Privacy statement – AGM webcast 2024


Updated 31 January 2024
Unofficial translation, Finnish version of the Privacy Statement shall prevail

1. Data Controller and the contact person

UPM-Kymmene Corporation (”UPM”)
Alvar Aallon katu 1,
FI-00100 Helsinki, Finland
Group Legal Counsel Saara-Maria Helminen
Alvar Aallon katu 1, 00100 Helsinki/PL 380, 00101 Helsinki or

2. The purpose and legal basis for the processing of the personal data

Information needed for the identification of a shareholder is collected in pursuance of the registration for the webcast of Annual General Meeting. The webcast is only intended for shareholders. The purpose for the collection of the information is to enable the registration of shareholders to follow the Annual General Meeting [webcast], the identification of shareholders. The processing is based on UPM’s legitimate interest to be able to provide its shareholders flexible opportunity to follow the company’s Annual General Meeting.

Innovatics Oy is the technical administrator and implementer of the system used to register for the webcast and confirm the right to participate, and FLIK Helsinki Oy is the administrator and implementer of the system used for the webcast.

3. Personal data processed

In connection with the registration for the Annual General Meeting webcast, the following categories of personal data may be processed: name, personal identity code or date of birth, phone number, email address and ip-address.

4. Regular sources of information

The personal data is collected mainly from the shareholder registering for the Annual General Meeting webcast. Registration information is compared to the shareholder list on the record date to confirm shareholder ownership.

5. Disclosures of data to third parties and transfer of data outside the EU or EEA

The Controller may transfer and disclose personal data to third parties in the following situations:

  •  to Innovatics Oy and FLIK Helsinki Oy, which maintain the systems used for the online broadcast of the general meeting, and to FLIK Helsinki Oy, as well as to other trusted service providers who act on behalf of the controller, as necessary;
  • within the group; and
  • when the disclosure is necessary in order to ensure the rights of the Controller, data subject or others, to investigate potential fraud, or to respond to requests from public authorities.

Personal data is not transferred to countries outside the European Union or the European Economic Area.

6. The principles how the data file/register is secured

The Controller has undertaken appropriate technical and organizational security measures in order to protect the personal data from loss, destruction, misuse and unauthorized access.

7. Retention period for personal data

The personal data is only kept for as long as it is necessary for the purposes set out in this statement. In practice the personal data shall be kept for a period of three months after the date of the Annual General Meeting.

When personal data are no longer needed or there is no longer a basis for their processing, personal data is anonymized or deleted.

8. Data subject rights and the exercise of rights

A data subject has the following rights according to the applicable data protection legislation:

  • The right to request access to personal data concerning the data subject and the right to ask for the data in question to be rectified or deleted within the limitations set out in and according to applicable data protection legislation;
  • The right to request restriction of processing or object the processing within the limitations set out in and according to applicable data protection legislation;
  • The right to file a complaint to the national data protection authority (in Finland: The Office of the Data Protection Ombudsman, or another EU or EEA data protection authority.

Requests to exercise the abovementioned rights shall be directed to or
or by post to the address:
UPM-Kymmene Corporation / Privacy
Alvar Aallon katu 1, P.O. Box 380
FI-00101 Helsinki, Finland