WM Shareholder Rights Directive Hub
Data Protection Notice
The EU Shareholder Rights Directive II and its corresponding implementation in national law give stock corporations (also known as public limited companies) the right to obtain information regarding their shareholders from banks and custodians. The laws and regulations, which establish this transfer, provide explicitly that stock corporations may use specialized service providers to request the data. These service providers should ensure that the data transfer is automated, smooth, and secure.
The WM Group has been providing reliable data services to the financial market for many decades. With the SRD-HUB, the WM Group provides an additional service that enables stock corporations to efficiently use their legal right of access to personal data and enables banks or custodians to comply with their obligation to provide the requested information.
In order to use the SRD-HUB, a contract with WM Group is needed. The initiation and execution of this contract involve the processing of personal data. This Data Protection Notice explains the details.
You may find the General Data Protection Notice of the WM Group at: https://www.wmgruppe.de/datenschutz
Only registered users may use the SRD-HUB. The registration requires the conclusion of a contract with the operator of the SRD-HUB. The operator is:
Keppler, Lehmann GmbH & Co. KG
Düsseldorfer Straße 16
60329 Frankfurt a. M.
Phone +49-(0)69-27 32-0
The representation authority of the company is Verlagsbeteiligungs- und Verwaltungsgesellschaft mbH (address as above).
In this text, it is always referred to as “WM Group”.
The WM Group has appointed a data protection officer who can be reached at the above address or by e-mail: email@example.com.
Emergency number: In case of a really urgent data protection issue regarding the SRD-HUB, please dial +49-(0)69-27 32-677 (available 24 hours a day).
Upon request of a stock corporation, the SRD-HUB shall request information about its shareholders from banks and custodians and provide it to the stock corporation. The right of access to personal data of the stock corporation is based, among other things, on the German Act Implementing the Second Shareholders Rights Directive (ARUG II) as well as on Implementing Regulation (EU) 2018/1212 for implementing the EU Directive 2007/36/EC. The law precisely regulates the right of access to personal data, the period, and especially the extent of the data.
Once a stock corporation has commissioned the WM Group to request shareholder’s personal data, the WM Group does so solely as a service provider and practically blind – in any case without pursuing its own purposes with these data. Therefore, the WM Group acts as a so-called processor within the meaning of Art. 28 of the GDPR. In practice, this means that the data subjects concerned by the data processing may also assert their rights under the GDPR with the WM Group, but the controller in such a constellation is the client of the WM Group (in this case the respective stock corporation).
For this reason, the WM Group always makes formal enquiries to the banks and custodians on behalf of the requesting stock corporation and only presents itself as a commissioned service provider (processor). The bank or custodian will be the controller until they hand over the shareholder’s data to the WM Group (officially to the stock corporation). Since the data are handed over as a copy, the banks and custodians will of course remain responsible in accordance with the GDPR. Once the handover has taken place, the requesting stock corporation is responsible for the copy.
We explain this background to provide a good overview of all data processing taking place. However, the respective controllers are responsible for the data protection notice covering the shareholder’s data. Therefore, the details presented below only refer to the data for which the WM Group is the controller within the meaning of the GDPR. One more restriction: We only describe processing activities that are directly related to the SRD-HUB. General data processing that otherwise concerns the WM Group is explained here.
The use of the SRD-HUB is only possible after registration and concluding a contract. This applies to both the stock corporations (which may request data) and banks / custodians (which shall provide data).
Our contractual partners are regularly legal entities (corporations), which as such are not identified as “data subjects” by the GDPR. However, corporations can necessarily only act with us through so-called natural persons (legal representatives). Personally Identifiable Information (PII) is therefore necessarily involved in the preparation and conclusion of contracts (and even in their termination). Of course, people also communicate with each other during the execution of the contract, although the SRD-HUB was made for fully automatic operation. At some point, there is something to coordinate or clarify, so people exchange e-mails or call each other. This is where the processing of PII within the meaning of the GDPR comes into play.
The GDPR requires that the legal basis for each processing activity be stated in the data protection notice. This information is of interest to the data subjects because different rights arise depending on the legal basis (see the section on “Rights” for further details). Article 6 para. 1 of the GDPR provides a catalogue of these legal bases. In the following, we will only mention the legal bases by their common names (shown in italics), which, however, may be used to make an exact classification in the GDPR, if necessary.
Regarding the conclusion, implementation, or termination of contracts, we process the necessary contact data of the legal representatives and / or other representatives acting on behalf of the corporation. If these data become a necessary part of the contract, the contract is the legal basis, for obvious reasons.
In addition to the contact data required by the contract, PII of other persons may be noted to be able to address them directly regarding particular issues arising from the business relationship. Especially in the case of more complex issues we occasionally make notes of the conversations so that we do not have to start with the same questions repeatedly in follow-up discussions. This form of data processing is made because we have an interest in efficient and customer-oriented cooperation and expect that the data subjects share this view, or in other words that they do not have objections. We obviously limit ourselves to what is necessary for business purposes when processing PII, and, in general, do not provide personal data to third parties without a legal basis. This allows us to base this data processing on the so-called legitimate interest.
The same applies to data subjects who are not yet customers of the SRD-HUB but are considering becoming customers (interested parties).
The use of the SRD-HUB is not free of charge. If the fees are charged depending on the usage, we have to collect data about the usage. This is done by recording which UserID carried out which transactions and when. We would like to be able to bill correctly and, if necessary, prove that a use of the service has taken place. This data processing may not result literally from the contract. However, we assume that correct and traceable billing is a legitimate interest for both parties.
Every visit to a website involves the processing of PII. To display the website in its intended look on the user device, the internet browser transmits the following data to the web server:
- the current IP address of your internet connection;
- if you visit the website via a link, the page from which you visit the SRD-HUB site;
- the date and time of access;
- the user’s operating system, the type of browser (e.g. Chrome, Firefox, etc.) and the browser version;
- as well as other technical details required for the display, such as the screen resolution.
The data may be deleted once the site has been displayed. Nevertheless, we still store these data for a maximum of 7 days to be able to trace possible errors or to better ward off illegitimate attacks on the website. These illegitimate attacks also endanger your safety while visiting our website, so that protective measures are also in your interest.
The processing of the technical data or log files is based on a legitimate interest.
Any further use of the data, especially for advertising purposes or profiling, does not take place.
The shareholder’s data processed by the SRD-HUB, upon request, need a high level of protection, so that we comprehensively secure the processing procedures; we owe this to the data subjects and our customers. Part of this protection is inter alia the identification of anomalies in the system and the traceability of transactions. For this purpose, usage logs are recorded from the registration process and then after each login, which include the following data:
- Date and time
- Type of transaction
Besides the proactive protection, we may use these data to resolve discrepancies about the use of the SRD-HUB. For this reason, it may be necessary for us to disclose the logs of a UserID to the corresponding customer, so that members of that company other than the employee behind the UserID may learn about the activities that person performed within the SRD-HUB. We do not have influence on these processes in our customer companies.
If this data processing is not already explicitly stated in the contracts with our customers, we carry out this data processing based on a carefully considered legitimate interest.
We use so-called technical session cookies exclusively to ensure the functionality of our website. Contrary to advertising or so-called tracking cookies, our cookies are deleted automatically once you leave our website, at the latest once you close your internet browser.
Cookies are small text files which are sent from a website to the internet browser to be stored and which may be sent back again. For example, this technology allows you to browse between internet pages without having to re-enter data you have already provided. If cookies were not deleted automatically after the visit to our website, as ours are, they could be used for reach measurement or tracing (advertising and so-called tracking cookies).
Advertising or tracking cookies may only be used if the user expressly gives his or her consent. Consent is not required for the technical session cookies we use, since they may be based on a legitimate interest.
To be accurate, we should also mention that in some cases we are obliged to process PII, e.g. due to a court order. This may include the transfer of user data to public authorities. Here the legal obligation applies as the lawful basis. Regarding civil law disputes, we use data in the interest of an efficient clarification of disputed positions (legitimate interest).
PII entrusted to us for processing will always be deleted immediately and completely under the instructions of the controller.
We, as a controller, shall delete all data processed under our responsibility. Of course, this is performed by following the requirements of the GDPR, which requires deletion after the purpose of the processing has been achieved – unless another purpose follows, which makes it necessary to process PII and justifies it. This is especially the case with commercial data. Commercial and tax laws require the storage of data within legal periods of retention. We naturally follow this legal obligation, and we consequently do not use the data for purposes other than the disclosure required during a tax audit.
Data which, for example, were essential for billing purposes may be deleted once the invoice is accepted and paid – unless tax laws make retention mandatory. This is an example of subsequent processing that is associated with the original purpose.
We regularly delete data we have processed to support the communication with our interested parties or customers at the latest after 36 months (starting after the end of the calendar year), once we consider a process as completed. For example, the interested person has decided against us; the customer’s contact person is replaced by a colleague; PII at a customer whose contract is fulfilled and therefore terminated. We do not consider an immediate deletion to be useful because some communication often takes place afterwards, for example, even though a contract has already been terminated. This subsequent processing also constitutes a legitimate interest.
There are precise specifications for public authorities from the Federal Data Protection Act of 2018 to store technical data from the operation of server systems. Article 76 defines not only a right to store but also a definite obligation. There are no such specifications for private sector companies. In this case, a solution shall be found independently, taking into account the circumstances of the individual case. We consider it legitimate to follow the guidelines for public authorities and to keep log files for a period of 12 months and then delete them. This period is in line with the limitation periods individually defined in our contracts for the SRD-HUB.
This regulation applies to all log files within the SRD-HUB, for example, all logging within the non-public area. We have already explained the lifetime of the log files recorded before the logon (only for a period of 7 days).
The GDPR requires that we also explain whether there is an obligation to provide the data.
We only process PII needed to fulfill the respective purpose. If the PII is missing, the purpose cannot be fulfilled (in particular concluding a contract to use the SRD-HUB, communication etc.).
The shareholder’s data are collected and processed to be transferred to the controller. Since we process on behalf of the controller, this transfer is, strictly speaking, not to be considered a transfer to ‘third parties’. In fact, the party which is entitled to the PII receives its own data.
We also use so-called processors for the processing of data. We do this especially in the interest of data protection and information security by involving qualified specialists for specific tasks. These specialized partners work as processors subject to instructions referring to data processing and are, of course, subject to the regulations of the GDPR. All service providers involved in the operation of the SRD-HUB work for us exclusively in Germany.
The GDPR confers several rights on every data subject (especially in Articles 15 to 18 [information, rectification, deletion, restriction of processing] and Articles 20 and 21 [data portability, objection]). Instead of a detailed repetition of what is already in the law, we would like to discuss the right to object in more detail here.
For all data processing activities formally based on the legitimate interest, we have already carefully weighed up the interests involved. This means we have already considered whether the processing is indeed legitimate and does not infringe the rights of the data subjects. However, individual situations may justify objections to the processing in particular cases.
Therefore, the GDPR gives you a right to object to all processing that we carry out on the basis of a legitimate interest. In this case, please use the contact details mentioned above to get in touch with us and explain why you raise an objection so that we may understand and evaluate your objection, and especially resolve it.
If the objection refers to direct marketing purposes carried out by us, you do not need to give any reasons; in any case, the processing would be stopped immediately and without further examination. Your data would no longer be processed for such purposes.
Furthermore, we are pleased to answer your questions about data protection. In this case, please use the contact details mentioned above; this also applies, of course, if you would like to make formal use of your guaranteed rights.
We take data protection very seriously and we are sure we can give you a very precise answer to all your questions. If you do not feel comfortable with the processing of your data in the context of the SRD-HUB, we would like to find a solution in the interest of both parties.
If this does not satisfy you, you also have the right to complain to a data protection supervisory authority at any time. The data protection supervisory authority responsible for us is:
The Hessen Commissioner for Data Protection and Freedom of Information; P.O. Box 3163; 65021 Wiesbaden; Phone: +49-(0)611-1408-0.
Changes in the operation of our website and/or the SRD-HUB may require adjustments to this data protection notice. You may find the latest information here: https://www.wm-srd-hub.eu/.
This data protection notice was updated on 20.08.2020.