28.02.2018, updated 28.01.2020
This UPM Employee Privacy Statement (“Privacy Statement”) describes what types of personal data UPM-Kymmene Corporation and its affiliates (“UPM”) may collect about its employees, how it may be used, and how it is protected.
Please note that this Privacy Statement may be updated from time to time to reflect changes in UPM’s operations and/or applicable legislation (any changes will be posted here). We encourage you to regularly review this Privacy Statement for possible updates. Any material changes to processing of personal data described in this Privacy Statement will also be notified on UPM’s intranet.
While this Privacy Statement is intended to describe the broadest range of our personal data processing activities globally, those processing activities may be more limited in some jurisdictions due to local legal requirements.
UPM is committed to protecting and respecting your privacy. When processing your personal data, UPM will comply with the applicable data protection laws. UPM has endeavoured to take appropriate action to protect your personal data to prevent unauthorised access to it and its incorrect use.
How we collect your personal data
UPM collects your personal data mainly directly from you. Other sources may include your manager, UPM HR and other Group Functions and local UPM affiliates. In some instances, we may also collect information about you from third parties, such as tax authorities and insurance companies. We may also collect, to the extent permitted by law, personal data obtained through your use of UPM’s IT tools or HR services.
When personal data is collected directly from you UPM notifies you of the possible consequences of not providing your personal data and whether providing such data is mandatory or voluntary.
Types of personal data we collect
The categories of personal data UPM may collect about you are (local restrictions may apply):
- Employee data: name, photo, date and place of birth, gender, contact information (including home address, telephone numbers, email address, web address links, instant messenger address), education, employment history, national and governmental identification information, employee identification information (username and user ID), passport and any other national identification documents, visa information, driver’s license ID, residence status, nationality, citizenship information, marital status, employee’s corporate credit card number, banking details, military service information
- Related persons data: name and contact information of dependents, beneficiaries and emergency contacts (including home address, telephone number, email address), date of birth, gender, national and governmental identification informatio, other relevant information clarifying ground for absence
- Employment data: employer company, location, cost centre, department, job title, job type and code, employment contract data, manager, long-term leaves (start and end date, type, reason), project and international assignments, retirement information, disciplinary actions
- Personnel development: target setting and results, development plan, potentiality and performance information, succession planning
- Training, licenses and certificates, competences and qualifications
- Compensation and related information: salary, benefits (including medical, insurance, savings and health plans), allowances, grade, long-term and short-term incentives, awards, tax information
- Recruitment process information: applications, background check information
- Records on your use of IT tools and services: IP address, Mac address, browser fingerprint
- Logging information
- Time management information
- Surveillance: video surveillance recordings, locations
- Communication: telephone recordings, voice mails, emails, chat, collaboration tools
- Business travel information: flights, hotel and car booking history, travel and expense invoice history, company credit card statements
UPM may also collect the following special categories of personal data in some countries due to mandatory legislation:
- Religion (Germany and Malaysia)
- Ethnicity (USA)
- Medical and health information: medical diagnosis, medical history, disability information, sick leaves, drug test results, information about incidents, medical surveys to apply for life insurance
- Trade union membership (Austria, Finland, Italy, Spain, South Africa and UK)
Types of personal data we collect about you may vary based on your location (country) as well as your position in the organisation. In some jurisdictions local legal requirements may apply which require or do not allow processing of certain types of personal data.
Using personal data (purposes and legal basis for processing)
UPM may process your personal data for the following purposes:
- keeping the records of employee data required by national laws
- for payroll purposes and fulfilling other legal requirements (e.g. pension and rehabilitation)
- providing HR services and employee self-service
- offering employment related benefits
- organising and managing trainings
- evaluating performance and potential
- authorising physical access to and within UPM locations
- recording working hours (time management purposes)
- securing and monitoring IT infrastructure and enabling effective usage use of the IT
- recording access to IT systems for investigation purposes
- identification and logging of actions
- authentication and authorisation of users
- securing and managing access to data systems
- incident resolution, troubleshooting
- investigation and remediation of alleged misconduct, disciplinary actions
- managing self-service travel portal for employees
- recording and processing of safety issues
- business process development
- company internal and external communication
- exercising rights and obligations arising from the national laws
- statistical analysis.
Legal basis for UPM processing personal data of its employees are an employment contract between UPM and an employee, a legitimate interest of UPM, a legal obligation of UPM, and in rare cases a consent of an UPM employee. Examples of these are given in the following table:
Data disclosures and transfers
UPM may share your personal data with your manager, UPM HR and other Group Functions, other companies within UPM and professional advisors or other third party service providers to enable us to provide HR related services to UPM employees. When using third party service providers appropriate contractual and other measures are taken to safeguard processing of your personal data. UPM may also disclose your personal data to comply with its legal obligations (e.g. tax authorities, insurance companies).
UPM may share your personal data with these parties only for the limited purposes outlined in section “Using your personal data (purposes and legal basis for processing)” above and only to the extent needed for the purpose.
UPM may also transfer your personal data to countries outside the European Economic Area (EEA), e.g. if we use third parties to provide HR related services. When outsourcing services to any third party service providers and transferring personal data within UPM, we ensure through contractual and other measures, such as EU Model Clauses, that personal data is processed appropriately and in compliance with all applicable laws. In transferring personal data outside the EEA, appropriate technical and organisational measures are taken to secure your personal data.
Protection and storage of personal data
UPM has taken appropriate technical and organisational measures to restrict access to your personal data and to protect it against loss, accidental destruction, misuse, and unlawful alteration. UPM has screening and selection procedures in place for third party service providers to guarantee secure processing of personal data. Access to personal data is restricted on a need-to-know basis to individuals who need to access the data for the purposes defined in section “Using your personal data (purposes and legal basis for processing)” above.
UPM will store personal data as long as required for the purpose it was collected for or as required to meet legal and/or regulatory requirements. More information on the storage of employee personal data at UPM is available by contacting your local HR.
Access to your personal data and your other rights
You have right to access the personal data held by UPM about you (and request a copy of such personal data) by contacting us on the email address or address indicated below. You have, where necessary, the right to have the data amended, rectified, or erased, if it is incorrect, inaccurate, imprecise or outdated, or obsolete as regards the purpose of its processing. You may be requested to verify your identity, specify your request, and may be asked for more information about your request.
If your request for rectification of your personal data is refused, you will be given a written certificate to this effect (also stating the reasons for the refusal). In this case or if in your opinion your personal data has not been processed in compliance with applicable data protection laws, you may bring the matter to the attention of the relevant data protection authority.
You may also request to restrict and object to the processing of your personal data, if it could compromise your rights to privacy. You have the right to restrict processing when you contest the accuracy of the data for the period its accuracy is verified, when the processing is unlawful, or when you have objected to the processing based on legitimate interests, until an overriding legitimate interest for processing is verified. In cases where processing of your personal data is based on consent, you have the right to withdraw your consent at any time.
If you have any questions about this Privacy Statement, processing of your personal data by UPM or you wish to make a data request, you may contact:
UPM-Kymmene Corporation / Privacy
Alvar Aallon katu 1, P.O. Box 380
FI-00101 Helsinki, Finland
The e-mails and mail sent to these addresses are received and responded to by UPM privacy team.
You may also contact your employer company or local data protection officer (if applicable).