28.02.2018, updated 28.01.2020 and 28.04.2025
This UPM Employee Privacy Statement (“Privacy Statement”) describes what types of personal data UPM-Kymmene Corporation and its affiliates (“UPM”) may collect about its employees, how it may be used, and how it is protected.
Please note that this Privacy Statement may be updated from time to time to reflect changes in UPM’s operations and/or applicable legislation (any changes will be posted here). We encourage you to regularly review this Privacy Statement for possible updates. Any material changes to processing of personal data described in this Privacy Statement will also be notified on UPM’s intranet.
While this Privacy Statement is intended to describe the broadest range of our personal data processing activities globally, those processing activities may be more limited in some jurisdictions due to local legal requirements.
UPM is committed to protecting and respecting your privacy. When processing your personal data, UPM will comply with the applicable data protection laws. UPM has endeavoured to take appropriate action to protect your personal data to prevent unauthorised access to it and its incorrect use.
How we collect your personal data
UPM collects your personal data mainly directly from you. Other sources may include your manager, UPM HR and other Group Functions and local UPM affiliates. In some instances, we may also collect information about you from service providers or other third parties, such as tax authorities and insurance companies. We may also collect, to the extent permitted by law, personal data obtained through your use of UPM’s IT tools.
When personal data is collected directly from you UPM notifies you of the possible consequences of not providing your personal data and whether providing such data is mandatory or voluntary.
Types of personal data we collect
The categories of personal data UPM may collect about you are (local restrictions may apply):
- Employee data: name, photo, date and place of birth, gender, contact information (including home address, telephone numbers, email address, web address links, social media links, instant messenger address), education, employment history, national and governmental identification information, employee identification information (username and user ID), passport and any other national identification documents, visa information, driver’s license ID, residence status, nationality, citizenship information, marital status, employee’s corporate credit card number, banking details, military service information
- Related persons data: name and contact information of dependents, beneficiaries and emergency contacts (including home address, telephone number, email address), date of birth, gender, national and governmental identification information, other relevant information clarifying ground for absence
- Employment data: employer company, location, cost centre, department, job title, job type and code, employment contract data, manager, long-term leaves (start and end date, type, reason), project and international assignments, retirement information, disciplinary actions
- Personnel development: target setting and results, skills, development plan, potentiality and performance information, succession planning
- Training, licenses and certificates, competences and qualifications
- Compensation and related information: salary, benefits (including medical, insurance, savings and health plans), allowances, grade, long-term and short-term incentives, awards, tax information
- Recruitment process information: applications, CVs, background check information, ability tests and test results
- Records on your use of UPM IT tools and services, such as, IP address, Mac address, browser fingerprint
- Logging information generated from your use of UPM IT tools and services
- Software license usage, e.g. usage measurements
- Working time management information
- Surveillance: video surveillance recordings, site location you work at
- Communication as permitted by law: telephone recordings, voice mails, emails, chat, collaboration tools, Teams meeting recordings, transcriptions of meetings
- Business travel information: flights, hotel and car booking history, travel and expense invoice history, company credit card statements, passport
UPM may also collect the following special categories of personal data in some countries due to mandatory legislation:
- Ethnicity (USA)
- Medical and health information: medical diagnosis, medical history, disability information, sick leaves, drug test results, information about incidents, medical surveys to apply for life insurance
- Health information may also be inferred from the dietary information you have given in connection with an event registration.
- Biometric: FaceID or fingerprint in laptops (only if enabled by you), fingerprint in working time management (Mexico)
- Trade union membership (Austria, Finland, Italy, Spain, South Africa and UK)
Types of personal data we collect about you may vary based on your location (country) as well as your position in the organisation. In some jurisdictions local legal requirements may apply which require or do not allow processing of certain types of personal data.
Using personal data (purposes and legal basis for processing)
UPM may process your personal data for the following purposes:
- keeping the records of employee data required by national laws
- for payroll purposes and fulfilling other legal requirements (e.g., salary, pension and rehabilitation)
- providing services and employee self-service (e.g., HR services)
- offering employment related benefits (e.g., employee share savings plans, phone, car or bike benefit)
- organizing and managing trainings, including certification programs for users or employees
- enabling and supporting career development, and job rotation
- evaluating performance and potential
- authorising physical access to and within UPM locations
- recording working hours (time management purposes)
- securing and monitoring IT infrastructure and enabling effective usage use of the IT
- recording access to IT systems for investigation purposes
- identification and logging of actions
- authentication and authorisation of users
- securing and managing access to data systems
- incident resolution, troubleshooting
- investigation and remediation of alleged misconduct, including disciplinary actions
- managing self-service travel portal for employees, including managing business travel arrangements and reimbursing employee travel expenses
- recording and processing of safety issues, ensuring workplace safety and managing workplace accidents and incidents
- business process and product development
- company internal and external communication, such as, surveys and Griffin Forum news
- organize and manage events (e.g., registrations, managing dietary preferences)
- exercising rights and obligations arising from the national law
- statistical analysis
Legal basis for UPM processing personal data of its employees are an employment contract between UPM and an employee, a legitimate interest of UPM, a legal obligation of UPM, and in rare cases a consent of an UPM employee. Examples of these are given in the following table: