WÄRTSILÄ’S STATUTORY PRIVACY NOTICE

1 Purpose
Purpose of this Privacy Notice is to provide different stakeholders included in Wärtsilä’s data files collected and used to fulfil legal obligations about processing of their personal data. This Privacy Notice gives a general understanding of such personal data processing. However, the individual situations in which personal data is being processed may vary significantly. Thus, all of the information provided in this Privacy Notice may not be applicable to each different data processing situation. Please also note that there might be other legal obligations to pro-cess personal data in Wärtsilä that are not included in this Privacy Notice, but are informed in a different privacy notice or otherwise to relevant data subjects. If you want more detailed in-formation in relation to how specifically your personal data is being processed, you should contact your own principal contact person or use the contact information provided in section 13 of this Privacy Notice.

2 Data Controller
In respect of each data subject’s personal data, the controller is regarded to be the Wärtsilä Group company subject to the legal requirement to maintain the relevant statutory personal data. To certain extent, Wärtsilä Group companies are sharing so called global data systems, which are provided by Wärtsilä Corporation to the entire group. The global data systems are jointly controlled by Wärtsilä Corporation and each individual group company processing per-sonal data in such systems.
For the avoidance of doubt, in this Privacy Notice “Wärtsilä” shall refer to the company act-ing as the data controller in each individual case, or in case of global data systems, Wärtsilä Corporation and the applicable local group company together.
Regardless of the applicable data controller in each situation, the data subjects can always use their rights by contacting their own principal contact person or Wärtsilä Corporation as in-structed in section 13.

Contact address:
John Stenbergin ranta 2
P.O. Box 196
00530 Helsinki
Finland

Other contact details:
E-mail: dataprotection@wartsila.com

3 Lawfulness of Processing
The legal ground for processing of the personal data is fulfilment of a legal obligation. These obligations relate to e.g. following situations:
1) Market Abuse Regulation (MAR) (EU) No 596/2014

a. Insider lists

Wärtsilä has to maintain insider lists of persons who have access to information consid-ered as insider information under the MAR.
b. Closely associated persons

Wärtsilä entities subject to MAR have to maintain register of persons closely related to in-dividuals in managerial positions.
c. Notifications of transactions

Wärtsilä entities subject to MAR have to notify certain transactions conducted by persons in managerial positions or persons closely associated with them to relevant supervisory authori-ties.
d. List of persons with trading restrictions

Wärtsilä has to maintain a list of persons with trading restrictions, which according to MAR apply to named persons in specific roles in Wärtsilä.
2) Sanctions screening & reporting

Wärtsilä is obliged to follow legal requirements relating to international sanctions. In relation to these statutory obligations and also, to the extent allowed by applicable laws, due to Wärt-silä’s internal risk management interests (legitimate interest), Wärtsilä conducts sanctions screening of certain high risk third parties. Wärtsilä also reports suspected money laundering or terrorist funding attempts to the relevant supervisory authority.
3) Corporate governance

a. Share and shareholder registers

Subject to local laws, Wärtsilä has to maintain register of the shares and shareowners.
b. Shareholders’ meetings

Wärtsilä has to collect e.g. attendance and voting information in relation to shareholder meet-ings.
c. Board related data

Wärtsilä has to collect certain information of members of the board.

4 Purpose of Processing
Maintaining this personal information is necessary in order for Wärtsilä to fulfil its statutory obligations.

5 Types of Personal Data
1) Market Abuse Regulation (MAR) (EU) No 596/2014

a. Insider lists, information about insiders and closely associated persons (legal and natural) to individuals in managerial positions, including:

First, last and maiden name, home address details and possible use restrictions, phone num-ber, e-mail address, social security number, business identity code, date of birth, nationality, language, insider and share group, ID number, information about closely associated natural and legal persons of an insider
b. Notifications of transactions

Name, position, employer, information about the data subject’s transaction, including nature of the transaction, transaction date and venue, type of instrument, and other transaction de-tails
c. List of persons with trading restrictions

First, last and maiden name, home address details and possible use restrictions, phone num-ber, e-mail address, social security number, business identity code, date of birth, nationality, language, insider and share group and ID number
2) Sanctions screening & reporting

Possible inclusion in different sanction lists
3) Corporate governance

a. Share and shareholder registers

Name, home address, nationality of the shareholder, types and numbers of book-entries, number of votes
b. Shareholders’ meetings

Name and contact details of the shareholder, name of authorised representative of the share-holder, power of attorney, time of leaving and arrival and other additional information based on the data subject’s consent
c. Board related data

Board Member information, related party transactions and other relevant information

6 Regular sources of information
The primary sources of information are the data subjects. Wärtsilä may also collect infor-mation from reliable third parties such as trade register and national central securities deposi-tory.

7 Data Retention
Wärtsilä processes the personal data actively and regularly deletes unnecessary and outdated data when the relationship between the data subject and Wärtsilä is active. After the relation-ship between the data subject and Wärtsilä terminates, Wärtsilä retains the personal data for pre-defined time periods based on Wärtsilä’s genuine needs or legislative requirements Wärt-silä is subject to. For more information regarding the retention times, you may contact Wärt-silä Corporation by using the contact details provided in section 13.

8 Regular Data Disclosure
Personal data may be disclosed to Wärtsilä Group companies for purposes compatible with the processing purposes defined in section 4 of this Privacy Notice. Personal data may be disclosed to public authorities.

9 Data Transfers from EU/EEA
If personal data is transferred outside of the EU/EEA area, the data controller ensures that sufficient level of data protection is maintained through appropriate safety measures, e.g. EU commission’s model clauses. More information of such international data transfers and the applied safeguards may be received by contacting dataprotection@wartsila.com.

10 Data Security
Hard copies shall always be stored in locked-up premises. The data may be processed only by such Wärtsilä’s employees who need to have access to the manual data as a part of their duties.
Wärtsilä’s IT systems apply customary authorisation processes, e.g. individual access rights and passwords. Access is allowed only for such persons who have a legitimate need to access the personal data.
In case of outsourced applications and data processing activities, Wärtsilä Corporation pro-tects the data security by applying appropriate confidentiality and other clauses in the out-sourcing agreements.

11 Data subject’s rights
11.1 Access to information
Data subject is entitled to obtain information of the personal data concerning him/her which Wärtsilä is processing and obtain a copy of such personal data. Request for access may be pre-sented to Wärtsilä in accordance with section 13 of this Privacy Notice.
11.2 Right to rectification, erasure and restriction
Data subject is entitled to have any such personal data that is inaccurate, outdated, unneces-sary or contrary to the purposes of data processing corrected or erased. Requests concerning rectification and erasure may be presented in accordance with the instructions in section 13 of this Privacy Notice.
Data subject is also entitled to have the data controller to restrict processing of the data sub-ject’s personal data for example when data subject is waiting for the data controller’s answer to data subject’s access or erasure request.
11.3 Right to lodge a complaint
If the data controller does not follow the applicable data protection regulation, a data subject is entitled to lodge a complaint with competent data protection authority.

12 Using data subject’s rights
As a general rule, Wärtsilä does not charge the data subject for using his/her rights presented in section 11. However, Wärtsilä may, at its sole discretion,
(a) refuse to fulfil; or

(b) charge a reasonable fee for fulfilling of

several similar consecutive requests or requests that are manifestly unfounded or excessive. Wärtsilä is also entitled to decline requests on statutory grounds.

13 Contacting the Data Controller
In all questions and matters relating to personal data processing or rights of the data subject, data subjects can contact Wärtsilä Corporation. Wärtsilä Corporation shall further communi-cate the matter to the Wärtsilä entity considered as the data controller in the respective case. Data subjects may use their rights by e-mail to dataprotection@wartsila.com.