Privacy Statement - Site Security Systems

Rev 04/2018, Updated 25.08.2020 and 3.2.2022

UPM-Kymmene Corporation and its affiliates (“UPM”) is committed to respecting and protecting your privacy. This Privacy Policy governs the manner in which UPM-Kymmene Corporation and its Group companies (“UPM”) collect and process personal information of UPM’s employees and external visitors accessing its production facilities and/or sites. By accessing UPM’s production facilities and/or site, you agree to be bound by these terms and conditions. This Privacy Policy may be updated from time to time (any changes will be posted here).

This Privacy Policy only covers data processing carried out by UPM and not by any third parties operating any site or service incorporating or linking to our services.

UPM is committed to protecting and respecting your privacy. When processing any personal information provided by you, UPM shall always comply with and abide by the applicable personal data and data protection legislation. UPM has endeavored to take appropriate action to protect personal information provided by you in order to prevent their unauthorized access and incorrect use.

Site Security Systems covers: Access management system, CCTV camera system, SMS and email messages 

How we collect personal data

We collect your personal information when you visit our production units or other locations. By accessing our production facilities and/or sites, you accept and acknowledge the use of your personal data in line with this Privacy Policy.

In addition to you, UPM may obtain information about you through UPM's contractor portal, External access portal, access control system or third parties (such as a subcontractor or tenant) who works with us.

Through camera surveillance (CCTV), we process image and personal information about people moving in an area covered by UPM camera surveillance. Area covered by camera surveillance is informed with signs.

Types of personal data we collect

The information we collect and process about you may include your full name, phone number, email, date of birth, tax identification number, starting and ending date of your presence at UPM’s site, your employer and employer’s business ID (or equivalent foreign company registration number), vehicles’ registration numbers, photograph for permanent personal access rights and any other necessary information relating to access management that you may give us.

The camera surveillance systems record video and image data as well as the date and time of the data on people moving in UPM's territory (without sound).

Using personal data (purposes and legal basis for processing)

Information we collect about you is used to manage security and access rights of UPM’s personnel, external service providers and tenants and any other third parties visiting UPM’s production facilities and/or sites and for their monitoring within UPM’s production facility and/or site.

UPM processes your personal data for its legitimate business purposes described above and:

  • to identify visitors of our production facilities and/or sites (persons and owners of vehicles);
  • to manage site access rights of persons working at production facilities and/or sites;
  • to monitor persons and vehicles and keep real-time list of persons and vehicles (internal and external) in the production facilities and/or sites;
  • to contact you if needed when entering or be present at our premises
  • personnel site presence information can be used for checking purposes of contractor’s invoice and other legal obligation e.g. tax reporting
  • internal investigation purposes e.g. fire event, ohs accident, security deviation
  • remote alarm center records phone information and data is used only for investigation purposes
  • monitoring and development of activities and reporting
  • The purpose of the camera surveillance system is to protect property as well as to help detect and prevent misconduct and crime. The purpose of camera surveillance is also to protect the safety of people in the area.

Legal basis for processing your personal data is legal obligation, contract and legitimate interest.

Sharing data and international transfers

Information may be disclosed in accordance with applicable legislation to the competent authorities, such as the Finnish Tax Authority. Data will not be transferred by UPM outside the European Economic Area (EEA) regularly.

We may use third party service providers to enable us to provide the access management system or administer related activities on our behalf. We may share your information with these third parties only for the limited purposes outlined above. UPM will not disclose your personal information in any other circumstances, unless we have your consent or if disclosure is required by law.

Protection and storage of personal data

UPM has taken appropriate technical and organisational measures to restrict access to personal data and to protect it against loss, accidental destruction, misuse, and unlawful alteration. UPM has screening and selection procedures in place for third party service providers to guarantee secure processing of personal data. Access to the personal data files is restricted on a need-to-know basis to UPM employees and third parties who need to access the data for the purposes defined in section “Using personal data” above.

UPM retains personal data for as long as it is needed for the purpose for which it was collected or as required by law. For visits, the retention period is six years from the year the data were collected. The retention period for camera surveillance data is three months.

The information may be provided to public authorities and other parties who have a legal right to receive the information.

Access to your personal data and your other rights

You have right to access the personal data held by UPM about you (and request a copy of such personal data) by contacting us on the email address or address indicated below. You have, where necessary, the right to have the data amended, rectified, or erased, if it is incorrect, inaccurate, imprecise or outdated, or obsolete as regards the purpose of its processing. You may be requested to verify your identity, specify your request, and may be asked for more information about your request.

If your request for rectification of your personal data is refused, you will be given a written certificate to this effect (also stating the reasons for the refusal). In this case or if in your opinion your personal data has not been processed in compliance with applicable data protection laws, you may bring the matter to the attention of the relevant data protection authority.

You may also request to restrict and object to the processing of your personal data, if it could compromise your rights to privacy. You have the right to restrict processing when you contest the accuracy of the data for the period its accuracy is verified, when the processing is unlawful, or when you have objected to the processing based on legitimate interests, until an overriding legitimate interest for processing is verified. In cases where processing of your personal data is based on consent, you have the right to withdraw your consent at any time.

If you have any questions about this Privacy Statement, processing of your personal data by UPM or you wish to make a data request, you may contact:

UPM-Kymmene Corporation / Privacy
Alvar Aallon katu 1, P.O. Box 380
FI-00101 Helsinki, Finland