Privacy statement for UPM Report Misconduct channel

Updated 20.4.2020

In order to safeguard the effective implementation of the UPM Code of Conduct and related policies and rules, UPM-Kymmene Corporation and its affiliates (“UPM”) provide the Report Misconduct channel (“Channel”) for its employees and other stakeholders to report alleged misconduct and violations. The Channel is operated by an external service provider, People Intouch, through a system called SpeakUp.

This Privacy Statement describes the way UPM collects and processes personal information in relation to investigation of reports submitted through the Channel. This Privacy Statement may be updated by UPM from time to time to reflect changes in UPM’s operations and/or applicable legislation (any changes will be posted here).

UPM is committed to protecting and respecting privacy. When processing personal data, UPM will comply with the applicable data protection laws. Processing of personal data by UPM in relation to investigation of reports submitted through the Channel is mainly based on our legitimate interest to safeguard the effective implementation of the UPM Code of Conduct and related policies and rules and to enable us to conduct, safeguard and maintain our business operations effectively. Also, applicable laws that UPM is bound by require UPM to have in place appropriate procedures and an independent channel to report misconduct and violations.

UPM has endeavoured to take appropriate action to protect personal data to prevent unauthorised access to it and its incorrect use.

How we collect personal data

Information will be collected by UPM from the person reporting the alleged misconduct or violation by using the Channel and from persons involved in the investigation of the alleged misconduct or violation. We may also collect information from UPM’s relevant IT systems. To increase the accuracy, effectiveness and fairness of the investigation, UPM encourages reporting any alleged misconduct and violations on a named basis; however, reports can also be made on an anonymous basis.

Types of personal data we collect

The information we collect and process about the reporting person may include: name, contact information, and any other information the reporting person may give us. In addition, we may collect the following information about the reported person: name, contact information, description of the alleged misconduct or violation, investigation procedures and outcome of the investigation. Furthermore, it is possible that we collect and process personal data concerning other persons relating to the misconduct, violation or investigation. Such information may include: name, contact information and any other information the reporting person may give to us or that is collected during the investigation.

The personal data collected and processed will be limited to the minimum necessary for the fair resolution of the alleged misconduct or violation.

Using personal data

Personal data is used to investigate and resolve the alleged misconduct and violations.

Sharing data and international transfers

All reports made by using the Channel are received and managed by the head of UPM’s Internal Audit and UPM’s Chief Compliance Officer. Other UPM employees and external parties may be involved in the investigation in accordance with UPM’s internal investigation procedure.

During the investigation, the investigators will protect the privacy of all parties concerned by restricting access to all information related to the allegations and investigation to those with a legitimate need to know. The identity of a person making a report may need to be disclosed to the relevant people involved in the investigations or in the course of legal proceedings.

Information may be disclosed in accordance with applicable legislation to the competent authorities, such as the Finnish Financial Supervisory Authority. Data will not be transferred by UPM outside the European Economic Area (EEA) regularly, but may be transferred in an individual case, if needed for the purpose of the investigation of the alleged misconduct or violation.

We use third party service providers to enable us to maintain the Channel and we may use external service providers (such as attorneys) to conduct the investigation. These third parties have access to your information only for the limited purposes outlined above. UPM will not disclose your personal data in any other circumstances, unless we have your consent or if disclosure is required by law.

Protection and storage of personal data

UPM has taken appropriate technical and organisational measures to restrict access to personal data and to protect it against loss, accidental destruction, misuse, and unlawful alteration. UPM has screening and selection procedures in place for third party service providers to guarantee secure processing of personal data. Access to the audit and investigations register and related personal data files is restricted on a need-to-know basis to UPM employees and third parties who need to access the data for the purposes defined in section “Using personal data” above.

UPM will store personal data as long as required for the purpose it was collected for or as required to meet legal and/or regulatory requirements.

Access to your personal data and your other rights

You have the right to access the personal data held by UPM about you (and request a copy of such personal data) by contacting us on the email address or address indicated below. You have, where necessary, the right to have the data amended, rectified, or erased, if it is incorrect, inaccurate, imprecise or outdated, or obsolete as regards the purpose of its processing. You may be requested to verify your identity, specify your request, and may be asked for more information about your request.

If your request for rectification of your personal data is refused, you will be given a written certificate to this effect (also stating the reasons for the refusal). In this case or if in your opinion your personal data has not been processed in compliance with applicable data protection laws, you may bring the matter to the attention of the relevant data protection authority.

You may also request to restrict and object to the processing of your personal data, if it could compromise your rights to privacy. You have the right to restrict processing when you contest the accuracy of the data for the period its accuracy is verified, when the processing is unlawful, or when you have objected to the processing based on legitimate interests, until an overriding legitimate interest for processing is verified. In cases where processing of your personal data is based on consent, you have the right to withdraw your consent at any time.

If you have any questions about this Privacy Statement or the processing of your personal data by UPM, or you wish to make a data request, you may contact:

UPM-Kymmene Corporation / Privacy
Alvar Aallon katu 1, P.O. Box 380
FI-00101 Helsinki, Finland
privacy [ at ] upm.com