Data protection notice
3 March 2025
Data protection notice VR Transpoint Partners’ contact persons
1. Controller
VR-Group Plc (hereinafter referred to as “VR”)
Business ID 1003521-5
Radiokatu 3
P.O. Box 488
FI-00096 VR, Finland
tel. +358 (0)29 4343
2. Contact information and contact
Data Protection Officer's contact information:
VR-Group Plc
Data Protection Officer
P.O. Box 488, FI-00096 Helsinki, Finland
tietosuojavastaava(a)vr.fi
3. Purpose of the processing of personal data
Data about VR’s partners and their service providers is processed for the following purposes:
- Managing cooperation and providing services
- Statistics, reporting, development and planning of VR’s operations and customer cooperation
- VR’s sales and marketing
- Providing digital services
The processing of personal data about partners’ contact persons is based on:
A contract: We process the contact persons’ personal data to put into effect a contract to which the partner is a party.
A legal obligation: We process the customer’s personal data in order to fulfil our statutory obligations, such as those stipulated by the provisions for the retention of information in the Accounting Act and the special requirements laid down in the Rail Transport Act.
A legitimate interest: The processing of the personal data of a partner’s contact person may be based on the legitimate interest of the data controller when the data is used to manage and develop the customer relationship or to prevent and investigate irregularities.
We use cookies on our website to implement and facilitate the use of services.
4. Sources of data
The data of the data subjects is collected from a company acting as a partner or its service provider or from the persons themselves. In addition, data is collected in connection with the use of digital services.
VR has a separate data protection notice concerning video surveillance.
5. Data subjects and the personal data groups
|
Data subjects |
|
|
Categories of personal data |
|
6. Recipients of personal data
We use external actors to support the processing of personal data, including the maintenance and development of IT systems. These service providers process personal data commissioned by us and on our behalf. The data processing is in compliance with the current legislation and is always carried out in accordance with this data protection notice. This is ensured, for instance, through agreements between the various organisations.
Without statutory grounds, we will not disclose customer data to parties outside VR or parties other than those participating in the production of VR’s services.
7. Transferring or handing over data outside the EU or EEA areas
Personal data will not be disclosed outside the EU or the European Economic Area or outside countries which the European Commission considers to have an adequate level of data protection, unless the adequate level of data protection has been ensured by means of contracts or in another manner required by law.
In transportation outside the EEA area, in connection with handing over waybills, mandatory contact information will be handed over to transport companies from outside the EEA area and to the customs service of the country in question to ensure successful transport.
8. The data retention period or the definition criteria for the retention period
We store personal data only for as long as it is necessary for the purposes of use and in accordance with the legislation that is in force at each particular moment. After this, personal data will be either erased or anonymised.
In storing personal data, we comply with legal obligations, taking into consideration the legislation on accounting and the EU regulation on rail passengers’ rights and obligations and the Rail Traffic Liability Act.
9. Rights of the data subjects
You have a right to your personal data processed by VR. You can exercise your rights by contacting VR using the online form at: https://www.vrtranspoint.fi/en/vr-transpoint/contact-information/. You will receive a response to your request no later than one month after sending the request.
Below, we have listed the general rights of data subjects:
1. Right to access data
You have the right to receive confirmation as to whether we have processed your personal data. If your data protection is processed, you have the right to receive a copy of your personal data.
2. Right to rectification
You have the right to request VR to rectify inaccurate or erroneous data about you. The erroneous nature of data is to be decided on a case-by-case basis by resolving whether the data is erroneous from the viewpoint of its processing (unnecessary, incomplete, outdated).
3. Right to erasure (“right to be forgotten”)
You have the right to request us to erase your personal data. Requests are handled on a case-by-case basis. VR has a legislation-based obligation or right to store certain data; such data cannot be erased.
4. Right to restriction of processing
You have a right in certain special situations stipulated by the regulation to request the restriction of the processing of your personal data.
5. Right to object
You have the right to object to the processing of your personal data if the processing is based on the controller’s legitimate interest or if your personal data is processed for direct marketing purposes.
6. Right to data portability
You have the right to request your personal data in machine-readable file format. This right concerns data that is in electronic format and whose processing is based on consent or the performance of a contract.
7. Right to withdraw consent
In situations in which the processing of the data subject’s personal data is based on consent, you have the right to withdraw your consent. After the consent is withdrawn, the consent-based processing in question will be discontinued.
8. Right to lodge a complaint with an authority
We seek to resolve any disputes primarily directly with data subjects. If a customer finds that we have not processed personal data as stipulated by law, they may lodge a complaint with a data protection authority.
10. Principles of data protection
The data security of VR’s personal data processing as well as personal data confidentiality, integrity and accessibility are ensured with appropriate technical and organisational measures in accordance with VR’s data security principles. Personal data is protected against unauthorised access and illegal or accidental processing. Personal data is processed only by persons specifically appointed by VR to such tasks. We provide data protection training and guidance to our employees who process customer data.