Dematerialisation of shares: Change in deadlines and the perspective of the Personal Data Protection Office | In Principle

Go to content
Find what you need in over 1,000 articles
Search form
Subscribe to newsletter
In principle newsletter subscription form

Dematerialisation of shares: Change in deadlines and the perspective of the Personal Data Protection Office

03.09.2020 data protection | capital markets

The mandatory dematerialisation of shares of stock, introduced by the 30 August 2019 amendment of the Commercial Companies Code, was intended to bring about a situation as of 1 January 2021 where the shares of all joint-stock companies and joint-stock limited partnerships in Poland would take the form of an electronic record, and share documents would lose their legal force from that date. But the coronavirus epidemic has made it difficult for commercial entities to make this organisational change, and the parliament has extended the deadlines for complying with certain obligations related to dematerialisation of shares. The Polish Personal Data Protection Office has also issued an opinion on dematerialisation.

New deadlines

Under the legislation known as Anti-Crisis Shield 3.0, the deadlines for dematerialisation of shares were postponed. Thus, share documents will lose legal force on 1 March 2021, and entries in the register of shareholders will assume legal force on that date. But the most pressing deadline at the moment is 30 September 2020, by which time companies must adopt a resolution selecting the entity operating the register, conclude a contract with that entity, and issue the first summons to shareholders to submit their share documents.

Position of Personal Data Protection Office

At the height of preparations by companies and brokerages for operation of share registers, an opinion on the new institution was issued by the Personal Data Protection Office (UODO), evaluating the position of entities statutorily authorised to maintain registers of shareholders of non-public companies in the context of processing of shareholders’ personal data.

In UODO’s view, a non-public company transferring the data of its shareholders and the entity operating its share register (in practice usually a brokerage) are two independent controllers of personal data. UODO based its finding on three key aspects:

  • Autonomous tasks of entity operating register

According to UODO, the overall set of tasks imposed on the brokerage by the new regulations call for individual processing of shareholders’ personal data by the brokerage, as the amendment vests the brokerage with a range of duties and legal and organisational entitlements which the brokerage will undertake at its own initiative and within its own scope. All of these activities are connected with processing of the personal data of companies’ shareholders.

  • Function of entity operating register

By law, only entities authorised to issue registration certificates can operate share registers. This is their exclusive competence, independent of the company’s instructions. From UODO’s perspective, this means that the brokerage to which the company transfers the shareholders’ personal data has its own purposes for processing the personal data in the register, as specified by statute.

  • Entries in the shareholders’ register

The next argument asserted by UODO is the multiplicity of entities initiating entries in the shareholders’ register. Apart from the company, which originally submits the data for creation of the shareholders’ register, a request for entry in the register may be submitted by a shareholder or anyone else who has a legal interest in the entry. The company has no influence on the course of the entry process if the shareholder or third party filing with the brokerage appropriately demonstrates its legal interest in the entry. Consequently, it is not only the company that establishes the purpose of processing the data in the shareholders’ register.

In light of these arguments, UODO expressly found that entities maintaining shareholders’ registers, including brokerages serving this function, are also controllers of the personal data obtained for this purpose. Consequently, UODO indicates that the practice of companies concluding data processing contracts with entities maintaining shareholder registers would not be proper. Because the brokerage acts as a controller of personal data, the contract between the brokerage and the company for operating the shareholders’ register should contain relevant provisions reflecting this.

Danuta Pajewska, attorney-at-law, Katarzyna Jaroszyńska, attorney-at-law, M&A and Corporate practice, Wardyński & Partners

Recommended articles
Pseudonymisation of data in clinical trials and its implications for sponsors
The gig economy: Digital platform workers vs. personal data
The Digital Markets Act: A revolution, and not only for gatekeepers
“Bossware” under labour and data protection law
Remote work vs. personal data processing