UPM Privacy

UPM Employee privacy statement

28.02.2018, updated 28.01.2020 and 28.04.2025

This UPM Employee Privacy Statement (“Privacy Statement”) describes what types of personal data UPM-Kymmene Corporation and its affiliates (“UPM”) may collect about its employees, how it may be used, and how it is protected.

Please note that this Privacy Statement may be updated from time to time to reflect changes in UPM’s operations and/or applicable legislation (any changes will be posted here). We encourage you to regularly review this Privacy Statement for possible updates. Any material changes to processing of personal data described in this Privacy Statement will also be notified on UPM’s intranet.

While this Privacy Statement is intended to describe the broadest range of our personal data processing activities globally, those processing activities may be more limited in some jurisdictions due to local legal requirements.

UPM is committed to protecting and respecting your privacy. When processing your personal data, UPM will comply with the applicable data protection laws. UPM has endeavoured to take appropriate action to protect your personal data to prevent unauthorised access to it and its incorrect use.

How we collect your personal data 

UPM collects your personal data mainly directly from you. Other sources may include your manager, UPM HR and other Group Functions and local UPM affiliates. In some instances, we may also collect information about you from service providers or other third parties, such as tax authorities and insurance companies. We may also collect, to the extent permitted by law, personal data obtained through your use of UPM’s IT tools.

When personal data is collected directly from you UPM notifies you of the possible consequences of not providing your personal data and whether providing such data is mandatory or voluntary.

Types of personal data we collect

The categories of personal data UPM may collect about you are (local restrictions may apply):

  • Employee data: name, photo, date and place of birth, gender, contact information (including home address, telephone numbers, email address, web address links, social media links, instant messenger address), education, employment history, national and governmental identification information, employee identification information (username and user ID), passport and any other national identification documents, visa information, driver’s license ID, residence status, nationality, citizenship information, marital status, employee’s corporate credit card number, banking details, military service information
  • Related persons data: name and contact information of dependents, beneficiaries and emergency contacts (including home address, telephone number, email address), date of birth, gender, national and governmental identification information, other relevant information clarifying ground for absence
  • Employment data: employer company, location, cost centre, department, job title, job type and code, employment contract data, manager, long-term leaves (start and end date, type, reason), project and international assignments, retirement information, disciplinary actions
  • Personnel development: target setting and results, skills, development plan, potentiality and performance information, succession planning
  • Training, licenses and certificates, competences and qualifications
  • Compensation and related information: salary, benefits (including medical, insurance, savings and health plans), allowances, grade, long-term and short-term incentives, awards, tax information
  • Recruitment process information: applications, CVs, background check information, ability tests and test results
  • Records on your use of UPM IT tools and services, such as, IP address, Mac address, browser fingerprint
  • Logging information generated from your use of UPM IT tools and services
  • Software license usage, e.g. usage measurements
  • Working time management information
  • Surveillance: video surveillance recordings, site location you work at
  • Communication as permitted by law: telephone recordings, voice mails, emails, chat, collaboration tools, Teams meeting recordings, transcriptions of meetings
  • Business travel information: flights, hotel and car booking history, travel and expense invoice history, company credit card statements, passport

UPM may also collect the following special categories of personal data in some countries due to mandatory legislation:

  • Ethnicity (USA)
  • Medical and health information: medical diagnosis, medical history, disability information, sick leaves, drug test results, information about incidents, medical surveys to apply for life insurance
    • Health information may also be inferred from the dietary information you have given in connection with an event registration.
  • Biometric: FaceID or fingerprint in laptops (only if enabled by you), fingerprint in working time management (Mexico)
  • Trade union membership (Austria, Finland, Italy, Spain, South Africa and UK)

Types of personal data we collect about you may vary based on your location (country) as well as your position in the organisation. In some jurisdictions local legal requirements may apply which require or do not allow processing of certain types of personal data.

Using personal data (purposes and legal basis for processing)

UPM may process your personal data for the following purposes:

  • keeping the records of employee data required by national laws
  • for payroll purposes and fulfilling other legal requirements (e.g., salary, pension and rehabilitation)
  • providing services and employee self-service (e.g., HR services)
  • offering employment related benefits (e.g., employee share savings plans, phone, car or bike benefit)
  • organizing and managing trainings, including certification programs for users or employees
  • enabling and supporting career development, and job rotation
  • evaluating performance and potential
  • authorising physical access to and within UPM locations
  • recording working hours (time management purposes)
  • securing and monitoring IT infrastructure and enabling effective usage use of the IT
  • recording access to IT systems for investigation purposes
    • identification and logging of actions
    • authentication and authorisation of users
    • securing and managing access to data systems
    • incident resolution, troubleshooting
  • investigation and remediation of alleged misconduct, including disciplinary actions
  • managing self-service travel portal for employees, including managing business travel arrangements and reimbursing employee travel expenses
  • recording and processing of safety issues, ensuring workplace safety and managing workplace accidents and incidents
  • business process and product development
  • company internal and external communication, such as, surveys and Griffin Forum news
  • organize and manage events (e.g., registrations, managing dietary preferences)
  • exercising rights and obligations arising from the national law
  • statistical analysis

Legal basis for UPM processing personal data of its employees are an employment contract between UPM and an employee, a legitimate interest of UPM, a legal obligation of UPM, and in rare cases a consent of an UPM employee. Examples of these are given in the following table:

UPM may use Artificial Intelligence (‘AI’) or Machine Learning (‘ML’) technology.

 

Data disclosures and transfers

UPM may transfer and disclose your personal data with other companies within UPM group.

UPM may also transfer your personal data to professional advisors or other service providers to enable us to use their services or products, develop UPM’s business processes and to provide services to UPM employees. When using third party service providers appropriate contractual and other measures are taken to safeguard processing of your personal data.

UPM may also disclose your personal data to provide you employment benefits and to comply with its legal obligations (e.g. tax authorities, insurance companies).

UPM may share your personal data with these parties only for the limited purposes outlined in section “Using your personal data (purposes and legal basis for processing)” above and only to the extent needed for the purpose.

UPM may also transfer your personal data to countries outside the European Economic Area (EEA), e.g. if we use third parties to provide services. When outsourcing services to any third-party service providers and transferring personal data within UPM, we ensure through contractual and other measures, such as EU Standard Contractual Clauses, that personal data is processed appropriately and in compliance with all applicable laws. In transferring personal data outside the EEA, appropriate technical and organisational measures are taken to secure your personal data.

Protection and storage of personal data

UPM has taken appropriate technical and organisational measures to restrict access to your personal data and to protect it against loss, accidental destruction, misuse, and unlawful alteration. UPM has screening and selection procedures in place for third party service providers to guarantee secure processing of personal data. Access to personal data is restricted on a need-to-know basis to individuals who need to access the data for the purposes defined in section “Using your personal data (purposes and legal basis for processing)” above. These may include, e.g., your manager, UPM HR and IT personnel, and other Group Functions.

UPM will store personal data as long as required for the purpose it was collected for or as required to meet legal and/or regulatory requirements. More information on the storage of employee personal data at UPM is available by contacting your local HR.

Access to your personal data and your other rights

You have right to access the personal data held by UPM about you (and request a copy of such personal data) by contacting us on the email address or address indicated below. You may also access and modify your own personal data through employee self-service tools, where available. You have, where necessary, the right to have the data amended, rectified, or erased, if it is incorrect, inaccurate, imprecise or outdated, or obsolete as regards the purpose of its processing. You may be requested to verify your identity, specify your request, and may be asked for more information about your request.

If your request for rectification of your personal data is refused, you will be given a written certification to this effect (also stating the reasons for the refusal). In this case or if in your opinion your personal data has not been processed in compliance with applicable data protection laws, you may bring the matter to the attention of the relevant data protection authority.

You may also request to restrict and object to the processing of your personal data, if it could compromise your rights to privacy. You have the right to restrict processing when you contest the accuracy of the data for the period its accuracy is verified, when the processing is unlawful, or when you have objected to the processing based on legitimate interests, until an overriding legitimate interest for processing is verified. In cases where processing of your personal data is based on consent, you have the right to withdraw your consent at any time.

If you have any questions about this Privacy Statement, processing of your personal data by UPM or you wish to make a data request, you may contact:

UPM-Kymmene Corporation / Privacy
Alvar Aallon katu 1, P.O. Box 380
FI-00101 Helsinki, Finland
privacy@upm.com

The e-mails and mail sent to these addresses are received and responded to by UPM Privacy & Digital Compliance team.

You may also contact your employer company or local data protection officer (if applicable).