Can shareholders' personal data be publicly posted online without their consent?

No. When the data controller (in this case the joint-stock company) obtains the Single Record of Shareholders from the Central Registry for the purpose of convening a Shareholders' Assembly, it may use such Record solely for that purpose. Any public disclosure of shareholders' identifying information online constitutes inadmissible processing of personal data, since such processing is done without a proper legal basis (explicit legal authority) and for a purpose different from that originally intended. The purpose of obtaining and using the Single Record of Shareholders is regulated in great detail by the Law on Companies and the Law on Capital Market, so any use of that Record for any other purpose is a form of inadmissible processing of personal data.