Privacy guideline

1. Introduction

Your privacy is important to us. Momentum Group AB processes personal data in several parts of our business – for example, in contact with shareholders, managers, suppliers, investors, analysts and other stakeholders.

This Privacy Policy describes how we collect, use, store, and protect your personal information. The guideline complies with applicable data protection legislation, including the EU General Data Protection Regulation (GDPR), the Market Abuse Regulation (MAR), the Swedish Companies Act and other applicable regulations for companies listed on Nasdaq Stockholm as well as Momentum Group AB’s policy for Personal Data.

2. Data Controller

Momentum Group AB
Org.nr 559266–0699
Östermalmsgatan 87E
114 59 Stockholm

Phone: +46 8 92 90 00
E-mail: info@momentum.group

Momentum Group AB is the data controller for the processing of personal data described in this policy.

3. What personal data we process

The personal data we process depends on your relationship with us. For example, it can be about:

name, address, email address and telephone number
workplace, position and title
social security number (where required for secure identification or legal obligation)
information about shareholdings, if you are a shareholder in Momentum Group AB

The personal data is normally obtained directly from you, but may also come from your employer (e.g. if you are a supplier representative) or from public registers. We may also obtain your personal data from suppliers who provide services on Momentum Group AB’s website for e.g. subscription of financial information and press releases, ownership structure and insider transactions and Euroclear Sweden AB. If we receive your personal data from a source other than yourself, we will inform you in accordance with applicable data protection rules.

4. Purpose and legal basis for the processing

The provision of your personal data is in some cases a statutory or contractual requirement. To the extent that you do not provide your personal data to us, it may affect our ability to fulfil our obligations to you and our obligation to comply with the legal obligations that we have to comply with in relation to you.

Communication and information mailings

We process your personal data in order to:

send financial reports, press releases and other company information;
respond to questions received through our website or email;
provide other information that you have requested.

The processing is based on our legitimate interest in communicating with investors, analysts and other stakeholders, or on your consent if you subscribe to information via our website. Information that you have subscribed to is sent to you via a service provided by Modular Finance AB. Your personal data is deleted at your request or when it is no longer needed for the purpose. In case management, personal data is normally stored for 30 days after the case has been closed.

Contacts with analysts, investors and managers/owners

When you contact us – or when we contact you – in your role as an analyst, investor, shareholder, nominee or representative of an owner, we process personal data such as name, title, contact details and, where applicable, information about your organisation or investment.

The processing is based on our legitimate interest to:

respond to contact requests;
make contact and have dialogues in connection with IR activities,
follow-up meetings and ongoing discussions, and
maintain a good relationship with capital market participants.

The personal data is stored for as long as it is needed to maintain relevant contact and dialogue, or until you request that we terminate the processing.

If you are an analyst, we also process your name, email address and workplace for the purpose of providing information about who follows Momentum Group AB. The processing is based on our legitimate interest in providing transparency and transparency in the company’s monitoring. The personal data is stored for as long as you monitor the company.

Inside information

If you have access to inside information and are therefore to be included on an insider list pursuant to the Market Abuse Regulation, we process your personal data in order to comply with our legal obligations under the Market Abuse Regulation (EU) 596/2014 and the Act (2016:1306) with supplementary provisions to the EU’s Market Abuse Regulation. The data that is processed is name, contact details, workplace and social security number. This processing takes place via a service provided by Modular Finance AB. Personal data is stored for at least five years.

Publication of insider transactions on our website

We process personal data in order to publish information from the Swedish Financial Supervisory Authority’s register for insider transactions on Momentum Group AB’s website. The publication takes place automatically via a service provided by Modular Finance AB. The personal data refers to name and position.

Momentum Group AB has a legitimate interest in publishing such information in accordance with guidelines for listed companies that do not follow from law, for example according to the Swedish Code of Corporate Governance. We also have a legitimate interest in being able to communicate internally and externally with such information relating to Momentum Group AB in order to provide good service, answer questions or to facilitate external contacts. The personal data is stored for five years.

Shareholders and their representatives

If you are a shareholder or represent a shareholder, we process your personal data in order to:

pay dividends,
administer participation in general meetings,
keep a share register, voting list and minutes,
report the largest shareholders in reports, press releases and on our website.

The processing takes place in order to comply with legal obligations under the Swedish Companies Act or on the basis of our legitimate interest in transparency as a listed company.

Personal data in financial statements is stored for ten years. Personal data in press releases is stored for five years. Publication of the largest shareholders on the website takes place automatically via a service from Modular Finance AB and continues as long as you are one of our largest shareholders.

Board of Directors, Management and Nomination Committee

We publish the names and positions of Board members, senior executives and members of the Nomination Committee on our website. The processing is based on our legitimate interest in complying with regulations and guidelines for listed companies that are not binding under legislation or decisions based on legislation for the purpose of increasing transparency and transparency in our operations. The personal data is stored for five years.

Suppliers and their representatives

We process personal data for the administration and follow-up of agreements with suppliers. This includes name, contact details, title and, in some cases, social security number when it is clearly justified with regard to the importance of secure identification. The processing is necessary for the fulfilment of contracts or legal obligations (e.g. under the Accounting Act). The personal data is stored during the contract period and up to ten years after the agreement has ended in accordance with the Limitation Act (1981:130).

Specifically for you as an employee of our accounting firm

The personal data is processed for the purpose of processing recalls, preparing annual reports, preparing an auditor’s report, registering an auditor with a public authority, keeping minutes or other purposes set out in law, including the Swedish Companies Act (2005:551). The personal data relates to name, title, contact details, employer. The processing is necessary to fulfil legal obligations under the Swedish Companies Act. Personal data is stored for as long as required by law or general limitation rules under the Limitation Act (1981:130).

The personal data is also processed for internal and external publication of the auditor’s name and refers to the name and title.

Momentum Group AB has a legitimate interest in complying with regulations and guidelines for listed companies that are not binding according to legislation or decisions based on legislation in order to increase transparency and transparency in our operations. The personal data is stored for five years

Whistleblowing

Momentum Group AB provides a whistleblower service in accordance with applicable law. The service gives people an opportunity to inform about a suspicion of serious misconduct at companies in the Momentum Group group. Personal data processed within the framework of whistleblowing is handled in accordance with our specific whistleblowing policy, available on our website.

5. Who has access to the data

Your personal data may be shared with our suppliers and partners who process personal data on our behalf (so-called data processors). These are:

Modular Finance AB (org.nr. 556920–1998) – services for subscriptions, ownership structure and inside information. The transfer of data from Momentum Group AB’s website to Modular Finance AB takes place through encrypted communication via TLS communication,
Amandus Communication AB (org.nr. 556978-2708) – has access via access to deliver contracted services regarding website administration,
Shibuya AB (org.nr. 556192-0025) has access via access to deliver contracted services regarding internal administration regarding IT services,
Momentum Industrial AB (org.nr. 556547–0134) – has access via access to deliver agreed services regarding internal administration regarding IT services, and
WhistleB Whistleblowing Centre AB (org.nr. 556873-2753) – which provides the WhistleB service for whistleblowing management. The transmission of data takes place through encrypted communication via TLS communication.

All suppliers are bound by agreements and may only process personal data according to our instructions. We may also disclose personal data to authorities or other actors who are independent data controllers for their processing, e.g. The Swedish Financial Supervisory Authority or the Swedish Tax Agency.

6. Transfer to third countries

We and our suppliers mainly process personal data within the EU/EEA. If personal data is transferred outside the EU/EEA, it will only be done when there is either a decision from the Commission that the third country in question ensures an adequate level of protection (such as the DPF) or appropriate safeguards, in the form of standard contractual clauses or binding corporate rules, that ensure that your rights are protected. If you want to know more about our protective measures, you can contact us using the information below.

7. Your rights

Under data protection legislation, you have the following rights when we process your personal data

Right to withdraw your consent (Art. 7(3) GDPR)
Right to certain information when personal data is collected (Articles 13 and 14 GDPR)
Right of access (Article 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (right to be forgotten) and restriction of processing (Articles 17 and 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object to processing (Art. 21 GDPR)
Right not to be subject to automated individual decision-making (incl. profiling) (Article 22 GDPR)

If you have any complaints regarding our processing of your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority that supervises companies’ processing of personal data.

We handle all requests without undue delay. If you would like more detailed information about our deletion policies for specific types of personal data , or if you would like to exercise any of the above rights, please contact us using the details below.

8. Cookies

Momentum Group AB does not use cookies on its website and does not collect any personal data automatically upon your visit. For more information, please see our separate Cookie Policy, which can be found on our website.

9. Technical and organisational security measures

Momentum Group AB takes appropriate technical and organizational security measures to protect personal data against unauthorized access, loss, destruction, manipulation or other unauthorized processing. These measures are adapted to the type of personal data being processed and the risk involved in the processing.

Technical security measures include:

Encryption of data when in transit over TLS and, where applicable, when stored.
Access controls based on permission and role, including two-factor authentication for administrative access.
Logging and monitoring systems to detect and manage unauthorized access or security incidents.
Regular data backups with tested recovery practices. Updating and patching systems and software to counter known vulnerabilities.

Organizational security measures include:

Internal data protection policy and documented procedures for handling personal data.
Data processing agreements with all suppliers who process personal data on our behalf.
Training of staff in data protection and information security.
Impact assessments (DPIAs) for treatments that may entail a high risk to the rights and freedoms of individuals.
Incident response procedures to be able to respond quickly to personal data breaches, including reporting to supervisory authorities.
The principle of data minimisation, which means that only necessary personal data is collected and processed.

These measures are reviewed regularly and updated as necessary to ensure an adequate level of protection in accordance with applicable data protection legislation.

10. Contact information

Momentum Group AB
Östermalmsgatan 87E
114 59 Stockholm