Privacy statement

29.9.2015

Combined register statement and information document Personal Data Act (523/99) Sections 10 and 24

 

1. Registrar

VR-Group Ltd (hereinafter VR)
Business ID: 1003521-5
Vilhonkatu 13
P.O. Box 488
FI-00101 Helsinki
tel. +358 307 10Soita: +358 307 11

 

2. Matters concerning the register are handled by

VR-Group Ltd
VR Customer Care
P.O. Box 54
FI-11101 Riihimäki

 

3. Register name

VR passenger services customer register

 

4. Purpose of collection of personal data

The primary purpose of the collection of personal data is the customership between VR and the customer (factual connection). The collection of personal data may also be based on the customer's consent, be due to a legal obligation or an assignment given by the customer to VR.

Personal data is used for the following purposes:

  • Production, development and monitoring of VR services and customer service.
  • Management of customer relationship and development and customization of services.
  • Customer relations communication and marketing and management of customer contact history.
  • Processing of and replying to customer feedback.
  • Processing of refund requests and compensation claims, replys and payments.
  • Analysis of customer database and travel information and classification which aims to focus communications.
  • Realization of the customer's and VR's rights and obligations and security and responsibility. Taking care of obligations based on the law or orders issued by the authorities.
  • Monitoring and compilation of statistics on electronic service channels (such as online, ticket machine and mobile services) to develop the services, for marketing purposes and to make using VR services easier.
  • Recording of phone calls to authenticate service transactions, to secure due process and security and for customer service staff training.

 

5. Register information content

Customer information:

  • name
  • date of birth
  • user names and customer identifiers
  • gender
  • language
  • address
  • phone number(s)
  • e-mail

Personal data connected to the provision of services and travelling:

  • Service, sales, payment and travel information
  • Service usage information in the service channels such as online, ticket machine and mobile services, including e.g. log data and service usage data and cookies needed to keep track of page downloads.
  • information given by customers used to customize the service and to make use of the services easier, such as favourite routes and favourite seat on train and customership classification data compiled by VR.
  • Based on the Customer’s consent, the personal ID number is handled in services such as ID card identification and school pupil’s tickets, which require the identification or recognition of the Customer. In identification using an official ID card, the personal ID number will not be stored in the system unencrypted, and it will not be possible to retrieve the original information on the basis of the row of characters that emerges.
  • Travel document information when crossing the border such as passport number
  • Information provided by the customer for car transport
  • Customership analysis and classification data
  • Direct marketing permissions and bans (see point 12)
  • Information connected to direct marketing and customer communications
  • Recording of VR Customer Care phone calls
  • Information received from external sources, such as the Population Information System, connected to the customer
  • Information connected to data processing, such as log files
  • Information required to order and execute assistance services, such as name, type of help needed, contact information and journey details.
  • Information connected to refund and compensation application, such as grounds, amount of compensation sought and bank account information
  • Information connected to customer feedback and replying to it


6. Regular sources of information

Information connected to customers are primarily gathered from customers themselves when an order is placed or when signing up, when purchasing or using services, in online services' My account section, in customer service situations and otherwise directly from customers. Information connected to customers are generated in VR information systems also in the context of service use and travelling. The information is also updated from the Population Information System or other similar external sources of information.

 

7. Regular transfers and handing over of information and transfer of information outside the EU and the European Economic Area (EEA)

Customer information is not handed over to parties outside VR or parties not taking part in the production of VR services without a statutory basis. Customer information may be transferred to VR's direct marketing register VR may hand over the customer information necessary to implement mobile payments to Verifone Finland Oy's and Nets Finland Oy's online payment service customer register.

Customer information is transferred outside the EU, EEA or countries with adequate level of data protection verified by the European Commission only to implement an agreement between the customer and VR, for purposes relating to travel based on the law or if an adequate level of data protection has been confirmed by agreements or as otherwise required by law.

 

8. Use of cookies

A cookie is a short text file which the web server sends to the user's browser and is stored on the computer's hard disk. VR uses cookies in its web services to provide services and make it easier to use the service. Cookies are used to safeguard the service's security, efficiency and user friendliness. With the cookies the service provider can find out what information the user is interested in and how and when the online service is used. With this information the service provider tries to develop the online service to even better meet the needs of customers. The information can also be used to make marketing content more relevant for the user.

Online services usets may give their consent or ban the use of cookies in their browser settings. If cookies are disabled it is possible that you cannot use all of the site's services such as VR Online Shop. For additional information on cookies and the technical implementation of VR online services.

 

9. Register data protection principles

The data security of VR personal data processing and confidentiality, integrity and usability is ensured with appropriate technical and administrative measures in accordance with VR's information security principles. Personal data is protected against unauthorized access or accidental data processing. Only VR staff members specifically authorized to handle personal data are authorized to access it.

 

10. Right to inspect and carrying out the inspection right

Customers have in accordance with Sections 26-28 of the Personal Data Act the right to verify what information on them has been recorded into VR customer register. Customers must in the verification request state the necessary information to find the data: Name, address, phone number and username (customer number or email address). The verification request is to be signed and sent in writing to:

VR-Group Ltd
VR Asiakaspalvelukeskus/Tarkastuspyyntö
P.O. Box 54
FI-11130 Riihimäki

The reply to the verification request will be sent by post. A reasonable fee is charged for the verification request if the request is made less than a year after the previous request.

 

11. Correction of information

Customers may in accordance with Section 29 of the Personal Data Act update their basic information in VR's online service. With regard to other information the correction request must be made by calling VR Customer Care or in writing to:

VR-Group Ltd
VR Asiakaspalvelukeskus/Tarkastuspyyntö
P.O. Box 54
FI-11130 Riihimäki

Customers must state the necessary facts to correct the data and information required to identify the customer: name, address, phone number and customer number. VR takes care of customer information correctness and integrity also by updating the customers' official name and contact information regularly from the Population Information System.

 

12. Permissions and bans

Customers may give VR a direct marketing permission conforming to Section 26 of the Data Protection of Electronic Communications Act or forbid VR in accordance with Section 30 of the Personal Data Act from using information concerning them for direct marketing.

Customers may give their consent to direct marketing by channel (SMS, e-mail). Customers have the possibility to forbid direct marketing in more than one channel (phone, post), market surveys and the use of their travel information for marketing purposes.

If the customer does not give any permissions and orders all possible bans the customer will only be sent the necessary customer communications material required to provide the service and manage the customership.

VR-Group Ltd Customership Agreement

6 February 2015

1. Purpose and Objective of the Agreement

This Agreement determines the terms of the customership of registered customers of VR-Group Ltd. The Agreement deals with VR-Group Ltd's own traffic. The objective of the agreement is to enable better customer service by offering customers various services and benefits connected to the customership. The Agreement is concluded between VR-Group Ltd and the customer.

2. Service provider and contact information

VR-Group Ltd
Vilhonkatu 13,
FI-00100 Hki
vr.fi/asiakaspalvelu
Business ID 1003521-5

3. Customership

Establishment of Customership A Customership Agreement between the customer and VR is established when a natural person registers as a VR customer by giving the requested information of him, or herself, and by approving the conditions of customership. The customership is free of charge and valid until further notice. The establishment of customership requires that the information that is given when registering is accurate, and that the customer is at least 16 years old. A customer who is under age is required to have permission from a parent or guardian. The customership is free of charge and valid until further notice. VR reserves the right to refuse customership. The validity of customership requires that the customer must, throughout the duration of the agreement, keep his or her information accurate and up-to-date, and to correct any errors without delay.

End of customership Customers can discontinue their Veturi membership at any time by notifying VR in writing. VR has the right to cancel the agreement on the following grounds:

  • materially erreonous or incomplete information provided by the customer
  • material breach of the agreement by the customer
  • the customer does not use the service during a period of 24 months
  • other reason attributable to the customer due to which there are no justifiable reasons to continue the customership

After the customer has sent the notice of termination or VR has cancelled the agreement the customer can no longer get any benefits connected to the customership. The customership ends when VR has processed all matters concerning the customership pending at the time that the notice of termination is sent.

Processing of personal data In providing personal information to VR customers thereby consents to the processing of the information in accordance with VR Passenger Services' Privacy protection notice and VR direct marketing register statement.

4. Use of online services

The customers' rights and obligations Customers have the right to use their username (e-mail address or customer number) to access VR's online service to manage their customership. Customers agree to use the online service in accordance with VR instructions, law, good practice and in conformity with the agreement only for the agreed purpose. The access right is non-transferable. Customers agree that all actions effected with the customers’ user name bind them and that customers are responsible for them. Customers are released from liability only after they have reported that a third party has gained access to the user name.

VR's rights and obligations VR tries to provide a high-level of service but is not responsible for uninterrupted functioning of the site, Internet connections, technical problems, fault-free online service etc. and is not liable for damage incurred by customers due to deficiencies in the online service. VR is not responsible for links on its websites, sites accessed through the links or any damage caused to customers by accessing the sites.

5. General terms and conditions

The contractual terms are in effect until further notice and VR is entitled to unilaterally change them. Customers cannot transfer the agreement to a third party. Any liability for damages attributable to VR does not cover indirect or consequential damage incurred by customers. VR is not responsible for consequences due to force majeure or unreasonable hardships in VR operations. The Agreement is governed by Finnish law. Disputes concerning or arising from the Agreement which cannot be resolved by the parties are settled by Helsinki District Court.

Direct marketing register

29 September, 2015

Personal Data Act (523/99) Chapter 19

1. Registrar

VR-Group Ltd (hereinafter VR)
Business ID: 1003521-5
Vilhonkatu 13
P.O. Box 488
FI-00101 Helsinki
tel. +358 307 11

2. Register contact

VR-Group Ltd
VR Customer Care
P.O. Box 54
FI-11130 Riihimäki

3. Register name

VR Direct marketing register

4. Purpose of processing of personal data

The processing of personal data in accordance with the Personal Data Act's Section 19, subsection 1, paragraphs 1 and 2 for VR direct marketing, telemarketing, marketing act, campaign or other direct marketing, opinion poll or market survey or other comparable addressed message by e-mail, post and mobile phone.

5. Register information content

The following information is stored in the direct marketing register:

  • registree's name
  • title or occupation
  • age
  • gender
  • mother tongue
  • one registree identity attribute
  • contact information: postal address, phone number and e-mail address.
  • personal data connected to a marketing act or campaign earmarked in advance which has a short duration and due to its information content does not endanger the privacy protection of the registree
  • consents and prohibitions in direct marketing referred to in Section 30 of the Personal Data Act and Section 26 of the Act on the Protection of Privacy in Electronic Communications


6. Regular sources of information

Information concerning VR's customers is obtained from VR Passenger Services' customer register and external information sources such as third party registers used to focus marketing. Information quality can be maintained by comparing the information in the direct marketing register to information in the Population Information System or other reliable source.

7. Regular transfers and handing over of information outside the EU and the European Economic Area (EEA)

The direct marketing register information is processed only by VR or third parties working for VR to maintain or develop the service and partners participating in marketing.

Personal data can be transferred outside the EU, the European Economic Area (EEA) or countries with an adequate level of data protection verified by the European Commission only if an adequate level of data protection has been confirmed with agreements or as otherwise required by law.

8. Register data protection principles

The data security of VR personal data processing and confidentiality, integrity and usability is ensured with appropriate technical and administrative measures in accordance with VR's information security principles. Personal data is protected against unauthorized access or illegal or accidental data processing. Only VR staff members specifically authorized to handle personal data are authorized to access it.

9. Verification right

Customers have in accordance with Sections 26-28 of the Personal Data Act the right to verify what information on them has been recorded into VR customer register. Customers shall in the inspection request state the following information: name, address and e-mail address. The verification request is to be signed and sent in writing to:
VR-Group Ltd
VR Customer Care
P.O. Box 54
FI-11130 Riihimäki
The reply to the verification request will be sent to the person having made the request by post. A reasonable fee is charged for the verification request if the request is made less than a year after the previous request.uin yksi vuosi.

Camera surveillance privacy statement

18.9.2012

Personal Data Act (523/99) Chapters 10 and 24

1. Registrar

VR-Group Ltd (hereinafter VR)
Business ID: 1003521-5
Vilhonkatu 13
P.O. Box 488
FI-00101 Helsinki
tel. +358 307 10Soita: +358 307 10

2. Register contact person

Pekka Ahola
VR-Group Ltd
P.O. Box 488
FI-00101 Helsinki

3. Register name

VR-Group Ltd Passenger Services Camera Surveillance Register for Work and Passenger Areas

4. Purpose of processing of personal data

The personal data is processed to maintain order and general safety and to investigate crimes, losses and accidents at VR premises and areas and on certain trains.

5. Register information content

The time and location specific recordings made by the camera surveillance system at VR premises and areas and Sm4 and Sm5 trains.

6. Regular sources of information

The camera surveillance system operating at VR premises and areas stated in the appendix and in Sm4 and Sm5 trains.

7. Regular handing over of information

Information is not handed over regularly. It is handed over if required to carry out measures stated in point 4.

8. Data transfer to outside the EU or EEA

Data is not transferred to outside the EU or EEA.

9. Register data protection principles

VR premises where personal data is processed are protected by access control under the premises security guideline.

Documents/recordings in paper format are kept in locked spaces to which access by outsiders is completely prohibited. Only specifically designated persons may access them. Documents are destroyed in line with information security guidelines.

VR premises, where personal data is processed, are protected with access control in line with premise security guidelines.

Unnecessary documents are destroyed. Documents and data in electronic format are protected under VR's information security guideline with user names and against outside intrusion with firewalls. Only persons with user rights may access the data.

10. Verification right

Persons have under Sections 26-28 of the Personal Data Act the right to verify what information has been recorded on them in the camera surveillance register. Individuals have the right to know what information has been recorded on them with rights and limitations stated in the Personnel Data Act by submitting a sufficiently accurate and detailed request on the matter. The written request is to be signed and sent to: VR-Yhtymä Oy, PL 488, 00101 Helsinki.

The reply will be sent by post. A reasonable fee is charged for the verification request if the request is made less than a year after the previous request.

VR has recording cctv surveillance at public spaces at the following stations:
Espoo, Helsinki central railway station, Hyvinkää, Hämeenlinna, Iisalmi, Imatra, Joensuu, Järvenpää, Kajaani, Karjaa, Kemi, Kerava, Kirkkonummi, Kokkola, Kouvola, Kupittaa, Lahti, Lappeenranta, Mikkeli, Oulu, Pieksämäki, Pori, Riihimäki, Rovaniemi, Salo, Seinäjoki, Tampere, Tikkurila, Turku, Vaasa, Ylivieska.

The Finnish Transport Agency conducts camera surveillance at some stations.