Shareholders
| Purpose of the processing | Personal data that is processed | Source of the personal data | Lawful ground for processing of personal data | Storage duration |
| --- | --- | --- | --- | --- |
| Record keeping and distribution of Shareholder-related information in order to fulfil the Company’s obligations in accordance with the Swedish Companies Act (Sw. aktiebolagslagen (2005:551)) or other applicable legislation, or in accordance with the Company’s Articles of Association, such as keeping and distributing copies of the shareholder register and other obligations in connection with general meetings. | Contact details (e.g. name and address); Personal identity number; Organisation number (if it can be linked to an individual); Holdings of shares or other financial instruments; Financial information, e.g. voting rights at general meetings, shareholding, and ownership rights; Information about proxies representing Shareholders; Information about guardians, pledges, pledgees, and other notations in the central securities register. | Data is provided by the Shareholder. If the personal data is included in the central securities register, it may also be provided by the central securities depository, Euroclear Sweden AB (publ). | The processing is necessary for the Company to fulfil its legal obligations under the Swedish Companies Act or other applicable legislation. The processing is necessary for the Company’s legitimate interest in fulfilling its obligations under the Swedish Companies Act, other applicable legislation or the Articles of Association. | The personal data collected will not be kept longer than necessary given the purpose of the processing, unless otherwise required or permitted by law. For example, under the Swedish Companies Act, the data in the shareholder register must be stored for 10 years. |
| Record keeping and distribution of Shareholder-related information for the purpose of complying with market abuse and information requirements, and otherwise to inform the market, such as through issuance and publication of press releases. | Contact details (e.g. name and address); Holdings of shares or other financial instruments; Financial information, e.g. voting rights at general meetings, shareholding, and ownership rights; | Data is provided by the Shareholder. If the personal data is included in the central securities register, it may also be provided by the central securities depository, Euroclear Sweden AB (publ). | The processing is necessary for the Company to fulfil its legitimate interest to comply with the Market Abuse Regulation or other applicable legislation. The processing is necessary for the Company’s legitimate interest to promptly and accurately inform Shareholders and other stakeholders about regulatory or other Company-relevant information and to comply with the rules of the stock exchange where the Company’s shares are traded. | The personal data collected will not be kept longer than necessary given the purpose of the processing, unless otherwise required or permitted by law. For example, under the Market Abuse Regulation, press releases must be stored for 5 years after publication. |
Processing related to Enity employees’ and the Company’s board members’ application prior to acquisition or disposal of financial instruments
| Purpose of the processing | Personal data that is processed | Source of the personal data | Lawful ground for processing of personal data | Storage duration |
| --- | --- | --- | --- | --- |
| Process the Enity employee’s or the Company’s board member’s application prior to acquisition or disposal of financial instruments | Contact details (e.g. name and telephone number of the employee or board member); Financial information, such as the financial instruments the application concerns. | Data is provided by the employee or board member. | Legitimate interest in ensuring that employees comply with the Company’s insider policy and in protecting employees from being suspected of insider dealing offences, e.g. in a situation where there is undisclosed information of a price-sensitive nature within the Company, irrespective of the individual employee’s knowledge of such information. | The personal data will be stored for five years after a decision has been made regarding your application or no later than two years after the employment has ended, whichever occurs first. |
Processing related to administration of the website
| Purpose of the processing | Personal data that is processed | Source of the personal data | Lawful ground for processing of personal data | Storage duration |
| --- | --- | --- | --- | --- |
| The Company’s website uses cookies. Some of the cookies are necessary in order for the website to function properly, and some cookies are used for other purposes, e.g. to collect statistics, marketing etc. | IP address | Data is provided by the Data Subject. | Cookies that are absolutely necessary for the website to function properly are always active, and the processing of personal data for these cookies is based on the Company’s legitimate interests to provide a functioning website. All other cookies will only collect personal data based on the Data Subject’s consent. | The storage duration for different types of cookies is specified in the cookie policy. |
When the Company processes your personal data under the lawful basis of its legitimate interests, it has carefully assessed and balanced your interests against its own. After this assessment, the Company has concluded that its legitimate interests adequately justify the processing. If you would like more information regarding this assessment, please feel free to contact the Company using the details provided below.
Processing of personal data by third party entities
Data Processors
The Company may need to disclose personal data to third parties, such as other group companies and IT providers. The Company will establish agreements with all Data Processors prior to disclosing personal data.
Other data controllers
The Company may also need to disclose personal data to third parties, such as banks, advisors and other service providers to the Company, public authorities, Shareholders, and the general public, in situations where there is a legal obligation, to fulfil the Company’s commitments towards the Data Subjects or for the Company’s legitimate interests in conducting its business. When personal data is shared with other data controllers, the privacy notice and data handling practices of the respective organisation apply.
For Shareholders
The shareholder register is public, and the Company must provide anyone who requests it with the opportunity to view a current printout or other current representation of the shareholder register. The information in the shareholder register will therefore be disclosed upon request. Furthermore, Shareholder information will be disclosed as required to fulfil the Company’s other legal obligations, such as when submitting a tax return to the Swedish Tax Agency in connection with dividend payments.
Minutes and voting lists from general meetings may be disclosed to Shareholders present at the meeting, as well as to the Swedish Companies Registration Office, auditors, and others to whom the Company has a legal obligation to disclose the minutes or otherwise considers it appropriate to do so. Additionally, minutes from general meetings, excluding the voting list, will be published on the Company’s website.
Information about, among other things, major Shareholders may be disclosed to authorities, advisors, and the public in connection with the preparation of prospectuses, information memoranda, and financial reports, and may also be published on the Company’s website.
Personal data may also be shared with other trusted parties such as suppliers, professional advisors, and auditors.
Transferring of personal data to third countries
No personal data is transferred to countries outside the EU and EEA.
The Data Subject’s rights
The Data Subject has several rights under the GDPR. This section contains information on how these rights can be exercised.
Request erasure of personal data
You have the right to request erasure of your personal data in the following cases:
– If the data is no longer needed for the purposes for which it was collected
– If the personal data has been processed unlawfully
The Company has the right to retain personal information despite a request for erasure if it is necessary to fulfil a legal obligation, e.g. according to the legal framework on protection of persons who report breaches, or in order to establish, assert or defend legal claims.
If you want to request erasure of your personal data, please send an email to dpo@enity.com. The Company will identify you in order to ensure that it is you who has sent the request.
Request rectification of inaccurate or incomplete information
Information that the Company processes about you must be accurate and up to date. If you notice inaccurate information, you can request the information to be rectified.
If you want to request rectification of your personal data, please send an email to dpo@enity.com.
The right of access
You have the right to know if the Company processes your personal data. If the Company does process your data, you have the right to request a copy of the personal data being processed and information about:
– which categories of personal data are processed,
– how the personal data is used,
– for how long the personal data will be stored,
– who the personal data has been shared with,
– from where the data originates.
If you want to exercise your right to access, please send an email to dpo@enity.com. The Company will identify you in order to ensure that it is you who has sent the request.
Please note that there may be information that you are not allowed to access, for example if it is detrimental to others. You also do not always have the right to receive a copy of the document where your personal information appears. According to chapter 4 section 9 of the Swedish Act on Money Laundering and Financing of Terrorism (Sw: lag (2017:630) om åtgärder mot penningtvätt och finansiering av terrorism), the Company does not have the right to share information on suspicion of money laundering or financing of terrorism or that property otherwise is derived from a criminal activity or if a report has been submitted to the Police Authority.
Right to restriction of processing
In some situations, you can request that the processing of your personal data is restricted, e.g. if you believe that information about you is inaccurate and you have requested rectification of your information. In case of a restriction, the personal data will be flagged so that it may only be processed for certain purposes. When the restriction expires, you will be informed.
If you want to request a restriction of the processing of your data, please send an email to dpo@enity.com. The Company will identify you in order to ensure that it is you who has sent the request.
Right to object to use of personal data
You have the right to object to processing of your personal data if the lawful ground for the processing is the legitimate interest of the controller.
If you want to object to processing of your personal data, please send an email to dpo@enity.com.
Right to data portability
You have the right to request the personal data that Enity processes about you in a structured, commonly used and machine-readable format, or to ask for this data to be transferred directly to another controller if it is technically possible.
If you want to use the right to data portability, please send an email to dpo@enity.com. The Company will identify you in order to ensure that it is you who has sent the request.
Other
Your request will be processed as soon as possible, but no later than one month after your request was received. If necessary, the time limit may be extended by two months, and the Company will inform you of the reason for the delay.
Data protection officer
Enity has appointed a data protection officer who monitors that Enity and the Company comply with the rules on the protection of personal data.
The data protection officer shall fulfil his or her assignment in an independent manner in relation to Enity and the Company.
Enity’s data protection officer can be reached via:
Telephone: 08 501 004 00
Email: dpo@enity.com
Address: Sveavägen 163, 113 46 Stockholm
For questions or complaints regarding the Company’s personal data processing, please contact: dpo@enity.com.
You can also contact the Swedish Authority for Privacy Protection regarding questions or complaints concerning the processing of your personal data.