Rev 04/2018, Updated 25.08.2020
UPM is committed to protecting and respecting your privacy. When processing any personal information provided by you, UPM shall always comply with and abide by the applicable personal data and data protection legislation. UPM has endeavored to take appropriate action to protect personal information provided by you in order to prevent their unauthorized access and incorrect use.
Site Security Systems covers: Access management system, CCTV camera system, SMS and email messages
How we collect personal data
Types of personal data we collect
The information we collect and process about you may include your full name, phone number, email, date of birth, tax identification number, starting and ending date of your presence at UPM’s site, your employer and employer’s business ID (or equivalent foreign company registration number), vehicles’ registration numbers and any other necessary information relating to access management that you may give us. Information we collect about you is used to manage security and access rights of UPM’s personnel, external service providers and tenants and any other third parties visiting UPM’s production facilities and/or sites located in Finland and for their monitoring within UPM’s production facility and/or site.
Using personal data (purposes and legal basis for processing)
UPM processes your personal data for its legitimate business purposes described above and:
- to identify visitors of our production facilities and/or sites (persons and owners of vehicles);
- to manage site access rights of persons working at production facilities and/or sites;
- to monitor persons and vehicles and keep real-time list of persons and vehicles (internal and external) in the production facilities and/or sites;
- to contact you if needed when entering or be present at our premises
- personnel site presence information can be used for checking purposes of contractor’s invoice and other legal obligation e.g. tax reporting
- internal investigation purposes e.g. fire event, ohs accident, security deviation
- Remote alarm center records phone information and data is used only for investigation purposes
Legal basis for processing your personal data is legal obligation, contract and legitimate interest.
Sharing data and international transfers
Information may be disclosed in accordance with applicable legislation to the competent authorities, such as the Finnish Tax Authority. Data will not be transferred by UPM outside the European Economic Area (EEA) regularly.
We may use third party service providers to enable us to provide the access management system or administer related activities on our behalf. We may share your information with these third parties only for the limited purposes outlined above. UPM will not disclose your personal information in any other circumstances, unless we have your consent or if disclosure is required by law.
Protection and storage of personal data
UPM has taken appropriate technical and organisational measures to restrict access to personal data and to protect it against loss, accidental destruction, misuse, and unlawful alteration. UPM has screening and selection procedures in place for third party service providers to guarantee secure processing of personal data. Access to the personal data files is restricted on a need-to-know basis to UPM employees and third parties who need to access the data for the purposes defined in section “Using personal data” above.
Contractor Portal database is located in Nebula datacenter in EU and data is not transferred outside EU. Data can be given out to authorities and other parties who have legal rights to receive info.
UPM will store personal data as long as required for the purpose it was collected for or as required to meet legal and/or regulatory requirements which is this case is 7 years from the year of collection.
Access to your personal data and your other rights
You have right to access the personal data held by UPM about you (and request a copy of such personal data) by contacting us on the email address or address indicated below. You have, where necessary, the right to have the data amended, rectified, or erased, if it is incorrect, inaccurate, imprecise or outdated, or obsolete as regards the purpose of its processing. You may be requested to verify your identity, specify your request, and may be asked for more information about your request.
If your request for rectification of your personal data is refused, you will be given a written certificate to this effect (also stating the reasons for the refusal). In this case or if in your opinion your personal data has not been processed in compliance with applicable data protection laws, you may bring the matter to the attention of the relevant data protection authority.
You may also request to restrict and object to the processing of your personal data, if it could compromise your rights to privacy. You have the right to restrict processing when you contest the accuracy of the data for the period its accuracy is verified, when the processing is unlawful, or when you have objected to the processing based on legitimate interests, until an overriding legitimate interest for processing is verified. In cases where processing of your personal data is based on consent, you have the right to withdraw your consent at any time.
If you have any questions about this Privacy Statement, processing of your personal data by UPM or you wish to make a data request, you may contact:
UPM-Kymmene Corporation / Privacy
Alvar Aallon katu 1, P.O. Box 380
FI-00101 Helsinki, Finland