Personal data act file concerning UPM Report Misconduct channel

(sections 10 and 24 of the personal data act 523/1999)

 3.7.2016​

 

1. Data controller

UPM-Kymmene Corporation (”UPM”)
Alvar Aallon katu 1, FI-00100 Helsinki, Finland

2. The person in charge / contact person

Head of Internal Audit
Arto Tenhula
Alvar Aallon katu 1, FI-00100 Helsinki/P.O. Box 380, FI-00101 Helsinki
email: arto.tenhula@upm.com
phone: +358 50 370 3716

3. Name of the register

Register regarding personal data concerning UPM Report Misconduct channel

4. The purpose for processing the personal data / the purpose for the use of a register

In order to safeguard the effective implementation of its Code of Conduct and relating policies UPM provides a reporting channel for its employees and other stakeholders for reporting alleged misconduct and violations of its Code of Conduct and relating policies.

Moreover, applicable national and EU-level regulation requires UPM to have in place appropriate internal procedures for its employees to report by using an independent channel infringements of financial markets regulations.

UPM encourages reporting misconduct and violations on a named basis but reports can also be made on an anonymous basis.

The purpose for the processing of data contained in the register is to investigate the alleged misconduct and violations and to comply with the regulations governing the procedures.

5. Content of the register

The register shall contain the following information:

  • Reporting person:
    Name (if available);
    Address (if available);
    E-mail (if available);
    Phone number (if available);
    Other information provided by the reporting person;
    Date of report.
  • Person accused of alleged misconduct or violation:
    Name
    Contact information (as available);
    Description of the alleged misconduct or violation, investigation procedure and outcome of the investigation.
    Date on which the person was included to the register.

6. Regular sources of information

The information to be entered into the register shall be collected from the reporting person and persons involved in the investigation of the alleged misconduct or violation.

7. Regular destinations of disclosed data and whether the data is transferred to countries outside the European Union or the European Economic Area

Data may be disclosed in accordance with applicable legislation to the competent authorities, such as the Finnish Financial Supervisory Authority.

Personal data is not regularly transferred to countries outside the European Union or the European Economic Area but may be transferred in an individual case if needed for the purpose of effective investigation of the alleged misconduct or violation.

8. The principles how the data file/register is secured.

A. Manual register
No manual data shall be kept.

B. Data processed by electronic means
Access to the register is protected by passwords. Access to the register is restricted to identified persons within UPM or any person acting on its behalf or on its account that need that access due to the nature of their function or position.

9. Right of access and realization of the right of access

Regardless of secrecy provisions, the registered person shall have the right of access, after having supplied sufficient search criteria, to the data on him/her in the personal data file, or to a notice that the file contains no such data. The data controller shall at the same time provide the data subject with information of the regular sources of data in the file, on the uses for the data in the file and the regular destinations of disclosed data. However, the right of access described above may be restricted if providing the data to the registered person could adversely affect the investigation of the alleged misconduct or violation.

A person, who wishes to have access to the data on himself/herself, as referred to above shall make a request to this effect to the data controller by a personally signed or otherwise comparably verified document.

Above described requests shall be directed to Head of Internal Audit Arto Tenhula either by email: arto.tenhula@upm.com or by letter: P.O. Box 380, FI-00101 Helsinki.

10. Rectification and realization of the rectification

The data controller shall, on its own initiative or at the request of the data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file if it is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing. The data controller shall also prevent the dissemination of such data, if this could compromise the protection of the privacy of the person who has been entered into the register or his/her rights.

If the data controller refuses the request of the data subject of the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the data subject may bring the matter to the attention of the Data Protection Ombudsman.
The data controller shall notify the rectification to the recipients to whom the data have been disclosed and to the source of the erroneous personal data. However, there is no duty of notification if this is impossible or unreasonably difficult.

Above described requests shall be directed to Head of Internal Audit Arto Tenhula either by email: arto.tenhula@upm.com or by letter: P.O. Box 380, FI-00101 Helsinki.