Updated 28 September 2021
Unofficial translation, Finnish version of the Privacy Statement shall prevail
1. Date Controller and the contact person
UPM-Kymmene Corporation (”UPM”)
Alvar Aallon katu 1,
FI-00100 Helsinki, Finland
Group Legal Counsel Saara-Maria Helminen
Alvar Aallon katu 1, 00100 Helsinki/PL 380, 00101 Helsinki
saara-maria.helminen@upm.com or privacy@upm.com
2. The purpose and legal basis for the processing of the personal data
Information needed for the administration of the Annual General Meeting is collected through the system for the registration for the Annual General Meeting. The purpose for the collection of the information is to enable the registration of shareholders, their representatives and their counsels to the Annual General Meeting, the identification of shareholders and their ownership and to enable the shareholders to exercise their rights, such as voting and presenting questions. The processing is based on the legal obligation to organize an Annual General Meeting according to the Finnish Companies Act.
The technical provider of the service is Euroclear Finland Ltd.
3. Personal data processed
In connection with the registration for the Annual General Meeting, the following categories of personal data may be processed: name, personal identity code, address, phone number, email address. The same personal data can be collected of an assistant or authorized representative.
4. Regular sources of information
The personal data is collected mainly from the shareholder registering, voting and presenting questions for the Annual General Meeting or from someone acting on the shareholder's behalf.
5. Disclosures of data to third parties and transfer of data outside the EU or EEA
The Controller may transfer and disclose personal data to third parties in the following situations:
- to the provider of the system for the registration for the Annual General Meeting, Euroclear Finland Oy, and other trusted service provides who act on the Controller's behalf, when needed;
- within the group; and
- when the disclosure is necessary in order to ensure the rights of the Controller, data subject or others, to investigate potential fraud, or to respond to requests from public authorities.
Personal data is not transferred to countries outside the European Union or the European Economic Area.
6. The principles how the data file/register is secured
The Controller has undertaken appropriate technical and organizational security measures in order to protect the personal data from loss, destruction, misuse and unauthorized access.
Euroclear Finland Ltd shall be responsible for the maintenance of the register. The connection from a user’s browser to the server of Euroclear Finland Ltd is encrypted with SSL-technology. Technical data protection is being used in the application, by which the entered information shall remain unchanged and is available only for the authorized persons.
7. Retention period for personal data
The personal data is only kept for as long as it is necessary for the purposes set out in this statement or for the retention periods set out in legislation. For example, the rules on prescription in the Finnish Companies Act (624/2006) require the Controller to keep the personal data related to Annual General Meetings for three months after the decision of the Annual General Meeting. In practice the personal data may be kept for a longer period for purposes required by other legislation.
8. Data subject rights and the exercise of rights
A data subject has the following rights according to the applicable data protection legislation:
- The right to request access to personal data concerning the data subject and the right to ask for the data in question to be rectified or deleted within the limitations set out in and according to applicable data protection legislation;
- The right to request restriction of processing or object the processing within the limitations set out in and according to applicable data protection legislation;
- The right to file a complaint to the national data protection authority (in Finland: The Office of the Data Protection Ombudsman, https://tietosuoja.fi/etusivu) or another EU or EEA data protection authority.
Requests to exercise the abovementioned rights shall be directed to
Group legal Counsel Saara-Maria Helminen either
by email (saara-maria.helminen@upm.com) or privacy@upm.com
or by post to the address:
UPM-Kymmene Corporation / Privacy
Alvar Aallon katu 1, P.O. Box 380
FI-00101 Helsinki, Finland