Data protection

This data protection notice describes the processing of personal data relating to VR’s customer relationships, travel, the use of digital services and customer communications.

3.1 Categories of data subjects

This notice applies to the following groups of data subjects:

Customers who have created a VR account

Individuals who have registered for VR’s services and created a personal VR account. Anyone aged 13 or over can create an account. The VR account contains information relating to the customer relationship, transactions and travel, as well as the consents and choices provided by the customer.

Other customers

Other customers include people who interact with VR without a VR account, for example:

Corporate customer contacts and business travellers

A corporate customer refers to a company that has entered into an agreement with VR. These registered parties include:

Journeys made via the corporate profile and related data can be linked to the client company’s contractual relationship.

Individuals using social media channels

Data subjects also include individuals who interact with VR on social media channels, for example:

In these situations, the processing of personal data may also involve joint controllership with the social media service provider, which is described in more detail later in this notice.

3.2 Sources of personal data

We collect personal data primarily from the data subject themselves. Data is collected, for example:

In addition, we may obtain personal data:

When using digital services, personal data may also be collected through the use of cookies and other similar technologies. Further information on these can be found in our cookie policy.

We process personal data for predefined purposes. The data categories processed for each purpose and the legal basis for processing are described below.

Processing may be based on a contract, consent, legitimate interest or a legal obligation, depending on the purpose of the processing.

Where the processing of your personal data is based on your consent, you may withdraw your consent at any time. You can withdraw your consent by logging into your account either on our website or in the VR Matkalla app.

If the processing is based on a legitimate interest, we have assessed the necessity of the processing and carried out a balancing test, in which we have weighed the controller’s legitimate interest against the data subject’s rights and freedoms. Our legitimate interests may include, for example, providing and improving transport services; ensuring safety and preventing misuse; maintaining and managing customer relationships; and developing services and customer experience. Processing is carried out only when we assess that it does not override the data subject’s fundamental rights or freedoms. In this assessment, we take into account, in particular, the data subject’s reasonable expectations based on their relationship with us, as well as the nature of the data and the impact of the processing.

4.1 Provision of services and fulfilment of the contractual relationship

Purpose

Ticket sales, travel arrangements, establishing and managing customer relationships, fulfilling corporate contracts, payment processing, invoicing and reporting, providing additional and special

services (such as assistance and car transport services), and service-related fault reporting and other service communications.

Categories of data processed

For corporate contracts, we also process:

Legal basis

4.2 Customer service and communications

Purpose

Provision of customer service, responding to enquiries, processing feedback, handling complaints and claims for compensation, paying compensation, informing customers of changes to the service, ensuring and developing the quality of customer service, and consolidating any subsequent enquiries relating to the same matter in order to handle the case. Some stages of customer service processing may be supported by automated methods and artificial intelligence solutions (such as the creation of transcripts of call recordings).

Data categories processed

Legal basis

4.3 Marketing, campaigns and customer communications

Purpose Sending general and targeted marketing messages, communicating about customer-related benefits and services, running campaigns and prize draws, target marketing and monitoring its effectiveness, promoting awareness of services, and communicating about the benefits of being a customer. Marketing and communications may also be planned and targeted using automated methods.

Data categories processed

Legal basis

4.4 Surveys, customer questionnaires and service development

Purpose Assessing customer satisfaction and service experience, conducting surveys and customer questionnaires, developing services, products and operating practices, and communication regarding the testing of new services and products.

Surveys may be sent, for example, after a service event or targeted at different customer groups. In addition, personal data may be used for the design, testing and impact assessment of new services and features. The analysis of surveys and questionnaires, as well as service development, may be supported by automated methods and artificial intelligence.

Data categories processed

Survey results are generally reviewed at group level. Individual responses are not used for automated decision-making that would have legal consequences or similar significant effects on the data subject.

Legal basis

4.5 Analytics, profiling and personalisation

Purpose

Analysis of operations, monitoring of service usage, formation of customer groups and segments, and personalisation of digital services and communications. Data may be statistically combined to form customer profiles and segments, for example, for the purposes of service design, developing the customer experience and targeting communications. Analytics and segmentation may also be carried out using automated methods and artificial intelligence.

Data groups to be processed

Profiling is used to form customer groups and to target services and communications. Profiling and other automated analytics, including the use of artificial intelligence, do not result in automated decision-making that would have legal effects on the data subject or similarly significant effects.

Legal basis

4.6 Compliance with legal obligations and cooperation with authorities

Purpose

Fulfilment of obligations arising from legislation and official regulations, ensuring security, and responding to information requests from authorities. This includes, for example, fulfilling accounting obligations, disclosing information relating to border crossings to the competent authorities, and processing related to inspection fees and other statutory measures.

Data categories processed

Legal basis

4.7 Social media channels and joint data controllership

Purpose

Interaction with customers and other stakeholders, providing customer service, communication, organising campaigns and competitions, analysing and developing social media activities, and using social media management tools for managing posts, customer communication and reporting.

When you interact with social media channels maintained by VR, for example by following pages, commenting on posts or sending messages, we process personal data related to that interaction.

The processing of personal data on social media channels may involve joint controllership with the relevant service provider to the extent that VR and the service provider jointly determine the purposes and means of processing, such as in relation to page visitor statistics or other analytics.

Categories of data processed

Legal basis

VR processes personal data as the data controller. However, in providing our services and supporting our operations, we use external service providers who process personal data on behalf of VR.

Service providers may process personal data for purposes such as:

Service providers process personal data solely in accordance with VR’s instructions and may not use the data for their own purposes. VR ensures, through contracts and other appropriate measures, that the processing of personal data complies with data protection legislation and that personal data is adequately protected.

We may disclose your personal data to our partners in the following situations

Personal data may be transferred outside the EU and EEA in connection with the provision of IT services if the personal data can be accessed from a country outside the EU and EEA. A transfer is possible where 1) an agreement has been made with the service provider in accordance with the standard contractual clauses adopted by the European Commission, or 2) the recipient country has an adequate level of data protection as determined by a decision of the European Commission, or 3) the company processing the data has binding corporate rules (Binding Corporate Rules) or 4) there is another lawful basis for the transfer. Where required, we assess the level of data protection in the recipient country and carry out transfer impact assessments.

We do not disclose customer data to parties outside VR or those involved in the provision of VR’s services without a basis under the General Data Protection Regulation.

We retain personal data only for as long as is necessary to fulfil the purposes described in this notice or to comply with legal obligations. After this, the data is deleted or anonymised.

Retention periods are determined based on the purpose of processing as follows:

As a data subject, you have rights regarding your personal data insofar as VR acts as the data controller. You can exercise your rights by submitting a data protection request via the online form on the vr.fi website or by contacting our customer service. We respond to your request without undue delay and no later than one month after receiving it. We implement these rights in accordance with applicable legislation and take into account any statutory limitations.

Requests are generally processed free of charge. However, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive. We may request additional information to verify your identity before fulfilling your request.

If you purchase tickets or services through another service provider, that service provider acts as an independent data controller. A data protection request made via VR does not apply to or get passed on to another data controller. If you wish to exercise your rights in such a situation, please contact that service provider directly.

The data subject has the following rights:

Right of access to data You have the right to obtain confirmation as to whether we are processing your personal data, as well as the right to receive a copy of the personal data we process. The copy will primarily be provided electronically in a secure format or, if necessary, in writing.

Right to rectification You have the right to request the rectification of inaccurate or incorrect personal data, as well as the completion of incomplete data.

Right to erasure In certain circumstances, you have the right to request the erasure of your personal data. This right does not apply in situations where we have a legal obligation or other lawful grounds to retain the data.

Right to restriction of processing In certain situations, you have the right to request that the processing of your personal data be restricted.

Right to object to processing You have the right to object to the processing of your personal data based on the controller’s legitimate interests. You always have the right to object to the processing of your personal data for direct marketing purposes.

Right to data portability You have the right to receive the personal data you have provided in a structured, commonly used format, and the right to transfer that data to another controller, insofar as the processing is based on consent or a contract and is carried out by automated means.

Right to withdraw consent If the processing of personal data is based on consent, you have the right to withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out prior to withdrawal.

Right to lodge a complaint with a supervisory authority If you consider that your personal data has been processed unlawfully, you have the right to lodge a complaint with the competent data protection authority.

We ensure the security of personal data processing and safeguard the confidentiality, integrity and availability of data through appropriate technical and organisational measures in accordance with VR’s data security principles.

Personal data is protected against unauthorised access, unauthorised or unlawful processing, and accidental loss, alteration or destruction. Personal data may only be processed by those individuals who are authorised to do so by virtue of their job duties. We ensure our staff’s data protection competence through training and guidance.

This applies to VR’s Facebook pages, the tracking pixel, and messaging services. These situations arise when you like a VR Facebook page, join or follow a VR community on Facebook, or chat with VR in the messaging service. 

Controller

Facebook Ireland (“Facebook”) and VR-Group Plc act as joint controllers with regard to the fan and community pages, tracking pixel and messaging services on Facebook, as applicable. Information on the joint controllership and the data required under Articles 13(1) (a) and (b) of the GDPR are available in the Facebook privacy notice:https://www.facebook.com/about/privacy, Opens in a new tab. 

Facebook processes data in accordance with its privacy policy: www.facebook.com/about/privacy, Opens in a new tab, which specifies, among other things, Facebook’s legal basis for the processing of personal data and the rights of data subjects. Facebook has the primary responsibility for compliance with the data protection legislation and the implementation of data security and the rights of data subjects in the service. You can manage your Facebook-related data protection settings on Facebook. VR is responsible for processing the content of the messages.

Data that is processed and the purpose and legal basis of the processing

Regarding individual data subjects, VR receives from Facebook the name given on Facebook, public profile picture and other data that the data subject has specified as public on Facebook. The data subject can also give other personal data in the comments or messaging services of the community pages. VR processes personal data on Facebook based on its legitimate interest.

The customer service on Facebook is part of VR’s multi-channel customer service. The registered data is not used for automatic decision-making or profiling that would affect the legal rights of the customers as data subjects. VR collects anonymised data for its own data and analytics platform in order to gain an overview of the topics discussed on social media, allocate appropriate resources to customer service, and support service development. VR may organise competitions on Facebook, in which case the data is processed in accordance with VR’s data protection notice, as stated in the competition. 

VR uses social media tools to manage activities on Facebook. VR does not transfer personal data outside of the European Union or the European Economic Area without a legal basis. Some of our service providers are located outside the EU/EEA, and we may transfer personal data to these service providers if it is necessary for the purposes specified in this data protection notice. We use the necessary contractual protection measures (e.g. the standard contractual clauses on data protection approved by the European Commission) when we transfer personal data to such service providers. 

VR recommends using VR’s feedback from for personal contacting or for sending messages that contain your personal data (such as name, address, telephone number) in order to ensure the confidentiality and data security of the communication.

You can limit the processing of your personal data by unliking and/or unfollowing the community page. You can also request the removal of your data by using the data protection form. 

Rights of data subjects

You can read about the rights of data subjects against Facebook Ireland in the privacy policy of Facebook Ireland at https://www.facebook.com/about/privacy, Opens in a new tab.

In addition, you have the right to lodge a complaint with the Office of the Data Protection Ombudsman.

Data protection officer:

Personal data is processed to ensure the maintenance of order and safety, to protect property and to prevent and look into criminal offences, incidents or accidents in VR’s premises, properties, outdoor areas and part of its rolling stock.

In VR’s maintenance and rail logistics, camera surveillance is also used to ensure smooth production processes.

The processing of personal data is based on the controller’s legitimate interest.

A camera surveillance system that consists of recording surveillance cameras in VR’s premises, properties, outdoor areas and rolling stock and body-worn cameras. There are surveillance cameras also in some of VR-Group Plc’s road transport vehicles.

VR has recording camera surveillance:

Body-worn cameras are used in VR's commuter traffic on lines D, H, M, R, T, G and Z. The body-worn cameras do not continuously record images and sound. The conductor will activate the recording function when they encounter a situation that threatens occupational or passenger safety. The uniform of the conductor using a body-worn camera includes a notice about the possibility of images and sound being recorded, and, if possible, the conductor will also state that they have activated the recording function. The body-worn camera will show that it is recording with an indicator light and sound.

All persons moving in the camera surveillance area and recorded by the surveillance cameras are data subjects. These may include, for example, train passengers, VR employees and other persons moving in the area.

Time- and location-specific visual recordings from VR’s premises, properties, outdoor areas and rolling stock, recorded by the camera surveillance system.

Time- and location-related visual and voice recordings recorded by body-worn cameras.

Personal data is disclosed, to the extent permitted by law, to the Finnish Transport Agency and, upon request, to other authorities. Data can be disclosed to companies belonging to the same group in order to present legal claims and to insurance companies for processing accident cases.

We use external parties to support the processing of personal data in the maintenance and development of IT systems and safety monitoring room duties, for instance. These service providers process personal data commissioned by us and on our behalf.

The data processing follows current legislation and is always carried out in accordance with this data protection notice. This is ensured, among other things, through contracts between the organizations.

Data will not be disclosed outside the EU or the European Economic Area or outside countries which the European Commission considers to have an adequate level of data protection, unless the adequate level of data protection has been ensured with contracts or in another manner required by law.

Normally, camera recordings are stored for one month at the maximum. However, data may be stored for a longer time, if necessary (upon authorities’ request, for instance).

As our customer, you have a right to access your personal data of which VR is the controller. You can exercise your rights by submitting a data protection request for this register by email tietosuojavastaava@vr.fi. Alternatively, you can submit the request in writing by delivering it to the address VR-Group Plc, Corporate Security Manager, PO Box 488, 00096 VR.

You will receive a response to your request no later than one month after sending the request. We ensure these rights as described here by taking the applicable legislation and restrictions set therein into account. A reasonable fee will be charged for the access request if it is less than a year since the previous access time.

Please note that in the railway network, camera surveillance in platform areas and in some of the stations falls under the responsibility of the Finnish Transport Infrastructure Agency.

Right to access data / right to review data

You have the right to receive a copy of your personal data from VR and a confirmation of whether we have processed your personal data. In order to implement the request, you must provide a sufficiently precise and individualized description of the time and place where the video was recorded.

Right to rectification

You have the right to request us to rectify inaccurate or erroneous data about you.

Right to erasure

You have the right to request us to erase your personal data. Requests are handled on a case-by-case basis. VR has a legislation-based obligation or right to store certain data; such data cannot be erased.

Right to restriction of processing

You have a right in certain special situations stipulated by the regulation to request the restriction of the processing of your personal data.

Right to object

When the processing of personal data is based on a legitimate interest, you can object to the processing of your data on grounds related to your personal situation.

Right to lodge a complaint with an authority

We seek to resolve any disputes primarily directly with data subjects. If a customer finds that we have not processed personal data as stipulated by law, the customer may lodge a complaint with a data protection authority.

VR’s premises where personal data is processed are protected with access control as defined in the facility security guidelines.

We ensure the data security of the processing of our customers’ personal data processing and personal data confidentiality, integrity and accessibility with appropriate technical and organisational measures in accordance with VR’s data security principles.

Personal data is protected against unauthorised access and illegal or accidental processing. Personal data is processed only by persons specifically appointed by VR to such tasks. We provide data protection training and guidance to our employees who process personal data.