When we refer to “you” in this Privacy Policy, we refer to you as data subject (see Section II. below for more details on what this means). If you are interacting with us on behalf of others, please make sure all affected people receive the information stated in this Privacy Policy.

If we speak of “MTG”, “we” or “us” in this Privacy Policy, we refer to ourselves as controller as defined below. Our contact details are:

Modern Times Group MTG AB
Skeppsbron 18, Box 2094,
111 30 Stockholm, Sweden
Tel: +46 8 562 000 50

If you have any questions regarding this Privacy Policy, data protection or if you want to exercise your rights mentioned in Section IV., you can at any time contact us at our Data Protection Officer. His contact details are:

Dr. Matthias Walker
c/o Modern Times Group MTG AB
Skeppsbron 18, Box 2094,
111 30 Stockholm, Sweden
E-Mail: privacy@mtg.com

The meaning of certain terms we use in this Privacy Policy is defined by the General Data Protection Regulation (“GDPR”). When we refer to the GDPR we are referring to the General Data Protection Regulation of the UK as well, unless we otherwise specify that we are referring to only one of them.

All definitions set out in Art. 4 GDPR apply to this Privacy Policy. We’d like to explicitly mention the meanings of the following terms to make transparent what the often-used terms personal data, data subject, processing, controller and processor mean according to the GDPR:

• ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
• ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

As a controller we need a legal basis to process your data lawfully, according to Art. 6 para. 1 GDPR. If

• you have given your consent to the processing of your personal data for one or more specific purposes, this forms a legal basis according to Art. 6 para. 1 let. a) GDPR;
• the processing is necessary for the performance of a contract between you and us or in order to take steps at your request prior to entering into a contract, the legal basis for this is Art. 6 para. 1 let. b) GDPR;
• the processing is necessary for compliance with a legal obligation that applies to us, the legal basis for this is Art. 6 para. 1 let. c) GDPR;
• the processing is necessary to protect our legitimate interests or legitimate interests of a third party and such legitimate interests are not outweighed by your interests or fundamental rights and freedoms, the legal basis for this is Art. 6 para. 1 let. f) GDPR.

Under the GDPR you have certain rights concerning the processing of personal data by us. According to the GDPR you have the following rights:

• Right of information: You have the right to be provided information regarding the processing of your personal data by us, in accordance with Art. 13 and 14 GDPR.
• Right of access: You have the right to obtain confirmation as to whether we are processing your personal data and, if this should be the case, access to the personal data, in accordance with Art. 15 GDPR.
• Right to rectification: You have the right to obtain rectification of inaccurate or incomplete personal data concerning you, in accordance with Art. 16 GDPR.
• Right to erasure (“right to be forgotten”): Under certain circumstances you have the right to obtain the erasure of personal data concerning you, in accordance with Art. 17 GDPR.
• Right to restriction: Under certain circumstances you have the right to obtain the restriction of processing, in accordance with Art. 18 GDPR.
• Right to data portability: Under certain circumstances you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transmit this data to another controller, in accordance with Art. 20 GDPR.
• Right to object: Under certain circumstances you have the right to object to the processing of personal data concerning you, in accordance with Art. 21 GDPR. This includes but is not limited to the right to object in cases in which we process your personal data on the legal basis of Art. 6 para. 1 let. f) GDPR.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of the EU of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR, as set out in Art. 77 GDPR.
• Right to withdraw consent: If a processing of your personal data is based on your consent as set out in Art. 6 para. 1 let. a) GDPR or Art. 9 para. 2 let. a) GDPR, you have the right to withdraw your consent at any time, in accordance with Art. 7 para. 3 GDPR. Such withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
• Right to not be subject to a decision based solely on automated processing: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, as set out in Art. 22 para 1 GDPR.

The personal data we process can also be either processed by other parties on our behalf and according to our instructions by processors or shared with and processed by other controllers. When data is processed according to this Privacy Policy, it is principally done so by our employees and freelancers commissioned by us that are responsible for the specific matter the data is required for.

The following list gives you an overview of the main providers of tools and services we use and who might be a recipient of your data:

Providers of office tools:

Microsoft Enterprise Service Privacy
Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052 USA

and

Microsoft Ireland Operations, Ltd.
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18, D18 P521, Ireland (both together “Microsoft”)

and

Slack Technologies, Inc., 500 Howard Street, San Francisco, CA 94105
USA (“Slack”)

Data protection management tool:

OneTrust Technology Limited
82 St. John Street
Farringdon, London EC1M 4JN United Kingdom (“OneTrust”)

Press release tool:

Cision Sverige AB
Box 24194, 104 51, Stockholm
Sweden
(“Cision”)

Some of these recipients are established outside of the European Union. Principally, there are two possible safeguards we rely on when these recipients receive personal data of yours, to make sure an adequate level of protection for your data is provided:

• If a recipient is located in a country for which the European Commission has found it provides an adequate level of data protection, we rely on such adequacy decision by the EU Commission.
• If a recipient is not located in a country with an adequate level of data protection according to the European Commission, we either have concluded a contract with this recipient in which we agree on rules to make sure the recipient takes adequate care of your personal data (EU Standard Contractual Clauses developed by the European Commission) or we rely on binding corporate rules of a group of undertakings or enterprises that have been approved by a supervisory authority.

Apart from the main possible recipients mentioned above, the following categories of recipients can receive personal data from us, only if necessary for the specific case: financial and IT services; host providers; providers of data rooms for M&A transactions; potential buyers or sellers of an M&A transaction; external financial and legal advisors and auditors; courts or governmental authorities that legally legitimately oblige us (e.g., through subpoenas, court orders, governmental requests or search warrants) to disclose data.

You can find details on which recipients and categories of recipients are involved in the processing of personal data under Section VI.

In the following we’d like to inform you about how we process your personal data. These are the general processing activities that can apply when you interact with us. Every processing activity is broken down into 5 parts:

(a.) What: What data is processed?
(b.) Why: For what purpose is the data processed?
(c.) Who: With whom do we share the data?
(d.) Legal Basis: What law allows us to process the data?
(e.) How Long: How long do we keep the data?

1. Communicating With You
   1. What
      If we communicate with you via email or mail, we process all personal data you disclose to us during our conversation (e.g., you name, email address, the reason why you are contacting us etc.).Apart from this, it is also possible that we use other online messaging systems to communicate with you, if you wish to contact us over these channels. Please note that if you wish to contact us via such messaging systems, it is possible that the respective companies that offer these communication services may also process your personal data and that regarding this their privacy policies apply. We have no influence over such data processing by third parties. For further information on how these services process your personal data, please view their privacy policies.
   2. Why
      Depending on the specific conversation with you, the personal data can either be processed in order to take steps at your request prior to entering into a contract with us or to perform a contract you have concluded with us. Also, the processing can be necessary for us to comply with legal documentation obligations. Apart from this, the processing can also be necessary for the purposes of our legitimate interest to respond to mails and calls of yours when you contact us and are not our contractual partner as well as to have proof regarding substantial content of our conversation, including but not limited to cases of potential legal claims on our or your side.
   3. Who
      Depending on the specific case, recipients of the processed personal can be our providers of office tools.
   4. Legal Basis
      The legal basis for processing the personal data in order to take steps at your request prior to entering into a contract with us or to perform a contract you have concluded with us is Art. 6 para. 1 let. b) GDPR.The legal basis for processing the data for compliance with our legal obligations is Art. 6 para. 1 let. c) GDPR.The legal basis for processing the data due to our legitimate interest is Art. 6 para. 1 let. f) GDPR.
   5. How long
      The data is stored at least for the time until our contract with you is fully performed. If the data has been stored in order to take steps at your request prior to entering into a contract with us, we will store the data for as long as reasons objectively exist to believe that the respective conversation will be continued within the foreseeable future. Apart from this, your data can be stored according to statutory storage periods, should such laws apply to the respective data as well as the applicable limitation period, so that we can sufficiently defend ourselves against claims.

2. Visiting Our Website
   1. What
      When you visit our website, we process your IP-address.
   2. Why
      We process this data to display the website correctly in your browser. This is a legitimate interest of ours.
   3. Who
      Recipients of the processed personal data can be our IT service providers and host providers.
   4. Legal Basis
      The legal basis for processing the data is Art. 6 para. 1 let. f) GDPR.
   5. How long
      The data is only processed during your visit of our website and not stored in log files.

3. Press Release Subscription
   1. What
      You can choose to receive our news and company information via email. To send you the press releases and reports we process your email address and your selection of content you wish to receive, as well as the information regarding whether you have opened the email we sent you and, if this is the case, the time it was opened.
   2. Why
      The purpose of processing the personal data is to keep you updated on our business developments, products, and services via email according to your preferences to receive the information, and to better understand what was of interest to you or not.
   3. Who
      Recipient of the processed personal data is the provider of our press release tool.
   4. Legal Basis
      The legal basis for processing your personal data is your declaration of consent, in accordance with Art. 6 para. 1 let. a) GDPR.
   5. How long
      Your personal data will be stored for as long as you do not withdraw your consent. You can at any time withdraw your consent with effect for the future by using the unsubscribe link at the bottom of the email you received from us, or by contacting communications@mtg.com.

4. Data Subject Requests
   1. What
      When you contact us to make use of your data subject rights (see above), we process your name, email address and any additional information you provide us in your request as well as personal data to verify your identity as legitimate data subject, if needed.We might also process your personal data when you contact another company of the MTG group which is an affiliate company of ours (“MTG Company”) with such a request if the company reaches out to us for legal advice regarding the matter.
   2. Why
      The personal data of your request is processed for the purpose of answering your request as well as the purpose of proving our compliance with the GDPR by helping you as data subject exercise your rights set out in the GDPR. This is also a legitimate interest of ours.If we process additional data of yours to verify your identity, this is done to prevent cases of fraud committed by using false identities which is a legitimate interest of ours.If we receive your personal data from an MTG Company, we process your personal to help the company respond properly by giving it legal advice. As parent company, we work closely together with all MTG Companies and support them to ensure their compliance as well as a group-wide compliance with applicable laws. This is a legitimate interest of ours and all MTG Companies.
   3. Who
      Depending on the specific case, recipients of the processed personal data can be the provider of our data protection management tool, our providers of office tools, and external legal advisors.
   4. Legal Basis
      The legal basis for processing the data of your request is Art. 6 para. 1 let. c) in connection with Art. 12 GDPR as well as Art. 6 para let. f) GDPR.The legal basis for verifying your identity is Art. 6 para. 1 let. f) GDPR.If we receive your personal data from an MTG Company, the legal basis for receiving and processing the data is Art. 6 para. 1 let. f) GDPR.
   5. How long
      The data is stored for three years starting with the end of the year in which you made your request, so we and/or the respective MTG Company are able to prove our compliance and defend ourselves against any potential claims within the general statute of limitations in Sweden for claims by consumers.

5. Legal Work
   1. What
      We work together with MTG Companies and external advisors to assess and manage legal matters. If a matter, or dispute between you and us or between you and an MTG Company (see definition in Section VI.4.a) requires relevant legal review, we and, if necessary, the relevant MTG Company, process the data relevant to the matter or dispute. In particular, this may include your name, e-mail address and contact details.It is possible that MTG Companies seek legal support from us as their mother company in legal matters. In such case we might receive personal data of yours from the respective MTG Company and process the personal data required to grant it legal report.If we would receive from authorized courts or governmental authorities a legally legitimate and binding obligation to disclose data (e.g., through subpoenas, court orders, governmental requests or search warrants), we would comply with such.
   2. Why
      The purpose of the processing of the data by us and – if applicable – the involved MTG Company is the effective and uniform handling of legal matters. This is a legitimate interest of ours and the involved MTG Company. In addition, the data processing may serve to conclude and perform contracts with you.As a parent company, we also have a legitimate interest in supporting MTG Companies with legal matters to safeguard our business interest of us, the respective MTG Company and the entire MTG Group.In case of legally legitimate and binding obligations by authorized courts or governmental authorities we would have a legal obligation to comply.
   3. Who
      Recipients of the processed personal data can be our providers of office tools as well as external legal advisors and auditors. We can receive your personal data from an MTG Company if it seeks our support in which case the same recipients can apply.In case of legally legitimate and binding obligations by authorized courts or governmental authorities such courts or authorities would be the recipients of the data.
   4. Legal Basis
      If the data processing concerns the conclusion or performance of a contract with you, the legal basis of the data processing is Art. 6 para. 1 let. b) GDPR.If the data processing is based on a legitimate interest, the legal basis is Art. 6 para. 1 let. f) GDPR.In case of legally legitimate and binding obligations by authorized courts or governmental authorities the legal basis for disclosing data would be Art. 6 para. 1 let. c) GDPR in connection with the respective laws that state the legal binding effect of the obligation.
   5. How long
      The storage period for data processed for the purpose of handling legal matters, disputes or complying with legal obligations is governed by the relevant limitation period, so that we can sufficiently defend ourselves against claims, or by the relevant legal obligations to retain documents.

6. Mergers & Acquisitions
   1. What
      We work together with MTG Companies (see definition in Section VI.4.a) and external consultants to assess and manage mergers and acquisitions relevant to the MTG Group. In such case we process personal data that is shared with us by a third-party company we or an MTG Company might acquire, or we might share such personal data with a third-party company that is interested in acquiring a company of the MTG Group and with any MTG Company involved in such transactions. Principally, personal data is anonymized before it is disclosed and, should it be necessary to disclose personal data, such disclosure of personal data (e.g., names) would be kept to a minimum.
   2. Why
      The purpose of the processing of the data by us and – if applicable – the involved MTG Company is to review relevant material shared with us by a potential seller during an M&A process, so we can make good business decisions, or to enable a potential buyer to do so when sharing such data with it. This is a legitimate interest of ours, the involved MTG Companies, the MTG Group and the potential sellers or buyers.
   3. Who
      Recipients of the processed personal data can be our providers of office tools, providers of data rooms as well as external financial and legal advisors. We can receive your personal data from an MTG Company, or potential seller or buyer involved in the relevant M&A process in which case the same recipients can apply.
   4. Legal Basis
      The legal basis for processing your personal data is Art. 6 para. 1 let. f) GDPR.
   5. How long
      The storage period for data processed for the purpose of handling legal matters or disputes is governed by the relevant limitation period, so that we can sufficiently defend ourselves against claims, and by relevant legal obligations to retain documents. If a transaction has been successful, we might be obliged to store the respective personal data according to the applicable statutory provisions, in which case we will store the documents according to the retention periods stated in such provisions. Personal data that is no longer relevant if a transaction has not been successfully made, will be deleted.

7. Job Applications
   1. What
      We process personal data you provide when applying for a job or to work together with us as a freelancer (e.g., your name, date of birth, address, data included in your cover letter or CV etc.).
   2. Why
      The data is processed to decide if a contract with you will be concluded or, if you already have a contract with us, to perform our obligations, or terminate the contract.Your data will be stored if we have decided to not hire you, or if your employment with us has ended so we are able to defend ourselves against potential claims based on § 64 Diskrimineringslag in connection with § 10 Lag om medbestämmande i arbetslivet. This is a legitimate interest of ours.
   3. Who
      Recipients of the processed personal data can be our providers of office tools and external HR consultants.
   4. Legal Basis
      The legal basis for processing your personal data when you are applying and during your employment is Art. 6 para. 1 let. b) GDPR.The legal basis for processing your personal data if we have decided to not hire you, or if your employment with us has ended, is Art. 6 para. 1 let. f) GDPR.
   5. How long
      If we work together with you, your data is stored for the applicable statutory storage periods, in general this is ten years starting at the end of the year in which your contract has ended (criteria derived from the general statute of limitations of Sweden). Should we not decide to hire you, we will delete your application after two years starting with the decision of non-employment, so we are able to defend ourselves against potential claims based on § 64 Diskrimineringslag in connection with § 10 Lag om medbestämmande i arbetslivet.

8. Cookies, Website Analytics & Consent Management
   We use cookies on our website. To make it easy for you to inform yourself about these and to grant or withdraw a potentially necessary consent of yours or object to a processing based on a legitimate interest of ours, we have implemented a consent management platform. You can at any time open the consent management platform by clicking the “CUSTOMIZE COOKIES” link at the bottom of our website. In the consent management platform and in our Cookie Policy, you will find all information on what data is processed, who the recipient is, the purpose, legal basis and storage period.You can at any time of course also contact us via privacy@mtg.com if you want to declare your withdrawal or objection to us processing your personal data.

9. No Automated Decision-Making
   We do not process your data with means of automated decision-making (e.g., profiling).
   Last Updated: January 2, 2023