Data protection notice
20 March 2019
Data protection notice VR Transpoint Partners’ contact persons
VR-Group Ltd (hereinafter referred to as “VR”)
Business ID 1003521-5
PO Box 488
FI-00101 Helsinki, Finland
tel. +358 307 10
2. Data protection officer and contact information
VR Group's Data Protection Officer: Tanja Kalliojärvi
VR Transpoint data protection responsible: Teemu Heikura
Data and contact requests using VR Transpoint’s contact requests: https://www.vrtranspoint.fi/en/vr-transpoint/contact-information/
3. Purpose of the processing of personal data
Data about the contact persons of VR’s partners is processed for the following purposes:
- Managing collaboration and related contact requests
- Creating statistics on, reporting on and planning VR's own operations
- VR’s sales and marketing
The processing of data about partners’ contact persons´is based on:
A contract: We process the contact persons’ personal data to put into effect a contract to which the partner is a party.
A legal obligation: We process the customer’s personal data in order to fulfil our statutory obligations, such as those stipulated by the provisions for the retention of information in the Accounting Act and the special requirements laid down in the Rail Transport Act.
A legitimate interest: The processing of the personal data of a partner’s contact person may be based on the legitimate interest of the data controller when the data are used to manage and develop the customer relationship or to prevent and investigate irregularities.
4. Sources of data
Data about partners’ contact persons are collected from a company acting as a partner or from the persons themselves.
5. Data subjects and the personal data groups
Contact persons of VR Transpoint’s customers
6. Recipients of personal data
We use external actors to support the processing of personal data, including the maintenance and development of IT systems. These service providers process personal data commissioned by us and on our behalf. The data processing is in compliance with the current legislation and is always carried out in accordance with this data protection notice. This is ensured, for instance, through agreements between the various organisations.
Without statutory grounds, we will not disclose customer data to parties outside VR or parties other than those participating in the production of VR’s services.
7. Transferring or handing over data outside the EU or EEA areas
In transportation outside the EEA area, in connection with handing over waybills, mandatory contact information will be handed over to transport companies from outside the EEA area and to the customs service of the country in question to ensure successful transport. The required contact information includes first name, surname, address, telephone, fax number and e-mail address.
In other cases, personal data will not be disclosed outside the EU or the European Economic Area or outside countries which the European Commission considers to have an adequate level of data protection, unless the adequate level of data protection has been ensured by means of contracts or in another manner required by law.
8. The data retention period or the definition criteria for the retention period
In data retention, the controller follows its statutory obligations. The practices of the retention of the personal data of partners’ contact persons depend on the grounds for the processing of the data.
9. Rights of the data subjects
As a partner’s contact person, you have the right to access your personal data processed by VR. You can exercise your rights by contacting VR using the online form at: https://www.vrtranspoint.fi/en/vr-transpoint/contact-information/.
You will receive a response to your request no later than one month after sending the request. Below, we have listed the general rights of data subjects:
1. Right to access data
A data subject shall have the right to receive confirmation regarding whether their data have been processed by VR and to receive a copy of their personal data.
2. Right to rectification
A data subject shall have the right to request that VR rectify inaccurate or incorrect data regarding the data subject. The incorrect nature of data is to be decided on a case-by-case basis by resolving whether the data are incorrect from the viewpoint of the processing thereof (unnecessary, incomplete, outdated).
3. Right to erasure ('right to be forgotten')
A data subject shall have the right to request that VR erase the data subject’s personal data. The requests will be processed on a case-by-case basis and data that VR has a legal obligation or right to store will not be erased.
4. Right to restriction of processing
Data subjects shall have the right in certain special situations stipulated by a decree to request the restriction of the processing of their personal data.
5. Right to object
A data subject shall have the right to object to the processing of their personal data if the processing is based on the controller’s legitimate interest or if the personal data are processed for direct marketing purposes.
6. Right to data portability
A data subject shall have the right to request their personal data in machine-readable file format. This right concerns data that are in electronic format and the processing of which is based on consent or a contract.
7. Right to withdraw consent
In situations in which the processing of the data subject’s personal data is based on consent, the data subject shall have the right to withdraw their consent. Once the consent has been withdrawn, the consent-based processing in question will be discontinued.
8. Right to lodge a complaint with an authority
We seek to resolve any disputes primarily directly with data subjects. If a customer finds that we have not processed personal data as stipulated by law, the customer may lodge a complaint with a data protection authority.
9. Principles of data protection
The data security of VR’s personal data and its confidentiality, integrity and accessibility is ensured with appropriate technical and organizational measures in accordance with VR’s data security principles. Personal data is protected against unauthorised access and illegal or accidental processing. Personal data is processed only by persons specifically appointed by VR to such tasks. We train and provide guidance to our employees in matters related to data protection.