Data protection notice

22 May 2018

Data protection notice VR Transpoint Partners’ contact persons

1. Controller

VR-Group Ltd
Business ID 1003521-5
PL 488, FI-00101 Helsinki, Finland
Radiokatu 3, FI-00240 Helsinki, Finland
tel. +358 (0)307 10

2. Data protection officer and their contact information

Data Protection Officer at VR-Group Ltd: Päivi Minkkinen

VR Transpoint data protection responsible: Teemu Heikura

Data and contact requests using VR Transpoint’s contact requests:

3. Purpose of the processing of personal data

Data about the contact persons of VR’s partners is processed for the following purposes:

  • Managing collaboration and related contact requests
  • Creating statistics on VR’s own operations, reporting on and planning them
  • VR’s sales and marketing

The processing of data about partners’ contact persons is based on:

A contract:  We process the contact persons’ personal data for the performance of a contract that the partner is a party at.

A legal obligation: We process the customer’s personal data in order to fulfil our statutory obligations, such as those stipulated by the provision for the retention of information by the Act on Accounting and the special requirements laid down in the Rail Transport Act. 

A legitimate interest: The processing of the personal data of a partner’s contact person may be based on a legitimate interest of the data controller when the data is used to manage and develop the customer relationship or to prevent and clarify irregularities.

4. Sources of data

The personal data of partners’ contact persons is gathered from a company acting as a partner of the persons themselves.

5. Data subjects and the groups of personal data

Regarding this data protection notice, the groups of data subjects and the related groups of personal data are described below:

Data subjects

Contact persons of VR Transpoint’s customers

Basic information

  • Customer basic information, such as name and company
  • Customer contact information such as first name, last name, email address, telephone number, fax number and mailing address

6. Recipients of personal data

We use external parties to support the processing of personal data, including the maintenance and development of IT systems. These service providers process personal data commissioned by us and on our behalf. The data processing follows current legislation and is always carried out in accordance with this data protection notice. This is ensured, among other things, through agreements between the organizations.

Without statutory grounds, we will not hand over customer data to parties outside VR or parties participating in the production of VR’s services.

7. Transferring or handing over data outside the EU or EEA areas

In transportation outside the EEA area, in connection with handing over waybills, mandatory contact information will be handed over to transport companies from outside the EEA area and to the customs service of the country in question to ensure successful transport. The necessary contact information includes first name, last name, address, telephone, fax number and email address.

In other cases, personal data will not be handed over or transferred outside of the European Union, the European Economic Area or outside countries which the European Commission considers having an an adequate level of data protection.

8. The data retention period or the criteria for the retention period

In data retention, the data controller follows its statutory obligations. The practices of the retention of the personal data of partners’ contact persons depend on the ground for the processing of the data.

9. Rights of the data subjects 

As a partner’s contact person, you have a right to your personal data processed by VR. You can exercise your rights by contacting VR using an online form found at:

You will receive a response to your request no later than one month after sending the request. We have listed below the the rights of data subject on a general level:

1. Right to access data

Data subjects have the right to obtain confirmation whether their data has been processed by VR and to receive a copy of their personal data.

2. Right to rectification

A data subject has the right to request VR rectifies unclear and inaccurate information about them. The erroneous nature of information is to be decided on a case-by-case basis by resolving whether the information is erroneous from the viewpoint of its processing (unnecessary, defective, outdated).

3. Right to erasure ('right to be forgotten')

A data subject has the right to request VR to erase personal data about them. Requests will be handled on a case-by-case basis and data that VR has a statutory or other obligation to retain will not be erased.

4. Right to restriction of processing

Data subjects have a right in certain special situations stipulated by a decree to request the restriction of processing of the personal data about them.

5. Right to object

Data subjects have the right to object to the processing of their personal data if the processing is based on the data controller’s legitimate interest or if the data is processed for direct marketing purposes.

6. Right to data portability

A data subject has the right to request VR to provide the data about her/him in a machine-readable file format. This right concerns data that is in electronic format and its processing is based on a consent or a contract.

7. Right to withdraw consent

In situations in which the processing of the data about a data subject is based on consent, the data subject has the right to withdraw their consent. After consent is cancelled, the processing based the consent in question is discontinued.

8. Right to file a complaint with an authority

We seek to resolve any disagreements primarily with data subjects. If a data subject finds that we have not processed personal data as stipulated by law, the customer may file a complaint with a privacy protection authority.

10. Principles of data protection

The data security of VR’s personal data and its confidentiality, integrity and accessibility is ensured with appropriate technical and organizational measures in accordance with VR’s data security principles. Personal data is protected against unauthorised access and illegal or accidental processing. Personal data is processed only by persons specifically appointed by VR to such tasks. We train and provide guidance to our employees in matters related to data protection.


VR Group's Data protection principles