Data protection notice



Processing of your personal data

As we want to protect your privacy as comprehensively as possible, we take data protection seriously. We use your personal data only for the purposes we have indicated in advance and we process it without jeopardising your privacy.

We process your personal data only to the extent necessary for processing in question. There is no need to worry: your data is only processed by persons whose task it is to do so.

The data protection notices below provide you with more information about the protection of your privacy. In the data protection notices, we describe, for instance,

  • what kind of personal data we collect and for which purposes

  • when and how we can share your personal data with partners

  • what rights you have and how you can access your personal data.


VR’s customer data protection notice


1. Controller

VR-Group Ltd (hereinafter referred to as “VR”)
Business ID: 1003521-5

PO Box 488
FI-00101 Helsinki, Finland
tel. +358 307 10


2. Data protection officer and their contact information

VR Group’s Data Protection Officer
Tanja Kalliojärvi

In any questions related to the register, please contact us by e-mail at


3. For which purposes do we use your personal data?

  1. To offer as versatile and personal services and customer care as possible, such as tailored train travel services, targeted communications and recommendations on different services. We develop and monitor our services by analysing personal data and by creating profiles on the basis of the analysis.

  2. To carry out sales and marketing activities and to facilitate your use of our different service channels (such as online, vending machine and mobile services). We want to develop our services together with our customers by utilising customer surveys and customer research.

  3. To be able to process feedback with the aim of improving and developing our operations and answering questions. We process compensation claims submitted to us and respond to them. We store information about customer service actions and calls, for instance, in order to verify purchase and service transactions and develop our service.

When we process your personal data in the manners described above, the grounds for processing is the performance of the contract you have concluded with VR. Customer surveys can also be conducted on the basis of your consent.

In addition, we may process your personal data to fulfil our obligations as laid down by law and regulations given by authorities, not forgetting security and responsibility. In this case, the grounds for processing is a legal obligation.

We can transfer your personal data within VR Group on the basis of a legitimate interest, if there is a particular reason to do so.

We use cookies on our website to execute services and to make the service easy to use. More information about cookies and the technical execution of the VR website.


4. Sources of data

The principal source for collecting customer-related data is the customer themselves. Data is collected in connection with orders, registration, purchase and use of services, customer service transactions, on our website and otherwise directly from the customer. Customer-related data is created in VR’s information systems also when using VR’s services and travelling. We may update the data on the basis of the Population Information System or other similar reliable external sources of data.


5. Data collected about our customers

Personal data related to service production and travelling

We process the personal data described below that we collect from persons who have done business with us or used our services and from customers registered in the loyalty programme.

  • Service, sales, payment and travel transaction data, including the e-mail address and telephone number needed for train ticket delivery or other service. When you purchase a personal ticket, we also ask you to provide your name and date of birth.

  • Service usage data in different transaction channels, such as the Internet, vending machine and mobile services, including, among other things, log and service transaction data and cookies required for combining the page view count.

  • Positioning data related to the use of services.

  • The model, operating system and language preference of the device used by the customer.

  • Travel document data, such as the passport number, in case of a border crossing.

  • Car-related information provided by the customer for car transport.

  • Data related to direct marketing and customer communications, such as what kind of messages have been sent and whether they have been opened.

  • Customer service call recordings.

  • Data associated with the customer that is obtained from external sources of data, such as the Population Register Centre’s address information system.

  • Data required for ordering and carrying out assistance service, such as the person’s name, the description of the need of assistance, contact and journey details.

  • Data related to customer feedback and compensation claims as well as to responding to them, including banking details.

  • The information provided by the customer that makes the service more personalised and easier to use, such as favourite routes, the favourite seat in the train and customer grouping and profiling information.

  • We process personal identity numbers on the basis of the customer’s consent in certain services that require the customer to be specified or identified, such as identification with a personal identity card. In identification with a personal identity card, the personal identity number is not provided as clear text and the original data cannot be restored on the basis of the string created.

  • Market research bans.


Personal data needed in customer communications

When it comes to persons who have registered in the loyalty programme, we also store their name, date of birth, language and more detailed contact information, such as the address and telephone number.

In addition, when it comes to persons who have registered in the loyalty programme, we process consents and bans related to direct marketing, data related to direct marketing and customer communications as well as data that makes the service more personalised and easier to use.


Data related to corporate customers

As for corporate customers, we may also collect the name of the company’s contact person and other corporate users as well as their contact details, such as their address, email address and telephone number.


6. Processors of personal data

We use reliable service providers in support of the processing of personal data in the maintenance and development of IT systems, in service production and in various research and development tasks, for instance. These experts process personal data commissioned by us. Data processing follows the current legislation. This is ensured through agreements between the organisations.

Without statutory grounds, we will not disclose customer data to parties outside VR or parties other than those participating in the production of VR’s services.


7. Transfer or disclosure of data outside the EU or the EEA

Data will not be disclosed outside the EU or the European Economic Area or outside countries which the European Commission considers to have an adequate level of data protection, unless the adequate level of data protection has been ensured with agreements or in another manner required by law. With regard to journeys to Russia, necessary information relating to travelling is, however, handed over to the border guard and other authorities and the Russian railways (RZD).



8. Data retention period

We store personal data only for as long as it is necessary for the purposes of use according to the legislation that is in force at each particular moment. After this, personal data will be either erased or anonymised.

When storing personal data, we comply with legal obligations, taking into account, among other things, accounting legislation, the EU regulation on rail passengers’ rights and obligations and the Rail Traffic Liability Act. When the contractual relation ends, the data storage period is determined according to the purpose of use and existing legislation.


9. Our customers’ rights

As our customer, you have a right to your personal data processed by VR. You can exercise your rights by submitting a data protection request with the online form on the website. Alternatively, you can submit the request by calling VR’s customer service. Your request will be responded to within a month. We ensure these rights as described here by taking the applicable legislation and restrictions set therein into account.

As our customer, you have the following rights related to data protection:


1. Right to access data

You have the right to receive a copy of your personal data from VR and a confirmation of whether we have processed your personal data. The primary method for delivering the copy is encrypted email or alternatively mailing the document. Some data, such as call recordings, can only be accessed by visiting a VR office.


2. Right to rectification

You have the right to request us to rectify inaccurate or erroneous data about you. When you register in our loyalty programme, you can edit your personal data directly through our website. Such data includes, for instance, your name, address and contact details.


3. Right to erasure

You have the right to request us to erase your personal data. Requests are handled on a case-by-case basis. VR has a legislation-based obligation or right to store certain data; such data cannot be erased.


4. Restriction of processing

You have a right in certain special situations stipulated by the regulation to request the restriction of the processing of your personal data.


5. Objection to processing

You also have a right to object to the use of your data in direct marketing, for instance. On grounds relating to your particular situation, you can object to processing that is based on VR’s legitimate interest.


6. Right to data portability

You have the right to receive your data from us in a structured and commonly used format, which will enable you to transfer your data to another controller. This right concerns data that is in electronic format and whose processing is based on consent or the performance of a contract. The data will be delivered to you as encrypted email.


7. Right to withdraw consent

You have the right to withdraw the consent you have given when it is the grounds for processing personal data. When the consent is withdrawn, the consent-based processing of personal data will be discontinued. Private customers who have registered in the loyalty programme may withdraw their consent to electronic direct marketing by logging in to our website and editing their data.


8. Right to lodge a complaint with an authority

We seek to resolve any disputes primarily with our customers. If you find that we have not processed your personal data as stipulated by law, you may lodge a complaint with a supervisory authority.


10. Principles of data protection

We ensure the data security of the processing of our customers’ personal data processing and personal data confidentiality, integrity and accessibility with appropriate technical and organizational measures in accordance with VR’s data security principles. Personal data is protected against unauthorised access and illegal or accidental processing. Personal data is processed only by persons specifically appointed by VR to such tasks. We train and provide guidance to our employees involved in the processing of customer data in matters related to data protection.



Data Protection Notice for VR-Group Ltd’s camera surveillance (CCTV)

25 May 2018

1. Controller

VR-Group Ltd
Business ID 1003521-5
PO Box 488
FI-00101 Helsinki, Finland
tel. +358 307 10


2. Contact person in matters related to the data file

Pekka Ahola
VR-Group Ltd
PO Box 488
FI-00101 Helsinki, Finland

Data protection officer
Päivi Minkkinen


3. Purposes of the processing of personal data

Personal data is processed to ensure the maintenance of order and safety and to look into criminal offences, incidents or accidents in VR’s premises, properties, outdoor areas and part of its rolling stock.

The processing of personal data is based on the controller’s legitimate interest.


4. Sources of data

A camera surveillance system that consists of recording surveillance cameras in VR’s premises, properties, outdoor areas and rolling stock.

VR has recording camera surveillance in the public spaces of the following stations:

Helsinki Central Railway Station, Hyvinkää, Hämeenlinna, Iisalmi, Imatra, Joensuu, Järvenpää, Kajaani, Karjaa, Kemi, Kerava, Kirkkonummi, Kokkola, Kouvola, Kupittaa, Lahti, Lappeenranta, Mikkeli, Oulu, Pieksämäki, Pori, Riihimäki, Rovaniemi, Salo, Seinäjoki, Tampere, Tikkurila, Turku, Vaasa, Ylivieska.


5. Data content of the data file

Time- and location-specific visual recordings from VR’s premises, properties, outdoor areas and rolling stock, recorded by the camera surveillance system.


6. Recipients of personal data

Personal data is disclosed, to the extent permitted by law, to the Finnish Transport Agency and, upon request, to other authorities.

We use external parties to support the processing of personal data in the maintenance and development of IT systems and safety monitoring room duties, for instance. These service providers process personal data commissioned by us and on our behalf. The data processing follows current legislation and is always carried out in accordance with this privacy statement. This is ensured, among other things, through contracts between the organisations.


7. Transfer or disclosure of data outside the EU or the EEA

Data will not be disclosed outside the EU or the European Economic Area or outside countries which the European Commission considers to have an adequate level of data protection, unless the adequate level of data protection has been ensured with contracts or in another manner required by law.


8. The data storage period or the definition criteria for the storage period

Normally, camera recordings are stored for one month at the maximum. However, data may be stored for a longer time, if necessary (upon authorities’ request, for instance).


9. Rights of the data subject

Right to access data / right to review data

A person has the right to access the data that has been stored about them in VR’s camera surveillance data file. After submitting a sufficiently detailed and specific access request, the person has the right to access data about them included in the recordings, subject to the rights and restrictions that are defined in more detail in the General Data Protection Regulation. The access request must be made in writing, signed and sent to: VR-Group Ltd, PO Box 488, FI-00101 Helsinki, Finland.

The response to the request will be mailed to the person who submitted the request. A reasonable fee will be charged for the access request if it is less than a year since the previous access time.

Please note that in the railway network, camera surveillance in platform areas and in some of the stations falls under the responsibility of the Finnish Transport Agency.


Right to lodge a complaint with an authority

We seek to resolve any disputes primarily directly with data subjects. If a customer finds that we have not processed personal data as stipulated by law, the customer may lodge a complaint with a data protection authority.


10. Principles of data file protection

VR’s premises where personal data is processed are protected with access control as defined in the facility security guidelines.

Paper documents/records are stored in locked premises where outsider access is completely prohibited. Only separately appointed persons can access these documents/records. Documents are disposed of according to data security guidelines.

As defined in VR’s data security policy, electronic documents and data are protected with usernames and passwords as well as with firewalls against external intrusion. Only persons who have been given access rights can access the data.


VR-Group Ltd Customership Agreement

6 February 2015

1. Purpose and Objective of the Agreement

This Agreement determines the terms of the customership of registered customers of VR-Group Ltd. The Agreement deals with VR-Group Ltd's own traffic. The objective of the agreement is to enable better customer service by offering customers various services and benefits connected to the customership. The Agreement is concluded between VR-Group Ltd and the customer.


2. Service provider and contact information

VR-Group Ltd
Vilhonkatu 13,
FI-00100 Hki
Business ID 1003521-5


3. Customership

Establishment of Customership A Customership Agreement between the customer and VR is established when a natural person registers as a VR customer by giving the requested information of him, or herself, and by approving the conditions of customership. The customership is free of charge and valid until further notice. The establishment of customership requires that the information that is given when registering is accurate, and that the customer is at least 16 years old. A customer who is under age is required to have permission from a parent or guardian. The customership is free of charge and valid until further notice. VR reserves the right to refuse customership. The validity of customership requires that the customer must, throughout the duration of the agreement, keep his or her information accurate and up-to-date, and to correct any errors without delay.

End of customership Customers can discontinue their Veturi membership at any time by notifying VR in writing. VR has the right to cancel the agreement on the following grounds:

  • materially erreonous or incomplete information provided by the customer

  • material breach of the agreement by the customer

  • the customer does not use the service during a period of 24 months

  • other reason attributable to the customer due to which there are no justifiable reasons to continue the customership

After the customer has sent the notice of termination or VR has cancelled the agreement the customer can no longer get any benefits connected to the customership. The customership ends when VR has processed all matters concerning the customership pending at the time that the notice of termination is sent.

Processing of personal data In providing personal information to VR customers thereby consents to the processing of the information in accordance with VR Passenger Services' Privacy protection notice and VR direct marketing register statement.


4. Use of online services

The customers' rights and obligations Customers have the right to use their username (e-mail address or customer number) to access VR's online service to manage their customership. Customers agree to use the online service in accordance with VR instructions, law, good practice and in conformity with the agreement only for the agreed purpose. The access right is non-transferable. Customers agree that all actions effected with the customers’ user name bind them and that customers are responsible for them. Customers are released from liability only after they have reported that a third party has gained access to the user name.

VR's rights and obligations VR tries to provide a high-level of service but is not responsible for uninterrupted functioning of the site, Internet connections, technical problems, fault-free online service etc. and is not liable for damage incurred by customers due to deficiencies in the online service. VR is not responsible for links on its websites, sites accessed through the links or any damage caused to customers by accessing the sites.


5. General terms and conditions

The contractual terms are in effect until further notice and VR is entitled to unilaterally change them. Customers cannot transfer the agreement to a third party. Any liability for damages attributable to VR does not cover indirect or consequential damage incurred by customers. VR is not responsible for consequences due to force majeure or unreasonable hardships in VR operations. The Agreement is governed by Finnish law. Disputes concerning or arising from the Agreement which cannot be resolved by the parties are settled by Helsinki District Court.