Data protection notice
VR’s data protection notice
5 December 2019
Processing of your personal data
As we want to protect your privacy as comprehensively as possible, we take data protection seriously. We use your personal data only for the purposes we have indicated in advance and only to the extent necessary for the purpose of the processing in question. Your data shall only be processed by individuals authorised to process personal data due to their work tasks.
The data protection notice covers the protection of your privacy and, for example, the following information:
What types of personal data we collect and for which purposes
When and how we can share your personal data with partners
What rights you have and how you can access your personal data.
Anyone over the age of 13 is allowed to create an account in VR’s services. You are responsible for your account’s login information as well as its accuracy, timeliness and appropriate use.
If you suspect that someone has gained unauthorised access to your login information, please change your password immediately. You can delete your account by requesting its deletion via e-mail at email@example.com.
VR’s customer data protection notice
VR-Group Ltd (hereinafter referred to as “VR”)
Business ID: 1003521-5
PO Box 488
FI-00101 Helsinki, Finland
tel. 029 43 43
2. Data Protection Officer and contact information
3. For which purposes do we use your personal data?
a. To offer as versatile and personal services and customer care as possible, such as tailored train travel services, targeted communications and recommendations on different services. We develop and monitor our services by analysing personal data and by creating profiles on the basis of the analysis.
b. To carry out sales and marketing activities and to facilitate your use of our various service channels (such as online, vending machine and mobile services, social media channels and digital marketing). We want to develop our services together with our customers by utilising customer surveys and customer research.
c. To be able to process feedback with the aim of improving and developing our operations and answering questions. We process compensation claims submitted to us and respond to them. We store information about customer service actions and calls, for instance, in order to verify purchase and service transactions and develop our service.
When we process your personal data in the manners described above, the grounds for processing is the performance of the contract you have concluded with VR. Customer surveys can also be conducted on the basis of your consent.
In addition, we may process your personal data to fulfil our obligations as laid down by law and regulations given by authorities, not forgetting security and responsibility. In this case, the grounds for processing is a legal obligation.
We can transfer your personal data within VR Group on the basis of a legitimate interest, if there is a particular reason to do so.
4. Sources of data
We primarily collect customer-related data from the customer themselves. Data is collected in connection with orders, creation of a VR account, purchase and use of services, our digital services, customer service transactions, customer surveys and otherwise directly from our customers (e.g. data received through games and prize draws).
Customer-related data is also created in VR’s information systems when using VR’s services and travelling. We may update the data on the basis of the Population Information System or other similar reliable external sources of data in order to ensure that our register remains up to date.
5. Data collected about our customers
Personal data related to service production and travelling
We shall process the customer information listed below:
Service, sales, payment and travel transaction data, including the e-mail address and telephone number needed for train ticket delivery or other service. When you purchase a personal ticket, we also ask you to provide your name and date of birth.
Service usage data in different transaction channels, such as the Internet, vending machine and mobile services, including, among other things, log and service transaction data and cookies required for combining the page view count.
Positioning data related to the use of services.
The model, operating system and language preference of the device used by the customer.
Travel document data, such as the passport number, in case of a border crossing.
Car-related information provided by the customer for car transport.
Data related to direct marketing and customer communications, such as what kind of messages have been sent and which messages have been opened.
Customer service call recordings.
Data required for ordering and carrying out assistance service, such as the person’s name, the description of the need of assistance, contact and journey details.
Data related to customer feedback and compensation claims as well as to responding to them, including banking details.
The information provided by the customer that makes the service more personalised and easier to use, such as favourite routes, the favourite seat in the train and customer grouping and profiling information.
We process personal identity numbers on the basis of the customer’s consent in certain services that require the customer to be specified or identified, such as identification with a personal identity card. In identification with a personal identity card, the personal identity number is not provided as clear text and the original data cannot be restored on the basis of the string created.
Consents and refusals for direct marketing and customer surveys.
Personal data needed in customer communications
We record the name, date of birth, language and detailed contact information, such as address and telephone number, of individuals registered in our digital services; in other words, customers who have created a VR account.
In addition, when it comes to persons who have created a VR account, we process consents and refusals related to direct marketing, data related to direct marketing and customer communications as well as data that makes the service more personalised and easier to use.
Data related to corporate customers
As for corporate customers, we may also collect the name of the company’s contact person and other corporate users as well as their contact details, such as their address, email address and telephone number.
6. Processors of personal data
We use reliable service providers in support of the processing of personal data in the maintenance and development of IT systems, in service production and in various research and development tasks, for instance. These experts process personal data commissioned by us. The data processing follows the current legislation. This is ensured through contracts between the organisations.
We may disclose your personal data to our partners in the following situations:
Processing of customer feedback. We may disclose your feedback and contact information to our partner if your feedback concerns services provided by said partner. In such situations, however, we ask you to primarily contact our partner directly. If we decide to transfer feedback containing your personal data, we inform you of the disclosure of the data.
Purchasing our partner’s services. If you purchase our partner’s services from us, we may disclose your personal data necessary for the implementation of the service to our partner.
VR may use personal data and travel-related information and disclose them within the VR Group for the marketing purposes of the other companies.
We will not disclose customer information to parties outside VR or parties other than those participating in the production of VR’s services without grounds based on the General Data Protection Regulation.
7. Transfer or disclosure of data outside the EU or the EEA
Data will not be disclosed outside the EU or the European Economic Area or outside countries which the European Commission considers having an adequate level of data protection, unless the adequate level of data protection has been ensured with contracts or in another manner required by law. With regard to journeys to Russia, necessary information relating to travelling is, however, handed over to the border guard and other authorities and the Russian Railways (RZD).
8. Data retention period
We store personal data only for as long as it is necessary for the purposes of use and in accordance with the legislation that is in force at each particular moment. After this, personal data will be either erased or anonymised.
When storing personal data, we comply with legal obligations, taking into account, among other things, accounting legislation, the EU regulation on rail passengers’ rights and obligations and the Rail Traffic Liability Act. When the contractual relation ends, the data retention period is determined according to the purpose of use and existing legislation.
9. Our customers’ rights
As our customer, you have a right to access your personal data of which VR is the controller. You can exercise your rights by submitting a data protection request with the online form on the vr.fi website. Alternatively, you can submit the request by calling VR’s customer service. You will receive a response to your request no later than one month after sending the request. We ensure these rights as described here by taking the applicable legislation and restrictions set therein into account.
If you buy tickets through another service provider, the provider in question will act as an independent controller. When exercising the rights of a data subject through VR’s services, the request will not be directed or transferred to the other controller. In these situations, please contact the service provider in question directly when wishing to exercise your rights under the General Data Protection Regulation.
As our customer, you have the following rights related to data protection:
1. Right to access data
You have the right to receive a copy of your personal data from VR and a confirmation of whether we have processed your personal data. The primary method for delivering the copy is encrypted email or alternatively mailing the document. Some data, such as call recordings, can only be accessed by visiting a VR office.
2. Right to rectification
You have the right to request us to rectify inaccurate or erroneous data about you. When you register in our digital services, you can edit your personal data directly through our website or application. Such data includes, for instance, your name, address and contact details.
3. Right to erasure
You have the right to request us to erase your personal data. Requests are handled on a case-by-case basis. VR has a legislation-based obligation or right to store certain data; such data cannot be erased.
4. Right to restriction of processing
You have a right in certain special situations stipulated by the regulation to request the restriction of the processing of your personal data.
5. Right to object
You also have a right to object to the use of your data in direct marketing, for instance. On grounds relating to your particular situation, you can object to processing that is based on VR’s legitimate interest.
6. Right to data portability
You have the right to receive your data from us in a structured and commonly used format, which will enable you to transfer your data to another controller. This right concerns data that is in electronic format and whose processing is based on consent or the performance of a contract. The data will be delivered to you as encrypted email.
7. Right to withdraw consent
You have the right to withdraw the consent you have given when it is the grounds for processing personal data. When the consent is withdrawn, the consent-based processing of personal data will be discontinued. Private customers who have registered in the service may withdraw their consent to electronic direct marketing by logging in to our website and editing their data.
8. Right to lodge a complaint with an authority
We seek to resolve any disputes primarily with our customers. If you find that we have not processed your personal data as stipulated by law, you may lodge a complaint with a supervisory authority.
10. Principles of data protection
We ensure the data security of the processing of our customers’ personal data processing and personal data confidentiality, integrity and accessibility with appropriate technical and organisational measures in accordance with VR’s data security principles. Personal data is protected against unauthorised access and illegal or accidental processing. Personal data is processed only by persons specifically appointed by VR to such tasks. We provide data protection training and guidance to our employees who process customer information.
25 May 2018
Business ID 1003521-5
PO Box 488
FI-00101 Helsinki, Finland
tel. +358 307 10
2. Contact person in matters related to the data file
PO Box 488
FI-00101 Helsinki, Finland
Data protection officer: firstname.lastname@example.org
3. Purposes of the processing of personal data
Personal data is processed to ensure the maintenance of order and safety and to look into criminal offences, incidents or accidents in VR’s premises, properties, outdoor areas and part of its rolling stock.
The processing of personal data is based on the controller’s legitimate interest.
4. Sources of data
A camera surveillance system that consists of recording surveillance cameras in VR’s premises, properties, outdoor areas and rolling stock.
VR has recording camera surveillance in the public spaces of the following stations:
Helsinki Central Railway Station, Hyvinkää, Hämeenlinna, Iisalmi, Imatra, Joensuu, Järvenpää, Kajaani, Karjaa, Kemi, Kerava, Kirkkonummi, Kokkola, Kouvola, Kupittaa, Lahti, Lappeenranta, Mikkeli, Oulu, Pieksämäki, Pori, Riihimäki, Rovaniemi, Salo, Seinäjoki, Tampere, Tikkurila, Turku, Vaasa, Ylivieska.
5. Data content of the data file
Time- and location-specific visual recordings from VR’s premises, properties, outdoor areas and rolling stock, recorded by the camera surveillance system.
6. Recipients of personal data
Personal data is disclosed, to the extent permitted by law, to the Finnish Transport Agency and, upon request, to other authorities.
We use external parties to support the processing of personal data in the maintenance and development of IT systems and safety monitoring room duties, for instance. These service providers process personal data commissioned by us and on our behalf. The data processing follows current legislation and is always carried out in accordance with this privacy statement. This is ensured, among other things, through contracts between the organisations.
7. Transfer or disclosure of data outside the EU or the EEA
Data will not be disclosed outside the EU or the European Economic Area or outside countries which the European Commission considers to have an adequate level of data protection, unless the adequate level of data protection has been ensured with contracts or in another manner required by law.
8. The data storage period or the definition criteria for the storage period
Normally, camera recordings are stored for one month at the maximum. However, data may be stored for a longer time, if necessary (upon authorities’ request, for instance).
9. Rights of the data subject
Right to access data / right to review data
A person has the right to access the data that has been stored about them in VR’s camera surveillance data file. After submitting a sufficiently detailed and specific access request, the person has the right to access data about them included in the recordings, subject to the rights and restrictions that are defined in more detail in the General Data Protection Regulation. The access request must be made in writing, signed and sent to: VR-Group Ltd, PO Box 488, FI-00101 Helsinki, Finland.
The response to the request will be mailed to the person who submitted the request. A reasonable fee will be charged for the access request if it is less than a year since the previous access time.
Please note that in the railway network, camera surveillance in platform areas and in some of the stations falls under the responsibility of the Finnish Transport Agency.
Right to lodge a complaint with an authority
We seek to resolve any disputes primarily directly with data subjects. If a customer finds that we have not processed personal data as stipulated by law, the customer may lodge a complaint with a data protection authority.
10. Principles of data file protection
VR’s premises where personal data is processed are protected with access control as defined in the facility security guidelines.
Paper documents/records are stored in locked premises where outsider access is completely prohibited. Only separately appointed persons can access these documents/records. Documents are disposed of according to data security guidelines.
As defined in VR’s data security policy, electronic documents and data are protected with usernames and passwords as well as with firewalls against external intrusion. Only persons who have been given access rights can access the data.