Mowi ASA reprimanded and ordered to update its procedures
Shareholders must be informed when personal data is collected from an equity manager.
The Data Protection Authority has reprimanded the seafood company Mowi ASA for failing to provide all the information required by the General Data Protection Regulation to company shareholders. The information in question is personal data collected by Mowi directly from the company’s equity managers.
In addition, Mowi is ordered to ensure that notification procedures and documentation are in compliance with the General Data Protection Regulation – this includes changes to the company’s privacy policy.
In Norway and other European countries, it is possible to purchase shares in listed companies through a bank, which then acts as a manager of the shareholding. This means that the company does not necessarily know who its shareholders are. Under the Public Limited Liability Companies Act, however, the company has the right to ask the equity manager to disclose the identity of the underlying owner of the managed shareholdings.
When the company collects such information from the equity manager, personal data is processed. The company must therefore provide the shareholders in question with all the information required by Article 14 of the General Data Protection Regulation. Mowi failed to do so.
“This case is an important reminder that the GDPR's requirement to provide information also applies when personal data is processed in accordance with a legal right, like that granted under Section 4-10 of the Public Limited Liability Companies Act. One cannot presume that a shareholder purchasing shares through their bank is aware of the fact that their personal data may be shared with the company whose shares they purchased. Listed companies in Norway should take this decision into consideration,” says then acting Director Janne Stang Dahl.
Mowi is headquartered in Norway, but has connections with and shareholders in several European countries. The Norwegian Data Protection Authority has therefore considered this case in collaboration with several supervisory authorities in other EEA countries through the so-called one-stop-shop mechanism. As the leading supervisory authority, the Norwegian Data Protection Authority has had primary responsibility for the investigation, processing and decision-making in this case.