Privacy statement

Privacy statement

14.9.2011

Combined register statement and information document Personal Data Act (523/99) Sections 10 and 24

1. Registrar

VR-Group Ltd (hereinafter VR)
Business ID: 1003521-5
Vilhonkatu 13
P.O. Box 488
FI-00101 Helsinki
tel. +358 307 11

2. Matters concerning the register are handled by

VR-Group Ltd
Mr. Harri Luoto
P.O. Box 488
FI-00101 Helsinki
tel. +358 307 11

3. Register name

VR passenger services customer register

4. Purpose of collection of personal data

The primary purpose of the collection of personal data is the customership between VR and the customer (factual connection). The collection of personal data may also be based on the customer's consent, be due to a legal obligation or an assignment given by the customer to VR.
Personal data is used for the following purposes:

• Production, development and monitoring of VR services and customer service.
  
• Management and development of the customer relation.
  
• Customer relations communication and marketing and management of customer contact history.
  
• Processing of and replying to customer feedback.
  
• Processing of refund requests and compensation claims, replies and payments.
  
• Analysis of customer database and travel information and classification which aims to focus communications. An individual customer cannot be identified from the end result of the analysis.
  
• Realization of the customer's and VR's rights and obligations and security and responsibility. Taking care of obligations based on the law or orders issued by the authorities.
  
• Operation of online services, development of the sites and compilation of statistics.
  
• Recording of phone calls to authenticate service transactions, to secure due process and security and for customer service staff training.

5. Register information content

Customer information:

• name
  
• date of birth
  
• user names and customer identifiers
  
• gender
  
• language
  
• address
  
• phone number(s)
  
• e-mail
  

Personal data connected to the provision of services and travelling:

• Service, sales and travel information
  
• Service usage information by service channel such as the Internet and ticket vending machines
  
• Personal identity number for services requiring identification such as a school ticket
  
• Travel document information when crossing the border such as passport number
  
• Information provided by the customer for car transport
  
• Customership analysis and classification data
  
• Direct marketing permissions and bans (see point 12)
  
• Information connected to direct marketing and customer communications
  
• Recording of VR Customer Care phone calls
  
• Information received from external sources, such as the Population Information System, connected to the customer
  
• Information connected to data processing, such as log files
  
• Information required to order and execute assistance services, such as name, type of help needed, contact information and journey details
  
• Information connected to refund and compensation application, such as grounds, amount of compensation sought and bank account information
  
• Information connected to customer feedback and replying to it

6. Regular sources of information

Information connected to customers are primarily gathered from customers themselves when an order is placed or when signing up, when purchasing or using services, in online services' My account section, in customer service situations and otherwise directly from customers. Information connected to customers are generated in VR information systems also in the context of service use and travelling. The information is also updated from the Population Information System or other similar external sources of information.

7. Regular transfers and handing over of information and transfer of information outside the EU and the European Economic Area (EEA)

Customer information is not handed over to parties outside VR or parties not taking part in the production of VR services without a statutory basis. Customer information may be transferred to VR's direct marketing register
Customer information is transferred outside the EU or EEA only on to implement an agreement between the customer and VR or for purposes relating to travel based on the law.

8. Use of cookies

A cookie is a short text file which the web server sends to the user's browser and is stored on the computer's hard disk. VR uses cookies in its web services to provide services and make it easier to use the service. Cookies are used to safeguard the service's security, efficiency and user friendliness. With the cookies the service provider can find out what information the user is interested in and how and when the online service is used. With this information the service provider tries to develop the online service to even better meet the needs of customers.

Online service users can disable cookies in the browser settings. In most browsers you can check JavaScript and cookie settings from Internet Options or Tools menus. If cookies are disabled it is possible that you cannot use all of the site's services such as VR Online Shop. For additional information on cookies and the technical implementation of VR online services click here.

9. Register data protection principles

The data security of VR personal data processing and confidentiality, integrity and usability is ensured with appropriate technical and administrative measures in accordance with VR's information security principles. Personal data is protected against unauthorized access or accidental data processing. Only VR staff members specifically authorized to handle personal data are authorized to access it.

10. Right to inspect and carrying out the inspection right

Customers have in accordance with Sections 26-28 of the Personal Data Act the right to verify what information on them has been recorded into VR customer register. Customers must in the verification request state the necessary information to find the data: name, address, phone number and customer number.
The verification request is to be signed and sent in writing to:

VR-Group Ltd
VR Customer Care
P.O. Box 55
FI-11130 Riihimäki

The reply to the verification request will be sent to the person having made the request by post. A reasonable fee is charged for the verification request if the request is made less than one year after the previous request.

11. Correction of information

Customers may in accordance with Section 29 of the Personal Data Act update their basic information in VR's online service. With regard to other information the correction request must be made by calling VR Customer Care or in writing to:

VR-Group Ltd
VR Customer Care
P.O. Box 55
FI-11130 Riihimäki

Customers must state the necessary facts to correct the data and information required to identify the customer: name, address, phone number and customer number. VR takes care of customer information correctness and integrity also by updating the customers' official name and contact information regularly from the Population Information System.

12. Permissions and bans

Customers may give VR a direct marketing permission conforming to Section 26 of the Data Protection of Electronic Communications Act or forbid VR in accordance with Section 30 of the Personal Data Act from using information concerning them for direct marketing.

Customers have the possibility to forbid direct marketing, tele marketing, market surveys and the use of their travel information for marketing purposes.

If the customer does not give any permissions and orders all possible bans the customer will only be sent the necessary customer communications material required to provide the service and manage the customership.

VR-Group Ltd Customership Agreement

14.9.2011

1. Purpose and Objective of the Agreement

This Agreement determines the terms of the customership of a registered customer of VR-Group Ltd. The Agreement deals with VR-Group Ltd's own traffic. The objective of the Agreement is to enable better customer service by offering customers various services and benefits connected to the customership. The Agreement is concluded between VR-Group Ltd and the customer.

2. Service provider and contact information

VR-Group Ltd Vilhonkatu 13, FI-00100 Hki vr.fi/asiakaspalvelu Business ID 1003521-5

3. Customership

Birth of the customership The Customership Agreement between the customer and VR emerges when the customer signs up as a VR customer by providing the required information and by accepting these customership terms. The customership is free of charge and valid until further notice. Prerequisites for the birth of the customership are:

• 18 years of age
  
• the customer is a natural, legally competent person
  
• the customer provides correct information when signing up VR reserves the right not to grant customership.
  

The validity of the customership requires that the customer maintains the correctness of the the personal information and updates and corrects it immediately during the entire validity of the Agreement.

End of the customership The customership may be discontinued at any time by notifying VR in writing. VR has the right to cancel the Agreement on the following grounds: – materially erroneous or incomplete information provided by the customer, – a material breach of the Agreement by the customer, – the customer does not use the service during a period of 24 months – other reason attributable to the customer due to which there are no justifiable reasons to continue the customership After the customer has sent the notice of termination or VR has cancelled the Agreement the customer can no longer get any benefits connected to the customership. The customership ends when VR has processed all matters concerning the customership pending at the time that the notice of termination is sent.

Handling of personal data In providing personal data to VR the customer thereby consents to the processing of the information in accordance with VR Passenger Services' Privacy protection notice and VR direct marketing register statement.

4. Use of online services

Customers' rights and obligations Customers have the right to use online services provided by VR to access VR services. Customers receive their own user name and password when signing up. Customers agree to use the online service in accordance with VR instructions, law, good practice and in conformity with the Agreement only for the agreed purpose. The access right is non-transferable. The customer agrees that all actions effected with the customer's user name bind the customer and that the customer is responsible for them. The customer is released from liability only after the customer has reported that a third party has gained access to the user name.

VR's rights and obligations VR tries to provide a high-level of service but is not responsible for uninterrupted functioning of the site, Internet connections, technical problems, fault-free online service etc. and is not liable for damage incurred by customers due to deficiencies in the online service. VR is not responsible for links to third party websites on its website, sites accessed through the links or any damage caused to customers by accessing the sites.

5. General terms

The contractual terms are in effect until further notice and VR is entitled to unilaterally change them. A customer cannot transfer the Agreement to a third party. Any liability for damages attributable to VR does not cover indirect or consequential damage incurred by the customer. VR is not responsible for consequences due to force majeure or unreasonable hardships in VR operations. The Agreement is governed by Finnish law. Disputes concerning or arising from the Agreement which cannot be resolved by the parties are settled by Helsinki District Court.

Direct marketing register

14 September 2011

Personal Data Act (523/99) Chapter 19

1. Registrar

VR-Group Ltd (hereinafter VR)
Business ID: 1003521-5
Vilhonkatu 13
P.O. Box 488
FI-00101 Helsinki
tel. +358 307 11

2. Register contact person

Sara Kontio
VR-Group Ltd, Passenger Services
Vilhonkatu 13
FI-00100 Helsinki

3. Register name

VR Direct marketing register

4. Purpose of processing of personal data

The processing of personal data in accordance with the Personal Data Act's Section 19, subsection 1, paragraphs 1 and 2 for VR direct marketing, telemarketing, marketing act, campaign or other direct marketing, opinion poll or market survey or other comparable addressed message by e-mail, post and mobile phone.

5. Register information content

The following information is stored in the direct marketing register:

• registree's name
  
• title or occupation · age
  
• gender
  
• mother tongue
  
• one registree identity attribute
  
• contact information: postal address, phone number and e-mail address.
  
• personal data connected to a marketing act or campaign earmarked in advance which has a short duration and due to its information content does not endanger the privacy protection of the registree
  
• consents and prohibitions in direct marketing referred to in Section 30 of the Personal Data Act and Section 26 of the Act on the Protection of Privacy in Electronic Communications

6. Regular sources of information

Information concerning VR's customers is obtained from VR Passenger Services' customer register and external information sources such as third party registers used to focus marketing. Information quality can be maintained by comparing the information in the direct marketing register to information in the Population Information System or other reliable source.

7. Regular transfers and handing over of information outside the EU and the European Economic Area (EEA)

The direct marketing register information is processed only by VR or third parties working for VR to maintain or develop the service and partners participating in marketing. Personal data is not transferred outside the EU or the European Economic Area (EEA).

8. Register data protection principles

The data security of VR personal data processing and confidentiality, integrity and usability is ensured with appropriate technical and administrative measures in accordance with VR's information security principles. Personal data is protected against unauthorized access or illegal or accidental data processing. Only VR staff members specifically authorized to handle personal data are authorized to access it.

9. Verification right

Customers have in accordance with Sections 26-28 of the Personal Data Act the right to verify what information on them has been recorded into VR customer register. Customers shall in the inspection request state the following information: name, address and e-mail address. The verification request is to be signed and sent in writing to:
VR-Group Ltd
VR Customer Care
P.O. Box 55
FI-11130 Riihimäki
The reply to the verification request will be sent to the person having made the request by post. A reasonable fee is charged for the verification request if the request is made less than a year after the previous request.

Camera surveillance privacy statement

18.9.2012

Personal Data Act (523/99) Chapters 10 and 24

1. Registrar

VR-Group Ltd (hereinafter VR)
Business ID: 1003521-5
Vilhonkatu 13
P.O. Box 488
FI-00101 Helsinki
tel. +358 307 10

2. Register contact person

Pekka Ahola
VR-Group Ltd
P.O. Box 488
FI-00101 Helsinki

3. Register name

VR-Group Ltd Passenger Services Camera Surveillance Register for Work and Passenger Areas

4. Purpose of processing of personal data

The personal data is processed to maintain order and general safety and to investigate crimes, losses and accidents at VR premises and areas and on certain trains.

5. Register information content

The time and location specific recordings made by the camera surveillance system at VR premises and areas and Sm4 and Sm5 trains.

6. Regular sources of information

The camera surveillance system operating at VR premises and areas stated in the appendix and in Sm4 and Sm5 trains.

7. Regular handing over of information

Information is not handed over regularly. It is handed over if required to carry out measures stated in point 4.

8. Data transfer to outside the EU or EEA

Data is not transferred to outside the EU or EEA.

9. Register data protection principles

VR premises where personal data is processed are protected by access control under the premises security guideline.

Documents/recordings in paper format are kept in locked spaces to which access by outsiders is completely prohibited. Only specifically designated persons may access them. Documents are destroyed in line with information security guidelines.

VR premises, where personal data is processed, are protected with access control in line with premise security guidelines.

Unnecessary documents are destroyed. Documents and data in electronic format are protected under VR's information security guideline with user names and against outside intrusion with firewalls. Only persons with user rights may access the data.

10. Verification right

Persons have under Sections 26-28 of the Personal Data Act the right to verify what information has been recorded on them in the camera surveillance register. Individuals have the right to know what information has been recorded on them with rights and limitations stated in the Personnel Data Act by submitting a sufficiently accurate and detailed request on the matter. The written request is to be signed and sent to: VR-Yhtymä Oy, PL 488, 00101 Helsinki.

The reply will be sent by post. A reasonable fee is charged for the verification request if the request is made less than a year after the previous request.

VR has recording cctv surveillance at public spaces at the following stations:

Espoo, Helsinki central railway station, Hyvinkää, Hämeenlinna, Iisalmi, Imatra, Joensuu, Järvenpää, Kajaani, Karjaa, Kemi, Kerava, Kirkkonummi, Kokkola, Kouvola, Kupittaa, Lahti, Lappeenranta, Mikkeli, Oulu, Pieksämäki, Pori, Riihimäki, Rovaniemi, Salo, Seinäjoki, Tampere, Tikkurila, Turku, Vaasa, Ylivieska.

The Finnish Transport Agency conducts camera surveillance at some stations.