Privacy Notice for Stakeholders at Musti Group Oyj

Last updated: 17.12.2025

Scope and Data Subject Groups

This privacy policy applies to the processing of personal data of our shareholders, Members of the Board and individuals who are associated with Musti Group’s governance or investment activities. Musti Group Oyj handles personal data that is strictly necessary to comply with legal requirements, such as corporate governance, shareholder administration, and board management.

The Musti Group comprises the company affiliates of Musti Group Oyj and its brands: Musti ja Mirri, Arken Zoo, Djurmagazinet, Vetzoo, Peten Koiratarvike and Animail. Musti Group Oyj is part of SONAE SGPS. The Musti Group and its affiliated companies are throughout this Privacy Notice individually or collectively referred to as “Musti”, “we” or “us”.

Controller

Musti Group Oyj (later “Musti Group”, “Group”, “we”, “us”, “our”)

Mäkitorpantie 3

00620 Helsinki, Finland

Our data processing is managed on our behalf by our subsidiary, Musti Group Nordic Oy. The subsidiary acts under our instructions and does not serve as a data controller. It also handles inquiries regarding our data processing and your rights related to personal data. If you have any questions about our privacy practices or if you wish to exercise your rights as a data subject, please contact us at the following address: privacy@mustigroup.com

1. When do we collect your personal data?

We only collect personal data in situations where it is necessary for Musti Group’s legal and governance responsibilities, such as:

  • When you are appointed as a member of the Board or the executive team
  • When you are listed as an investor or shareholder
  • When you are part of our investor communications or IR materials
  • When you are directly involved in Musti Group’s decision-making or investment activities
  • When you are an employee, advisor or other individual who has been granted access to inside information.

2. What personal data do we process?  

We process the following types of personal data that we obtain directly from data subjects:

  • Identification details, such as social security number and full name.
  • Contact details, such as address and email address.
  • Employment details, such as role and experience.
  • Contract information, such as details and metadata of contracts and agreements.
  • Marketing preferences, such as consents and prohibitions.
  • Event participation, such as participation details.
  • Insider data, such as reason for inclusion on the insider list.
  • Transaction data, such as transaction date and time and quantity and price of the trade.

Information obtained from third parties:

  • Public authorities, for example information based on data from the Trade Register and other official registers.

3. From where do we acquire data?

We obtain stakeholder data primarily from three sources: directly from the data subjects themselves, from parties authorized by the data subjects, and from official registers maintained by public authorities, such as the Trade Register maintained by PRH. In addition, data may be collected from documents and communications related to contracts, governance, and regulatory obligations, as well as from mandatory disclosures required by law and group-level reporting systems when individual-level data is necessary.

4. Purposes of Processing Personal Data and Legal Basis

| Purpose of the processing of personal data | Data categories | Legal base | Description of the legal base applied to the purpose |
|---|---|---|---|
| Investor communications and IR materials when personal data is included, for example, regarding members of the executive team or the board of directors. | Employment details | Legitimate interest | We have a legitimate interest in communicating with our shareholders and other relevant parties on matters related to the group’s governance and decision-making. Any impact on individuals’ privacy is assessed to be minimal. |
| Management of shareholder registers, meeting invitations, and general meeting documents. | Identification details; Contact details; Event participation | Legal obligation | Limited Liability Companies Act 624/2006 obliges us to maintain shareholder information and conduct shareholders’ meetings in accordance with its procedures. |
| Organising governance and maintaining records of board members and management (e.g., contracts, benefits, and remuneration). | Identification details; Contact details; Contract information | Compliance with a legal obligation, Legitimate interest and Performance of a contract | We process this data to comply with statutory obligations under the Finnish Limited Liability Companies Act 624/2006, which requires companies to organize governance and maintain records of board members and management. In addition, Musti Group has a legitimate interest in ensuring effective corporate governance and fulfilling its responsibilities towards shareholders and other stakeholders. Processing is also necessary for the performance of contracts, such as employment agreements for senior management or agreements that define the roles and responsibilities of board members. |
| Group-level HR reporting, when reporting is based on individual-level data or includes personal data. | Identification details; Contact details; Employment details; Contract information | Legitimate interest, legal obligation | Musti Group provides reporting to its stakeholders, employees, and other relevant parties to inform them about key measures, plans, and decisions made at the company level. This processing is based on our legitimate interest in ensuring transparency and effective communication. In addition, certain legal obligations require us to process personal data. For example, EU regulations such as Directive 2464/2022 on corporate sustainability reporting mandate the collection and disclosure of information related to our workforce, diversity policies, leadership practices, and accountability measures. |
| To ensure market integrity by preventing insider dealing, supporting regulatory investigations, and meeting statutory record-keeping and reporting requirements. | Insider data; Transaction data | Legal obligation | Under EU Market Abuse Regulation (MAR) 596/2014, Articles 18 and 19, companies must process certain personal data to comply with legal obligations. This includes maintaining insider lists and monitoring/reporting transactions by persons discharging managerial responsibilities and their closely associated persons. The legal basis for processing is compliance with a legal obligation under MAR. |

5. Do we transfer personal data outside the EU/EEA area?      

As we cannot do everything ourselves and rely on several third parties that help us to conduct our business operations, there are situations when your personal data is transferred to a country outside the European Union or European Economic Area (“Third Countries”). For example, some IT systems that we use to store personal data are in Third Countries. In addition, some sub-contractors of our business partners can have access to personal data in limited situations.

When your personal data is transferred to a Third Country, the level of protection guaranteed by the GDPR might decrease. Therefore, before any transfer, we take necessary measures to ensure a high level of protection of your personal data as required by the GDPR. Such measures we have implemented include the use of the ‘standard contractual clauses’ (SCCs) approved and provided by the EU Commission as part of the agreements we enter with the recipients of personal data in Third Countries. You can read more about the SCCs here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

| Recipient | Service Description | Service Area | Description |
|---|---|---|---|
| Microsoft Corporation | Email and office services etc. | EU | Microsoft is certified under the EU-US Data Privacy Framework. |
| Google Analytics | Web analytics service | EU/USA | Google is certified under the EU-US Data Privacy Framework. |
| Cloudflare, Inc | Improves website performance and protects against cyber threats by acting as a global content delivery network | EU/USA | Cloudflare is certified under the EU-US Data Privacy Framework. |
| IDX/Investis | Investor relations | UK | The United Kingdom is subject to an adequacy decision by the European Commission, which allows the transfer of personal data from the EU to the UK without additional safeguards. |

6. Your Rights as a Data Subject    

Under applicable data protection legislation, you have certain rights regarding your personal data. These rights are not absolute and may be subject to limitations, for example where we must retain data to comply with legal obligations. To exercise any of the rights below, please contact us at privacy@mustigroup.com. We may need to verify your identity before fulfilling your request.

  • Right to information and access: You can request details about how we process your personal data and obtain a copy of the data we hold about you.
  • Right to rectification: You can ask us to correct or update inaccurate or incomplete personal data.
  • Right to erasure: In certain cases, you may request deletion of your personal data, subject to legal retention requirements.
  • Right to restriction and objection: You may request that we restrict processing or object to processing based on our legitimate interests.
  • Right to data portability: Where applicable, you can request your data in a machine-readable format.
  • Right to lodge a complaint: You have the right to lodge a complaint to the supervisory authority if you believe your data has been processed unlawfully or you are not happy about our privacy practices. Find the contact details of the supervisory authority below:

Finland: https://tietosuoja.fi/ilmoitus-tietosuojavaltuutetulle

7. How long do we store your data?   

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Notice or to comply with statutory requirements. Retention periods vary depending on the category of data and applicable legal obligations, for example:

| Data Category | Retention Period | Legal Reference |
|---|---|---|
| Board and executive member data | Board and general meeting minutes: permanent*; Financial statements: 10 years | Limited Liability Companies Act 5:23 §, 6:2 §; Accounting Act 2:10 § |
| Shareholder information | Shareholder register: permanent*; General meeting minutes: permanent* | Limited Liability Companies Act 3:15–17 §; Accounting Act 2:10 § |
| Insider data, transaction data and data on closely associated people | 5 years | Article 18(5) of the EU Market Abuse Regulation (MAR) 596/2014 |

*‘permanent’ means that the document is retained for the entire lifespan of the organization.

8. Who do we disclose your personal data to? 

We primarily process your personal data within Musti Group. When we disclose personal data to partners or third parties, all disclosures are always protected through binding contractual terms, strict organisational controls, and technical safeguards applied to all subcontractors.

Musti Group

Information about our stakeholders and their decisions is essential for operations across the Group’s subsidiaries and senior management. As a result, a significant portion of our data transfers occurs within the Musti Group or to companies belonging to the same economic interest group. We disclose personal data to our subsidiaries or parent company in situations such as:

  • Communicating HR-related matters, including decisions on personnel and resources

Partners and third parties

We work with selected partners and service providers who support our operations and provide services that we cannot deliver internally. These include, for example:

  • Companies providing IT systems, infrastructure, and technical support
  • Service providers offering data storage and cloud solutions
  • Marketing and communications partners

Authorities

In certain cases, as required by law, stakeholder data is disclosed to authorities such as the Finnish Patent and Registration Office (PRH) and the Finnish Financial Supervisory Authority. These disclosures occur in connection with mandatory regulatory obligations, for example:

  • Submitting insider lists or reporting transactions by managers and persons closely associated with them under the Market Abuse Regulation (MAR)
  • Notifying beneficial owners to PRH

9. How do we keep your data safe?

Musti Group applies strict and up-to-date data security measures to protect your personal data. It is important for us to protect the confidentiality and integrity of your personal data when we are processing it. We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure.

Your personal data is protected by physical, organizational, and technical means. Data is stored on securely located servers behind firewalls. When we use our partners to process your personal data, we require them to follow the same rules that we follow. Only authorized persons are allowed to access the data, and we maintain various technical measures to protect the data and control access.

10. Changes to this Privacy Notice

We may update this Privacy Notice from time to time, for example due to changes in legislation, regulatory guidance, or our business operations, and we encourage you to review its contents regularly.