Preregistration and participation in the Annual General Meeting 2025
Updated 31 January 2025
Unofficial translation, Finnish version of the Privacy Statement shall prevail
1. Data Controller and the contact person
UPM-Kymmene Corporation (”UPM”)
Alvar Aallon katu 1,
FI-00100 Helsinki, Finland
Director, Legal operationa and Group legal, Saara-Maria Helminen
Alvar Aallon katu 1, 00100 Helsinki/PL 380, 00101 Helsinki
saara-maria.helminen@upm.com or privacy@upm.com
2. The purpose and legal basis for the processing of the personal data
Information needed for the administration of the Annual General Meeting is collected through the system for the registration for the Annual General Meeting. The purpose for the collection of the information is to enable the registration of shareholders, their representatives and their counsels to the Annual General Meeting, the identification of shareholders and their ownership. The processing is based on the legal obligation to organize an Annual General Meeting according to the Finnish Companies Act.
The technical implementation of the registration system, Annual General Meeting hall bookkeeping and possible possible voting during the Annual General Meeting is carried out by Innovatics Oy. The list of shareholders is maintained by Euroclear Finland Oy. Inderes Oyj is responsible for the Annual General Meeting service in its entirety. In addition, other service providers are used when needed.
Processing of personal data is based on the legal obligations of the controller.
3. Personal data processed
The processed personal data include the shareholder’s and their possible proxy’s name, personal identity number and/or business ID, address, contact details, number of shares and votes, possible voting information, authentication method, basis of representation, date of registration, and possible information on aid, power of attorney, and any additional information provided in connection with the registration. When participating in the Annual General Meeting, the time of arrival and departure of each participant are recorded. For technical maintenance and monitoring of the service, log data on registration and voting, as well as the user’s IP address are also recorded.
The register contains the list of shareholders on the record date created by Euroclear Finland for the Annual General Meeting, containing, e.g., the shareholder’s name, personal identity number/business ID, address, and number of shares.
The register contains a temporary list of shareholders created by Euroclear Finland for the General Meeting, containing information on nominee registered shareholders registered for the General Meeting and their number of shares.
4. Regular sources of information
Personal data is mainly collected from the shareholder themself or from their representative in connection with the registration to the Annual General Meeting. When registering via e-mail, mail or telephone, the controller or Innovatics Oy enters the registrant's personal data into the register.
Based on the personal data provided in connection with the registration, Innovatics Oy retrieves the number of shares of the shareholder on the record date from the list of shareholders created by Euroclear Finland.
Innovatics Oy enters the voting instructions for nominee registered shareholders represented by account operators at the General Meeting into the register.
5. Disclosures of data to third parties and transfer of data outside the EU or EEA
Based on the information in the register, a list of votes and a summary of the votes cast are established and attached to the minutes of the meeting. The list of votes contains information on the name of the shareholder and possible proxy and/or aid, number of the vote ticket (participant number), number of shares, number of votes, basis of representation and means of attendance.
At the meeting venue of the Annual General Meeting, in accordance with the Finnish Limited Liability Companies Act, the shareholder register is made available, which includes the names of shareholders, municipality, and the number of shares and votes according to the record date of the meeting. The list also contains information on nominee registered shareholders who are temporarily registered in the list of shareholders for the Annual General Meeting.
The data contained in the register may be shared with third parties involved in organising the Annual General Meeting who need the registered data in their operations. Data is not disclosed for commercial purposes.
For recipients with Finnish phone numbers, text messages are sent via a Finnish service provider. For those with foreign numbers, text messages are sent using a Swiss service.
Otherwise, personal data is not transferred or disclosed outside the EU or the European Economic Area.
6. The principles how the data file/register is secured
Physical material is stored in a locked room accessible only to persons entitled to the data.
Electronic material is stored in a data room that meets the requirements for the processing of personal data. The connection from the user's browser to the server is encrypted. Access to the register is limited to the employees of the controller and subcontractors who need and process data to organise the Annual General Meeting.
7. Retention period for personal data
The personal data is only kept for as long as it is necessary for the purposes set out in this statement or for the retention periods set out in legislation.
Innovatics Oy stores personal data for a maximum of two years after the end of the Annual General Meeting. Euroclear Finland Oy stores personal data for a maximum of four months after the end of the General Meeting.
The minutes of the General Meeting and the list of votes attached thereto are stored permanently. It includes the names of shareholders who participated in the General Meeting, the names of potential proxies and aids, the number of shares and votes, and the numbers of the voting tickets.
When the personal data is no longer necessary or there is no longer legal basis for processing them, the reports containing personal data will be anonymised or erased.
8. Data subject rights and the exercise of rights
A data subject has the following rights according to the applicable data protection legislation:
- The right to request access to personal data concerning the data subject and the right to ask for the data in question to be rectified or deleted within the limitations set out in and according to applicable data protection legislation;
- The right to request restriction of processing or object the processing within the limitations set out in and according to applicable data protection legislation;
- The right to file a complaint to the national data protection authority (in Finland: The Office of the Data Protection Ombudsman, https://tietosuoja.fi/etusivu) or another EU or EEA data protection authority.
Requests to exercise the abovementioned rights shall be directed to
UPM Privacy by e-mail privacy@upm.com
or by post to the address:
UPM-Kymmene Corporation / Privacy
Alvar Aallon katu 1, P.O. Box 380
FI-00101 Helsinki, Finland
