04.12.2017, Updated 01.06.2020
UPM-Kymmene Corporation and its affiliates (“UPM”) is committed to respecting and protecting your privacy. This Privacy Statement describes what types of personal data UPM may collect about you work as a contractor for UPM in the Finnish production sites. As used in this Privacy Statement “personal data” means any information that is capable of identifying you as an individual either submitted by you when using our Services and/or obtained through alternative channels.
We may update this Privacy Statement from time to time to reflect changes in our Services, operations and/or applicable law. Any changes will be posted here.
How we collect personal data
The contractor enters data on a standard form on every employee and firm working for the contract. Timestamps are received from the system indicated by the user or contractor. Further UPM ERP system is used as a source of the data (PO and WO).
Types of personal data we collect
The types of personal data we collect and process about the person include the following personal data:
- UPM Purchase orders and work orders;
- all contractors and subcontractors;
- registration country of the employer;
- name and address of the representative of foreign firm in Finland;
- names, dates of birth, contact info, tax number of the employees and other work related information;
- the citizenship of employees and info about residence permits and expiry dates;
- the collective labour agreement applied to the employee;
- safety induction acquired (occupational safety card, licence for hot works);
- timestamps from access control system;
- timestamps for maintenance work phases;
- location data regarding the timestamps (based on user consent).
Using personal data (purposes and legal basis for processing)
UPM processes your personal data for its legitimate business purposes:
- Work documentation, management and invoicing;
- Organising access control on site;
- Controlling and complying with the safety regulations concerning people working on site;
- Controlling status of safety trainings;
- Controlling and complying with the legal obligations concerning foreign labour and leased labour;
- Generate summary logs from access control system as a basis for service entry.
- Validation of work and invoice processing.
Legal basis for processing your personal data is legal obligation, contract and legitimate interest.
Sharing data and international transfers
Information may be disclosed in accordance with applicable legislation to the competent authorities, such as the Finnish Tax Authority. Data will not be transferred by UPM outside the European Economic Area (EEA) regularly.
We use third party service providers to enable us to maintain the contactor portal. These third parties have access to your information only for the limited purposes outlined above. UPM vendors have access to the portal regarding their own workers. The access is for verification purposes. UPM will not disclose your personal data in any other circumstances, unless we have your consent or if disclosure is required by law.
Protection and storage of personal data
UPM has taken appropriate technical and organisational measures to restrict access to personal data and to protect it against loss, accidental destruction, misuse, and unlawful alteration. UPM has screening and selection procedures in place for third party service providers to guarantee secure processing of personal data. Access to the personal data files is restricted on a need-to-know basis to UPM employees and third parties who need to access the data for the purposes defined in section “Using personal data” above.
Contractor Portal database is located in Nebula datacenter in EU and data is not transferred outside EU. Data can be given out to authorities and other parties who have legal rights to receive info.
UPM will store personal data as long as required for the purpose it was collected for or as required to meet legal and/or regulatory requirements which is this case is 7 years from the year of collection.
Access to your personal data and your other rights
You have right to access the personal data held by UPM about you (and request a copy of such personal data) by contacting us on the email address or address indicated below. You have, where necessary, the right to have the data amended, rectified, or erased, if it is incorrect, inaccurate, imprecise or outdated, or obsolete as regards the purpose of its processing. You may be requested to verify your identity, specify your request, and may be asked for more information about your request.
If your request for rectification of your personal data is refused, you will be given a written certificate to this effect (also stating the reasons for the refusal). In this case or if in your opinion your personal data has not been processed in compliance with applicable data protection laws, you may bring the matter to the attention of the relevant data protection authority.
You may also request to restrict and object to the processing of your personal data, if it could compromise your rights to privacy. You have the right to restrict processing when you contest the accuracy of the data for the period its accuracy is verified, when the processing is unlawful, or when you have objected to the processing based on legitimate interests, until an overriding legitimate interest for processing is verified. In cases where processing of your personal data is based on consent, you have the right to withdraw your consent at any time.
If you have any questions about this Privacy Statement, processing of your personal data by UPM or you wish to make a data request, you may contact:
UPM-Kymmene Corporation / Privacy
Alvar Aallon katu 1, P.O. Box 380
FI-00101 Helsinki, Finland