Data processing agreement


This Data Processing Agreement (“DPA”) shall govern the processing of the Controller Personal Data by Processor on behalf of Controller pursuant to the Agreement. “Processor” means the supplier or other third party who processes personal data in connection with provision of services or other activities provided to Controller. “Controller” means UPM-Kymmene Corporation and/or any of the companies belonging to UPM group. “Agreement” means the agreement referred to in the General Processing Specification Form. The General Processing Specification Form specifies the Controller Personal Data which is processed by the Processor on behalf of the Controller pursuant to the Agreement and shall form an integral part of this DPA.

This DPA shall form an integral part of the Agreement and is incorporated by reference into the Agreement. In case of conflict between the Agreement and this DPA, the provisions of this DPA shall prevail. In case of conflict between this DPA and the General Processing Specification Form, the provisions of the General Processing Specification Form shall prevail.


The Processor shall process Controller Personal Data only as necessary to provide the Services under the Agreement to the Controller and as instructed by the Controller in writing. “Controller Personal Data” means information relating to an identified or identifiable natural person or as otherwise defined in the Laws that is processed by the Processor on behalf of the Controller pursuant to the Agreement and can be further specified in the General Processing Specification Form and in the Agreement between the Processor and the Controller. With respect to processing of Controller Personal Data in the context of the Services provided by the Processor, the Processor acts as a data processor.

The Processor shall at all times comply with the provisions of all applicable laws and regulations relating to data protection, privacy and security in relevant jurisdictions (“Laws”) when processing Controller Personal Data under the Agreement. The Processor shall also comply with the Controller’s written instructions and regulations, e.g. on handling, protecting and encrypting personal and other data. The Processor shall immediately inform the Controller, if any Controller’s instructions could in the Processor’s opinion violate the Laws. In this case the Processor is not obliged to comply with the relevant part of the instructions until the Controller either changes its instructions or expressly confirms the relevant instructions.


Except to the extent necessary for the Processor to perform its obligations towards the Controller under the Agreement or as required by law, the Processor shall keep Controller Personal Data confidential and shall have no rights to Controller Personal Data and shall not access, use, process, disclose, or transfer Controller Personal Data (in part or in whole) to any third party (excluding its approved subcontractors) during or after the term of the Agreement.

The Processor is entitled to transfer or disclose Controller Personal Data to third parties only with a prior written consent of the Controller. If the Controller has agreed in the Agreement or otherwise in writing that the Processor may engage subcontractor(s) to process Controller Personal Data, then (i) such engagement will be under a written contract, and (ii) the subcontract will require the subcontractor to comply with the same obligations applicable to Processor under this Appendix and the Laws. In any event, the Processor will remain fully liable for the acts and omissions of its subcontractors.

When processing Controller Personal Data, the Processor shall implement and maintain at all times appropriate physical, technical and organizational measures to protect the Controller Personal Data against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access so that all processing is in compliance with the Laws. Technical safeguards shall include up-to-date virus protection of the data files containing Controller Personal Data and backup copies of such files. The Processor shall limit access to the Controller Personal Data to authorized and properly trained personnel with a well-defined “need-to-know” and who are bound by appropriate confidentiality obligations.

The Processor warrants that in performing the Services all necessary precautions are taken by the Processor to prevent loss and alteration of any data or programs, to prevent introduction of viruses to the Controller’s systems, and to prevent improper access to the Controller’s IT environment and Confidential Information of the Controller. The Processor undertakes to inform the Controller immediately, if the data security measures taken by the Processor do not meet the standards set out in the Controller's instructions. This applies accordingly if there are disturbances and if there is any suspicion that there is a violation of the data protection or any irregularities concerning the processing of Controller Personal Data.


If requested by the Controller in order for the Controller to comply with the Laws, the Processor shall promptly provide the Controller with information and cooperation regarding the processing of Controller Personal Data, and/or carry out an action related to the processing of Controller Personal Data, as the Controller may reasonably request under this Agreement or to fulfil legal requirements, by way of example:

i. maintain and provide the Controller with a written record of data processing activities carried out by the Processor on behalf of the Controller, containing the information on such Processor processing which the Controller is required to maintain as prescribed under the Laws;

ii. assist the Controller in carrying out a privacy impact assessment of new technologies or products;

iii. notify without undue delay or if specified by the Laws, within that period, the Controller of any security incidents; such notification will include, or be shortly succeeded by, all due information on the security incident in order for the Controller to be able to carry out its obligations under Laws;

iv. assist with the Controller’s obligation to respond to requests from individuals seeking to exercise their rights under the Laws applicable to Controller.


The Processor shall not (and shall procure that its subcontractors shall not) transfer any Controller Personal Data to any third country or any international organization outside the EU or EEA (together “Third Countries”), unless expressly required or consented to do so by the Controller. Such consent shall be requested and provided in writing and separately for each recipient and/or location of the recipient of such transfers. Before such transfer, the Processor shall assess the impact of a transfer of personal data to a third country outside of the EU/EEA and based on the results of said assessment, implement effective supplementary measures, additional safeguards and mechanisms for safe and compliant processing of personal data in cases where personal data is processed in a third country.

When carrying out a data transfer to such Third Countries and at all times when storing, transferring or maintaining Controller Personal Data, the Processor shall ensure that all such transfers are in compliance with the Laws and this Appendix. Transfers shall only be executed in accordance with the instructions of the Controller.

Where a transfer ceases to be in compliance with the Laws or the Controller’s instructions, the Processor shall immediately obtain substitutive means of transfer in order to ensure that the transfer becomes compliant with the Laws and the Controller’s instructions. If the Processor fails to obtain such compliance for the transfer, it shall forthwith terminate the transfer of Controller Personal Data to Third Countries and return the Controller Personal Data to the EU/EEA, without additional costs to the Controller.

The Processor shall upon request from the Controller inform the Controller where the Controller Personal Data is stored no later than five (5) working days from the request.


The Controller is entitled to audit the Processor's compliance with the legal and contractual obligations regarding data protection at any time within the necessary scope, especially by making requests and checking the archived data and the data processing programs. The Controller shall try to ensure that the audit shall be performed in a manner not causing material adverse effect on the performance of the services under the Agreement or the Processor's other activities.

This Appendix shall remain in full force for as long as the Agreement is in force and for such period thereafter as is necessary for the activities after Agreement termination or expiration to be completed (including but not limited to the deletion of Controller Personal Data). To the extent that Controller Personal Data is processed by or for the Processor, for whatsoever reason, after the termination or expiration of the Agreement, this Appendix shall continue to apply to such processing for as long as such processing is carried out.

Breach by the Processor (or its subcontractors, as the case may be) of its obligations under this Appendix will be deemed a material breach of the Agreement.

In respect of services provided under the Agreement, all damages arising out of or relating to the processing of data shall be deemed direct damages (regardless of their actual nature) unless the damages have incurred despite the Processor's conduct in accordance with due care, diligence and professional skill in processing Controller data and such damage arises despite such conduct, which proper conduct can afterwards be demonstrated by the Processor. Furthermore, no limitation of liability defined in the Agreement or this Appendix shall limit the Controller’s right to claim back from the Processor their part of responsibility for the damage in accordance with the principles defined in Article 82 (5) of GDPR in full.

Any changes to this Appendix must be agreed in writing between the Parties.

Upon termination of the Agreement, the Processor shall (and shall procure that its subcontractors shall) promptly return to the Controller all Controller Personal Data in a commonly used electronic form and/or duly destroy and delete all Controller Personal Data, as instructed by the Controller in writing, and all documentation and any material supplied by the Controller or made by the Processor for the performance of its duties pursuant to the Agreement. The concrete medium of handing over the archived data (including, but not limited to, Controller Personal Data) is based on an individual agreement which has to be concluded before the termination date. If no such agreement can be concluded until the termination date, the Controller is entitled to determine the concrete medium as well as the other modalities of the handing over of the data. Afterwards, all Processor's storage data as well as any test-material or rejects which have not been handed over to the Controller have to be erased physically.