Data protection

VR’s data protection

In the data protection notice, we explain how we process our customers’ personal data and protect their privacy.

VR’s data protection notice

19 December 2023

How we process your personal data

As we want to protect your privacy as comprehensively as possible, we take data protection seriously. We use your personal data only for the purposes we have indicated in advance and only to the extent necessary for the purpose of the processing in question. Your data will only be processed by individuals authorised to process personal data due to their work tasks. The data protection notice covers the protection of your privacy and, for example, the following information:

  • what types of personal data we collect and for which purposes
  • when and how we can share your personal data with partners
  • what rights you have and how you can access your personal data.

1 Controller

  • VR-Group Plc (hereinafter referred to as “VR”)
  • Business ID: 1003521-5
  • PO Box 488
  • FI-00096 VR, Finland
  • Tel. +358 307 10

2 Data Protection Officer and contact information

VR Group’s data protection officer: tietosuojavastaava(a)vr.fi

In any questions related to the register, please contact us through the data request form.

3 Customers who have created a VR account

Anyone over the age of 13 can create an account in VR’s services. Once you have created an account, you are responsible for your account’s login information as well as its accuracy, timeliness and appropriate use. If you suspect that someone has gained unauthorised access to your login information, please change your password immediately. You can delete your account by requesting its deletion via the feedback form.

3.1 What customer information do we collect and process?

Basic information about you and your customer account, such as

  • Name
  • Address details
  • Phone number
  • Email address
  • Date of birth
  • Language
  • Start of customer relationship and registration channel

Any consent and prohibitions related to direct marketing you have given

  • Marketing
  • Surveys and questionnaires
  • Travel-related notifications
  • Use of location data

Information relating to travel and services

  • Purchase-related service, sales, payment and travel transaction data, including the journey details, payment method and other payment information, email address and/or telephone number needed for train ticket delivery or other service.
  • When you purchase a personal ticket, we also ask you to provide your name and date of birth.
  • Travel document information required for border crossings, such as passport number.
  • Vehicle information provided by you for car transport and any photographs taken by VR of your car for processing damage cases.
  • Data required for ordering and carrying out assistance service, such as name and contact information and a description of the need of assistance.

Information relating to the use of electronic services and background processes, such as

  • Service usage data in different transaction channels, such as the Internet, vending machine and mobile services, including log and service transaction data and cookies required for combining the page view count.
  • You can read about the collection of cookies in our cookie policy.

Information relating to communications and studies

  • Information that you have submitted on feedback and claim application forms and payments and messages relating to their processing. We will only process your health data in conjunction with customer contacts requiring it.
  • Information provided in surveys related to service events, such as purchases or feedback processing.
  • In customer surveys, we request demographic information, such as gender, to assess how representative the respondents are of the Finnish population.
  • Information provided in connection with games and draws.
  • Data related to marketing and customer communications, such as what kind of messages you have been sent and which messages you have opened.
  • Information collected in surveys and questionnaires aimed at registered customers.

3.2 How do we use your information and for what purposes will your information be processed

The processing of your personal data can be based on the performance of a contract that you have entered into with VR or your consent. In addition, the basis for processing can be a legitimate interest or legal obligation.

Based on a contract made with you

We use your information to provide you with the best possible service throughout your customer relationship, both in face-to-face customer service and through our digital channels. By identifying you and your travel history and purchase behaviour, we can better address your needs and experience.

We use your information for performing the services of your choice when you contact our customer service. In customer service, we use your information to find your previous purchase and message history and be able to assist you in questions and problems relating to your bookings. We process your ticket delivery details (telephone and/or email) in order to inform you of major changes and disruptions concerning the services you have purchased. If you submit feedback to us or claim for compensation, we will store your information to process your contact. We may also compile any of your future contacts. When you take part in games and draws, we create a contact person with your details to perform any drawing.

The purpose of our surveys and questionnaires is to develop the quality and content of services. We send questionnaires targeting different customer groups, and after you have used our services, we may ask you about your experience of them. In addition, we may contact you to test new products and services. You can refuse to be sent surveys by contacting our customer service though the feedback form. We process customer information to create diverse customer profiles and segments for marketing and targeting of benefits or for the development and statistical aggregation of our services, for instance. Such profiling does not have material impacts on the subject of the profiling.

Based on your consent

When you consent to marketing, we may send you general and targeted marketing messages. In these messages, we provide information about our topical campaigns, new products and services. In the VR Matkalla app, you can enable travel-related communications to get real-time information about the progress of your journey. By enabling location in the app, we can enrich your user experience of the app. When the processing of your personal data is based on your consent, you can change your consent whenever you like. To change your consent, log in to your personal details on our website or using the VR Matkalla app. Your health data may be occasionally required for processing your claims. In this case, we will separately request your consent. In order to improve your customer experience, we may offer customised content or other individual services in our digital channels. For additional information about the customisation of services, see our cookie practices.

Based on legitimate interest VR uses a social media management tool that collects and aggregates data from social media services. VR’s service agents and marketing communications specialists use the tool for creating and reporting responses and social media posts. We may transfer your information within VR Group on the basis of a legitimate interest, if there is a particular reason to do so. Based on our legal obligations With regard to trips to Russia, we collect your information and transfer it to border and other authorities. In addition, we may process your personal data to fulfil our obligations as laid down by law and regulations given by authorities, not forgetting security and responsibility. We may also transfer your data based on the authorities’ right to obtain information.

4 Contact persons of corporate customers, administrators and business travellers

Corporate customers refer to companies that have a contract with us.

Each company has a contact person whose information is stored in our customer register.

Business travellers are employees of a customer company with a business profile linked to their VR account (see section 3 for more information) and who can travel on business trips.

The company's administrator is a business traveller who has been granted the admin rights to VR’s services in the customer company. The company’s administrator can invite the company's business travellers and administrators to the service. The user accepts the creation or linking of the VR account to their own profile. The administrator can remove a business traveller of his own company from the user.

The VR account can be connected to several different companies. The user chooses under which company they use VR's services.

4.1 What customer information do we collect and process?

We combine trips taken on a business profile with the customer company information. From the business traveller and the company administrator, we collect and process information about the company to which their account was linked as well as information about the VR account (more information in section 3). From the company's contact person, we collect the person’s name, email address, phone number and title.

Information relating to questionnaires and surveys

  • Information collected in other surveys and questionnaires
  • In customer surveys, we request demographic information, such as gender, to assess how representative the respondents are of the Finnish population.
  • In some questionnaires/surveys, the survey results can be linked to an individual. However, the information is not reviewed at the individual level, but as groups, assessing satisfaction with on-board services among passengers on a specific route, for example.

4.2 How do we use your information and for what purposes will your information be processed?

The grounds for processing your personal data can be to perform a contract you have entered into with VR, legitimate interest or legal obligation.

On the basis of a contract

Information related to the VR account can be found in section 3.

On the basis of legitimate interest

Processing the company contact person’s data is required for the controller’s legitimate interest and to perform the cooperation contract. We process the personal data of contact persons of VR’s external stakeholders for contacts necessary for the cooperation, such as communications, invoicing and to invite the contact person to different events. The data subject has been designated as the company’s contact person by the person who entered into the contract or by the data subject.

5 Other VR customers

You can use our services anonymously when you purchase a ticket from a ticket vending machine, station ticket offices and R-Kioskis. On the other hand, you can use our services without logging in. In this case, your information will be collected in our customer register when purchasing and using our services.

5.1 What customer information do we collect and process?

We collect and process the customer information listed below: Information relating to travel and services

  • Purchase-related service, sales, payment and travel transaction data, including the journey details, payment method and other payment information, email address and/or telephone number needed for train ticket delivery or other service.
  • When you purchase a personal ticket, we also ask you to provide your name and date of birth.
  • Travel document information required for border crossings, such as passport number.
  • Vehicle information provided by you for car transport and any photographs taken by VR of your car for processing damage cases.
  • Data required for ordering and carrying out assistance service, such as name and contact information and a description of the need of assistance.

Information relating to the use of electronic services and background processes, such as

  • Service usage data in different transaction channels, such as the Internet, vending machine and mobile services, including log and service transaction data and cookies required for combining the page view count.
  • You can read about the collection of cookies in our cookie policy.

Information relating to communications and studies

  • Customer service call recordings.
  • Messages that you have sent to us, such as chat, email and social media messages.
  • Information that you have submitted on feedback and claim application forms and payments and messages relating to their processing. We will only process your health data in conjunction with customer contacts requiring it.
  • Information provided in surveys related to service events, such as purchases or feedback processing.
  • In customer surveys, we request demographic information, such as gender, to assess how representative the respondents are of the Finnish population.
  • Information provided in connection with games and draws.

5.2 How do we use your information?

The processing of your personal data can be based on the performance of a contract that you have entered into with VR or your consent. In addition, the basis for processing can be a legitimate interest or legal obligation. Based on a contract made with you We use your information for performing the services of your choice when you contact our customer service. In customer service, we use your information to find your previous purchase and message history and be able to assist you in questions and problems relating to your bookings. We process your ticket delivery details (telephone and/or email) in order to inform you of major changes and disruptions concerning the services you have purchased. If you submit feedback to us or claim for compensation, we will store your information to process your contact. We may also compile any of your future contacts. When you take part in games and draws, we create a contact person with your details to perform any drawing. The purpose of our surveys and questionnaires is to develop the quality and content of services. After processing your contact, we may send you a customer survey concerning the service you received. On our site, we offer questionnaires targeting different customer groups, and after you have used our services, we may ask you about your experience of them. On our site, we may also offer you surveys with which we test new services and products. Participating in surveys is completely optional. We process customer information to create diverse customer profiles and segments for the development and statistical aggregation of our services, for instance. Such profiling does not have material impacts on the subject of the profiling. Based on your consent Your health data may be occasionally required for processing your claims. In this case, we will separately request your consent. In order to improve your customer experience, we may offer customised content or other individual services in our digital channels. For additional information about the customisation of services, see our cookie practices. When you consent to marketing in conjunction with games and draws, we can send you general and targeted marketing messages. In these messages, we provide information about our topical campaigns, new products and services and benefits of creating a VR username, for instance. Based on legitimate interest VR uses a social media management tool that collects and aggregates data from social media services. VR’s service agents and marketing communications specialists use the tool for creating and reporting responses and social media posts. We may transfer your information within VR Group on the basis of a legitimate interest, if there is a particular reason to do so. Based on our legal obligations With regard to trips to Russia, we collect your information and transfer it to border and other authorities. In addition, we may process your personal data to fulfil our obligations as laid down by law and regulations given by authorities, not forgetting security and responsibility. We may also transfer your data based on the authorities’ right to obtain information.

6 Sources of data

Customer-related data is collected primarily from the customer directly and when using our services and travelling. Customer-related data is accumulated in VR’s information systems, for instance,

  • at station ticket sales, trains, ticket vending machines, telephone service and electronic service channels and our partners’ sales channels in conjunction with orders, service purchases and use and other customer service events
  • when travelling, such as when the ticket is scanned and when using the restaurant car services
  • in conjunction with customer questionnaires and surveys
  • in conjunction with games and draws
  • at customer events, such as fairs
  • in conjunction with marketing
  • in our digital services, i.e. the website and when using the VR Matkalla app, for instance; read about cookies
  • in our social media channels.

7 Processors of personal data

As the controller, we process the personal data ourselves, but we also use reliable service providers. The service providers can vary, but their duties include the maintenance and development of IT systems, service production and various research and development tasks. The service providers of our choice process personal data commissioned by us. The data processing follows the current legislation, and it has been agreed upon in contracts between the organisations.

8 Transfer or disclosure of data

We may disclose your personal data to our partners in the following situations:

  • When you purchase our partner’s services from us, we may disclose your personal data necessary for the implementation of the service to our partner.
  • We may disclose your feedback and contact information to our partner if your feedback concerns services provided by said partner. However, we ask you to primarily contact our partner directly. If we decide to transfer feedback containing your personal data, we will inform you of the disclosure of the data.
  • When we resell HSL tickets, we provide HSL with personal data relating to your purchase, such as phone number and your device identifier.
  • When you submit feedback about HSL’s services, HSL is the controller. In this case, we will forward your feedback to HSL and inform you of the disclosure of your personal data.
  • When we impose a penalty fare, we transfer your personal data to a service provider for sending the payment.
  • If you start using a service and allow the disclosure of your data when taking it into use, data can be disclosed to the service provider in question (such as Mobile Pay).
  • In cases referred to in section 156 of the Act on Transport Services, we can disclose data/access a partner’s data for performing the partner’s services.
  • We may disclose your feedback and contact information within the VR Group, if your feedback concerns other Group companies.
  • With regard to journeys to Russia, necessary information relating to travelling is handed over to the border guard and other authorities and the Russian Railways (RZD). Personal data can be transferred outside the EU and EEA in conjunction with the provision of IT services if the personal data can be accessed from a country outside the EU and EEA. Transfer is possible when 1) a contract has been entered into with the service provider following the standard contractual clauses of the European Commission or 2) the receiving country has an adequate level of data protection as decided on by the European Commission or 3) the company that processes the data has Binding Corporate Rules or 4) there are other legal grounds for the transfer. You can see Commission decisions on standard contractual clauses here. , Opens in a new tab We will not disclose customer information to parties outside VR or parties other than those participating in the production of VR’s services without grounds based on the General Data Protection Regulation.

9 Data retention period

We store personal data only for as long as it is necessary for the purposes of use and in accordance with the legislation that is in force at each particular moment. After this, personal data will be either erased or anonymised. In storing personal data, we comply with legal obligations, taking into consideration the legislation on accounting and the EU regulation on rail passengers’ rights and obligations and the Rail Traffic Liability Act. We will store your personal data in our services as follows:

  • We will store your basic information and general customer relationship-related information, information relating to the management of the customer relationship, your consent and refusals and customer classification data throughout your customer relationship.
  • The end of your customer relationship will have an impact on the retention period. We will terminate your customer relationship without any separate measures if no journeys or contacts have been associated with your customer account for seven years. In this case, your data will be erased from the system within six months.
  • As a customer, you also always have the right to request your customer relationship to be terminated without delay. In this case, your data will be erased from the system within three months.
  • We will store our accounting-related data (such as purchases and claims) for the current year and the next six years in line with the Accounting Act.
  • We will store your feedback and other similar contacts for five years.
  • Campaign and marketing data will be stored for two years.
  • Survey and questionnaire data will be stored for five years.
  • Customer service call recordings will be stored for seven months and call history (numbers) for 12 months.
  • Information collected through competitions and games will be stored for five months.
  • We will store your passport information relating to cross-border travel for one month after your journey.
  • Ticket delivery data (email and/or phone number) will be kept for seven years.
  • Our social media tool stores data for three years.

When the contractual relation ends, the data retention period is determined according to the purpose of use and existing legislation.

10 Our customers’ rights

As our customer, you have a right to access your personal data of which VR is the controller. You can exercise your rights by submitting a data protection request with the online form on the vr.fi website. Alternatively, you can submit the request by calling VR’s customer service. You will receive a response to your request no later than one month after sending the request. We ensure these rights as described here by taking the applicable legislation and restrictions set therein into account. If you buy tickets through another service provider, the provider in question will act as an independent controller. When exercising the rights of a data subject through VR’s services, the request will not be directed or transferred to the other controller. Please contact the service provider in question directly when wishing to exercise your rights under the General Data Protection Regulation. As our customer, you have the following rights related to data protection:

  1. Right to access data: You have the right to receive a copy of your personal data from VR and a confirmation of whether we have processed your personal data. The primary method for delivering the copy is encrypted email or alternatively mailing the document. Some data, such as call recordings, can only be accessed by visiting a VR office.
  2. Right to rectification: You have the right to request us to rectify inaccurate or erroneous data about you. When you register in our digital services, you can edit your personal data directly through our website or application. Such data includes, for instance, your name, address and contact details.
  3. Right to erasure: You have the right to request us to erase your personal data. Requests are handled on a case-by-case basis. VR has a legislation-based obligation or right to store certain data; such data cannot be erased.
  4. Right to restriction of processing: You have a right in certain special situations stipulated by the regulation to request the restriction of the processing of your personal data.
  5. Right to object: You also have a right to object to the use of your data in direct marketing, for instance. On grounds relating to your particular situation, you can object to processing that is based on VR’s legitimate interest.
  6. Right to data portability: You have the right to receive your data from us in a structured and commonly used format, which will enable you to transfer your data to another controller. This right concerns data that is in electronic format and whose processing is based on consent or the performance of a contract. We will provide the data to you via encrypted email.
  7. Right to withdraw consent: You have the right to withdraw the consent you have given when it is the grounds for processing personal data. When the consent is withdrawn, the consent-based processing of personal data will be discontinued. Private customers who have registered in the service may withdraw their consent to electronic direct marketing by logging in to our website and editing their data.
  8. Right to lodge a complaint with an authority: We seek to resolve any disputes primarily with our customers. If you find that we have not processed your personal data as stipulated by law, you may lodge a complaint with a supervisory authority.

11 Principles of data protection

We ensure the data security of the processing of our customers’ personal data processing and personal data confidentiality, integrity and accessibility with appropriate technical and organisational measures in accordance with VR’s data security principles. Personal data is protected against unauthorised access and illegal or accidental processing. Personal data is processed only by persons specifically appointed by VR to such tasks. We provide data protection training and guidance to our employees who process customer data.

Joint register with Facebook

26 April 2021

This applies to VR’s Facebook pages, the tracking pixel, and messaging services. These situations arise when you like a VR Facebook page, join or follow a VR community on Facebook, or chat with VR in the messaging service. 

Controller

Facebook Ireland (“Facebook”) and VR-Group Plc act as joint controllers with regard to the fan and community pages, tracking pixel and messaging services on Facebook, as applicable. Information on the joint controllership and the data required under Articles 13(1) (a) and (b) of the GDPR are available in the Facebook privacy notice:https://www.facebook.com/about/privacy, Opens in a new tab

Facebook processes data in accordance with its privacy policy: www.facebook.com/about/privacy, Opens in a new tab, which specifies, among other things, Facebook’s legal basis for the processing of personal data and the rights of data subjects. Facebook has the primary responsibility for compliance with the data protection legislation and the implementation of data security and the rights of data subjects in the service. You can manage your Facebook-related data protection settings on Facebook. VR is responsible for processing the content of the messages.

Data that is processed and the purpose and legal basis of the processing

Regarding individual data subjects, VR receives from Facebook the name given on Facebook, public profile picture and other data that the data subject has specified as public on Facebook. The data subject can also give other personal data in the comments or messaging services of the community pages. VR processes personal data on Facebook based on its legitimate interest.

The customer service on Facebook is part of VR’s multi-channel customer service. The registered data is not used for automatic decision-making or profiling that would affect the legal rights of the customers as data subjects. VR collects anonymised data for its own data and analytics platform in order to gain an overview of the topics discussed on social media, allocate appropriate resources to customer service, and support service development. VR may organise competitions on Facebook, in which case the data is processed in accordance with VR’s data protection notice, as stated in the competition. 

VR uses social media tools to manage activities on Facebook. VR does not transfer personal data outside of the European Union or the European Economic Area without a legal basis. Some of our service providers are located outside the EU/EEA, and we may transfer personal data to these service providers if it is necessary for the purposes specified in this data protection notice. We use the necessary contractual protection measures (e.g. the standard contractual clauses on data protection approved by the European Commission) when we transfer personal data to such service providers. 

VR recommends using VR’s feedback from for personal contacting or for sending messages that contain your personal data (such as name, address, telephone number) in order to ensure the confidentiality and data security of the communication.

You can limit the processing of your personal data by unliking and/or unfollowing the community page. You can also request the removal of your data by using the data protection form. 

Rights of data subjects

You can read about the rights of data subjects against Facebook Ireland in the privacy policy of Facebook Ireland at https://www.facebook.com/about/privacy, Opens in a new tab.

In addition, you have the right to lodge a complaint with the Office of the Data Protection Ombudsman.

  • VR Group’s data protection officer: tietosuojavastaava(a)vr.fi
  • Questions concerning the register should be sent by e-mail to: palaute(a)vr.fi

Data Protection Notice for VR-Group Plc’s camera surveillance (CCTV)

25 May 2018

1 Controller

  • VR-Group Plc (hereinafter referred to as “VR”)
  • Business ID: 1003521-5
  • PO Box 488
  • FI-00101 Helsinki, Finland
  • tel. +358 307 10

2 Contact person in matters related to the data file

  • Tero Pyörökivi
  • VR-Group Plc
  • PO Box 488, 00096 VR
  • 00101 Helsinki, Finland
  • Data protection officer: tietosuojavastaava(a)vr.fi

3 Purposes of the processing of personal data

Personal data is processed to ensure the maintenance of order and safety and to look into criminal offences, incidents or accidents in VR’s premises, properties, outdoor areas and part of its rolling stock.

The processing of personal data is based on the controller’s legitimate interest.

4 Sources of data

A camera surveillance system that consists of recording surveillance cameras in VR’s premises, properties, outdoor areas and rolling stock.

There are surveillance cameras also in some of VR-Group Plc’s road transport vehicles.

VR has recording camera surveillance in the public spaces of the following stations:

Helsinki Central Railway Station, Hyvinkää, Hämeenlinna, Iisalmi, Imatra, Joensuu, Järvenpää, Kajaani, Karjaa, Kemi, Kerava, Kirkkonummi, Kokkola, Kouvola, Kupittaa, Lahti, Lappeenranta, Mikkeli, Oulu, Pieksämäki, Pori, Riihimäki, Rovaniemi, Salo, Seinäjoki, Tampere, Turku, Vaasa, Ylivieska.

5 Data content of the data file

Time- and location-specific visual recordings from VR’s premises, properties, outdoor areas and rolling stock, recorded by the camera surveillance system.

6 Recipients of personal data

Personal data is disclosed, to the extent permitted by law, to the Finnish Transport Agency and, upon request, to other authorities. Data can be disclosed to companies belonging to the same group in order to present legal claims and to insurance companies for processing accident cases.

We use external parties to support the processing of personal data in the maintenance and development of IT systems and safety monitoring room duties, for instance. These service providers process personal data commissioned by us and on our behalf. The data processing follows current legislation and is always carried out in accordance with this data protection notice. This is ensured, among other things, through contracts between the organizations.

7 Transfer or disclosure of data outside the EU or the EEA

Data will not be disclosed outside the EU or the European Economic Area or outside countries which the European Commission considers to have an adequate level of data protection, unless the adequate level of data protection has been ensured with contracts or in another manner required by law.

8 Data retention period

Normally, camera recordings are stored for one month at the maximum. However, data may be stored for a longer time, if necessary (upon authorities’ request, for instance).

9 Our customers’ rights

Right to access data / right to review data

A person has the right to access the data that has been stored about them in VR’s camera surveillance data file. After submitting a sufficiently detailed and specific access request, the person has the right to access data about them included in the recordings, subject to the rights and restrictions that are defined in more detail in the General Data Protection Regulation. The access request must be made in writing, signed and sent to: VR-Group Plc, PO Box 488, FI-00101 Helsinki, Finland.

The response to the request will be mailed to the person who submitted the request. A reasonable fee will be charged for the access request if it is less than a year since the previous access time.

Please note that in the railway network, camera surveillance in platform areas and in some of the stations falls under the responsibility of the Finnish Transport Agency.

Right to lodge a complaint with an authority

We seek to resolve any disputes primarily directly with data subjects. If a customer finds that we have not processed personal data as stipulated by law, the customer may lodge a complaint with a data protection authority.

10 Principles of data file protection

VR’s premises where personal data is processed are protected with access control as defined in the facility security guidelines.

Paper documents/records are stored in locked premises where outsider access is completely prohibited. Only separately appointed persons can access these documents/records. Documents are disposed of according to data security guidelines.

As defined in VR’s data security policy, electronic documents and data are protected with usernames and passwords as well as with firewalls against external intrusion. Only persons who have been given access rights can access the data.