Processing of personal data by<br>VP SECURITIES / VP Securities

Processing of personal data by
VP SECURITIES

1. Introduction

The purpose of this Policy is to describe how VP SECURITIES A/S and subsidiaries of VP SECURITIES A/S (hereinafter called “VP”, “we” or “us”) process the personal data that we as data controllers receive about investors, our customers and our business partners.

VP is the data controller for the personal data that we receive in our capacity as a central securities depository and some of our ancillary services and as a company with many business partners.

Feel free to contact us at any time if you have any questions to the way we process your personal data. You can contact:

Chief Risk & Compliance Officer Jakob Hermansen
VP SECURITIES A/S
Weidekampsgade 14
2300 Copenhagen S
Denmark
Telephone: +45 4358 8920
Email: jah@vp.dk

2. The purpose and basis of our processing of personal data

2.1 Investors
VP SECURITIES A/S holds a licence to operate as a central securities depository. As a central securities depository, we keep records of holders of the securities (for instance shares, bonds and investment fund units) issued by us, and we settle (i.e. transfer from one securities account to another) securities transactions.

This means that we hold information on all holders of securities accounts with VP, and if it is a private individual who is registered as the account holder, we hold personal data on such individual.

We process personal data about the private investors who hold accounts with VP through their bank to be able to deliver our services as a central securities depository. In our system, we make the registrations requested by the investors and possibly their creditors through their banks or by the issuing companies. For instance registrations relating to the purchase or sale of securities or dividend payouts. We receive the personal data from our customers who in this case are the banks where the private investors are customers.

VP is governed by an EU regulation on central securities depositories and the Danish Capital Markets Act. Consequently, we have a legal obligation to process personal data by virtue of our activities as a central securities depository.

2.2 Customers
VP’s customers are primarily banks, mortgage institutions and issuers of securities which as companies are not subject to the rules on the processing and protection of personal data. In certain cases, we process personal data about individuals who are related to our existing or prospective customers in order to be able to comply with current anti-money laundering legislation, or we assist specific persons working at our customers in complying with the EU Market Abuse Regulation.

The data are either publicly available, or we receive them from the persons themselves or from our customer.

We process personal data because we have a legal obligation to do so, which is the case under anti-money laundering legislation, or on the basis of the data subject’s consent.

VP has various systems to which external users have access. We store personal data about the users and also log their conduct when using the systems to prevent abuse of our systems. In our systems, the logging of users is based on the legitimate interests of VP to ensure high IT security and prevent abuse of our systems.

2.3 Business partners and stakeholders, etc.
VP has a number of business partners about whom we store contact details, etc. These partners include employees of our customers, suppliers and prospective customers as well as people who have signed up for our newsletters. We store this information to be able to service our customers and manage our supplier agreements.

In connection with meetings and events, we also have visitors to our facilities whom we register before they are given access to our headquarters. We do so in compliance with our data security policy to protect against unauthorised access to our systems and data.

The data have been given to us by the relevant persons themselves or their employers.

The processing of personal data received from people who have signed up for our newsletter or have taken part in our customer satisfaction surveys is based on their consent, which may be withdrawn at any time.

Our storage of other information is based on legitimate interests such as IT security, marketing purposes or the servicing of customer relationships.

As part of our data security policy, we use video surveillance to monitor our headquarters.

3. Personal data categories

VP processes personal data only for specific purposes as mentioned in section 2 above and processes only the personal data necessary.

We handle only general personal data in the form of:

  • Name
  • Civil reg. no.
  • Postal address
  • Telephone number
  • Email
  • Profession/occupation
  • Financial information, for example securities portfolios
  • Proof of identity documentation, for example passport or driver’s licence, including photo
  • Information on beneficial owners or other information according to current anti-money laundering legislation
  • Video surveillance pictures
  • Initials, logon and passwords for users of our systems

We do not process sensitive personal data such as health details. As part of our control procedures under current anti-money laundering legislation, we may, however, process publicly available sensitive personal data, for example about politically exposed persons.

4. Recipients or categories of recipients

All VP’s employees are subject to a duty of secrecy, and any unauthorised disclosure or use of confidential information, including personal data, is prohibited. In some cases, we have a duty to disclose information to public authorities such as the Danish Financial Supervisory Authority or the tax authorities.

We also disclose personal data to the Danish State Prosecutor for Serious Economic and International Crime (SØIK) if we are ordered by the courts to produce further documents.

We also disclose personal data to the financial institutions which are the point of contact to the investors, and we disclose personal data to companies and funds, etc. which have issued securities through VP, either on the basis of consent or if regulations so permit.

We disclose personal data within the VP Group for the purpose of managing the services delivered by the Group and for internal administration purposes.

In some cases, we use various suppliers who process personal data on our behalf. In such cases we transfer personal data to the suppliers who become the data processors. For instance, in connection with the hosting of our IT platform when we send investor notifications to e-Boks and when we distribute our newsletter ‘News & Insights’. In the latter case, we transfer email addresses to a data processor based in the USA and registered under the EU-U.S.Privacy Shield, which is approved by the EU Commission.

5. Storage of your personal data

VP saves personal data as long as necessary and reasonable to fulfil the purpose for which the data are collected and processed. It varies how long we store personal data.

According to current legislation, we have the right and duty to store certain information. As a central securities depository, we must, among other things, store all data for ten years.

Therefore, we store personal data about investors for ten years. We store other personal data for five years in accordance with anti-money laundering legislation and the Danish Bookkeeping Act. In contractual relationships with a limitation period of ten years, we may store personal data for up to ten years after termination of the contract. The logging of the use of our systems is stored for up to two years.

6. Automated decisions, including profiling

As a general rule, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly affects you. Automated processing means that the matter is not assessed by a person, but that the data are processed solely by a system. VP does not use automated decisions.

7. The right to withdraw your consent

If VP’s processing of your personal data is based on your consent, you have the right to withdraw your consent at any time.

If you withdraw your consent, it will not affect the lawfulness of our processing of your personal data based on your previous consent up until the time of the withdrawal. Thus, if you withdraw your consent, it will not be effective until the time of the withdrawal.

8. Your rights

Under the General Data Protection Regulation (GDPR), you have various rights in relation to VP’s processing of information about you.

  • Right to access information (right of access)
    You have the right to access the information we process about you as well as various additional information.
    You can read more about how you request access at our website www.vp.dk
  • Right to rectification
    You have the right to have inaccurate information about you rectified.
  • Right to erasure
    In special circumstances, you have the right to have information about you erased before our general erasure occurs.
  • Right to restrict processing
    In certain circumstances, you have the right to restrict the processing of your personal data. If you have the right to restrict processing, VP may in future only process data – except for storage – with your consent or for the purpose of establishing, exercising or defending legal claims or for the purpose of protecting the rights of another person or for reasons of important public interest.
  • Right to object
    In certain circumstances, you have the right to object to VP’s processing of your personal data. This applies for instance if the processing is based on consent or VP’s legitimate interests.
  • Right to transmit data (data portability)
    In certain circumstances, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit the data from one data controller to another without hindrance.

Conditions or restrictions may apply to your rights. That depends on the specific circumstances of the processing of your personal data.

You can read more about your rights in the Danish Data Protection Agency’s guide to the rights of data subjects available at www.datatilsynet.dk.

9. Complaints to the Danish Data Protection Agency

You have the right to complain to the Danish Data Protection Agency if you are unhappy with the way VP processes your personal data.
Contact details of the Danish Data Protection Agency:

The Danish Data Protection Agency
Borgergade 28, 5th floor
DK-1300 Copenhagen K

Email: dt@datatilsynet.dk  
Telephone: +45 3319 3200
Website: www.datatilsynet.dk