>

Posti register on the executives and their circle of acquaintances



Processing of personal data in Posti register on the executives and their circle of
acquaintances is the responsibility of Posti Group Corporation

Posti Group Corporation (business ID: 1531864-4)
PO Box 1, FI-00011 POSTI, Finland
Street address: Postintaival 7 A, Helsinki
Tel. +358 20 4511

Data Protection Officer: tietosuoja@posti.com

Purpose and legal basis of personal data processing
Posti Group Corporation’s register on the executives and their circle of acquaintances
contains information about the executives referred to in the market abuse regulation of
the European union, their circle of acquaintances and their business operations.
The purpose of the register is to comply with the control referred to in article 19 of the
regulation on market abuse ((EU) 596/2014) regarding the business operations of the
executives and their circle of acquaintances. The processing of data is thus based on the
fulfillment of Posti’s statutory obligations.

Data processed in the register and its retention

In terms of the executives and their circle of acquaintances, the following information is
to be marked in the register:
- The executive's position
- For the circle of acquaintances: grounds for being included in the circle of
acquaintances
- Name of the natural or legal person, a form of identification if delivered (date of
birth, business ID)
- Start date of position or relationship as an executive or acquaintance
- Contact details (telephone, e-mail, mailing address)
- Business notifications received from the registered party and published
Data in the register will be retained only for as long as necessary to implement the
purposes defined in this data protection statement, unless otherwise required by
legislation.

Regular sources of data

The executive and their circle of acquaintances and public sources of data, such as the
Trade Register and the Business Information System.

Safe disclosure of data
Information can be disclosed by parties referred to in the market abuse regulation and
the related control measures. The parties may include legality control authorities in the
EU area, such as the Financial Supervisory Authority and the police in Finland.

Data is regularly transferred to Posti Group Corporation's countries of operation outside
the EU. Due to the technical processing of data, some of the data may be physically
situated on external subcontractor servers or hardware, through which they are
processed via a technical remote connection. Personal data is not transferred outside
the European Union or the European Economic Area, unless it is necessary for the
technical implementation of the service. In all cases, the precondition for disclosing and
transferring data is that the parties receiving and processing the data have signed an
agreement with Posti Group Corporation that ensures the legal processing of the data.

Data protection principles

Posti Group Corporation is responsible for the confidentiality, usability, integrity and
accuracy of the data in the register. Data is transferred using information security
solutions that comply with Posti Group Corporation's information security principles. Data
is encrypted in compliance with the information security principles of Posti Group.
Separate instructions have been prepared on the processing of sensitive data.

Rights of data subjects, access to information, rectification and completion of
data, restrictions

The data subject has the right to know about the processing of his or her personal data,
to review his or her personal data and to request rectification of inaccurate data and
completion of incomplete data. The data subject may request the erasure or transfer of
personal data or request restriction of processing. When processing is based on
consent, consent can be withdrawn at any time.

When logged in, data subjects can also submit a request for a review of personal data at
www.posti.fi/yhteystietoni.

Data subjects may also submit requests for review, rectification and completion by
personally visiting Posti Group Corporation’s address mentioned above or by sending a
signed request to the said address or by sending a scanned copy of a request by e-mail
to tietosuoja@posti.com.

Requests will be handled on a case-by-case basis, as these rights may be subject to
restrictions due to the circumstances.

All data subjects have the right to lodge a complaint with a supervisory authority,
especially in the Member State where they have their habitual residence or place of work
or where the alleged breach of the data protection regulation occurred (in Finland, the
supervisory authority is the Data Protection Ombudsman).