Data Protection Notice for VR’s Partners and Their Employees
1. Controller
VR-Group Plc (hereinafter referred to as “VR”)
Business ID: 1003521-5
PO Box 488
FI-00096 VR, Finland
Tel. +358 307 10
2. Contact information and Data Protection Officer
VR’s Data Protection Officer
Email: [email protected]
3. Purposes of processing and legal bases
Personal data is processed in connection with the performance of tasks related to cooperation agreements made by VR or its group companies.
The processing of personal data of employees of VR’s partners is based on the following legal grounds:
Performance of contract
The processing of personal data is necessary for the performance of a cooperation agreement and for fulfilling contractual obligations.
This includes, for example:
- Management of contracts and communication
- Coordination of tasks under the contract
- Granting of access rights, entry permits, and ID cards
- Organization of training and monitoring of participation
Legitimate interest
In certain cases, personal data is processed on the basis of VR’s legitimate interest when processing is necessary for ensuring operational safety, quality, or development, and when the rights of the data subject do not override this interest.
Such situations include, for example:
- Ensuring safety and occupational safety (access control, processing of location data in specific tasks)
- Maintaining information security
- Recording calls or customer interactions for quality and safety purposes
- Fulfilling or defending the company’s legal rights and obligations
- CCTV surveillance (covered by a separate data protection notice: “Data protection - VR”)
Compliance with legal obligations
Personal data may also be processed to fulfill legal obligations imposed on VR, for example in relation to accounting requirements.
4. Data subjects and categories of personal data processed
The data subjects referred to in this register are individuals who are not directly employed by VR but may gain access to VR’s premises, networks, or customer or employee data.
The following personal data may be processed about data subjects:
- Basic information, including personal identity code and photograph
- Contact information
- Organizational details
- Information relating to the cooperation agreement
- Access rights to VR’s systems
- Entry rights and access control data, location data (in specific roles)
- Information on work equipment, including ID card details
- Work shift and performance data
- Information on participation in VR’s training sessions
- CCTV or call recordings, where necessary for work performance or safety
Not all of the above categories of data are collected for every individual.
5. Sources of personal data
Personal data is primarily obtained from the data subject themselves or from their employer, which acts as VR’s cooperation partner. Data may also be collected from third parties with the person’s consent, based on the cooperation agreement, or directly under law. Such third parties may include VR’s partners.
6. Processors of personal data
External service providers may be used in the processing of personal data to support the controller’s operations.
These include, for example:
- Maintenance and development of IT systems
- Telephone exchange services
- Organization of training
- Production of ID cards and communication support services
Service providers process personal data on VR’s behalf and under VR’s instructions, in compliance with applicable data protection legislation and contractual and information security obligations equivalent to this notice.
7. Disclosures of personal data
Personal data will not be disclosed outside VR without a statutory basis. Data may be disclosed within the limits permitted by law to, for example:
- Authorities such as the Tax Administration, Traficom, OTKES, Border Guard, Customs, Police, and Finnish Transport Infrastructure Agency
- Insurance companies
- Educational institutions
- Customers and suppliers, where necessary (e.g. for invoicing purposes)
- Russian Railways (RZD), concerning staff who have travelled to or operated in Russia
8. Transfers of data outside the EU/EEA
Personal data is not, as a rule, transferred or disclosed outside the EU, the European Economic Area, or countries that the European Commission has determined to ensure an adequate level of data protection.
If a transfer is necessary, it will only take place when adequate protection has been ensured in accordance with data protection legislation, for example, by using the European Commission’s standard contractual clauses or other appropriate safeguards.
In connection with trips outside the EU or EEA, necessary travel information may be disclosed to competent authorities (e.g. border authorities). For train traffic to Russia, data may be shared with Russian Railways (RZD) where necessary for travel or operations.
Data transfers may also occur in exceptional cases permitted under the GDPR, for example, when necessary for performing a contract between the partner and the controller. Transfers may also occur when applications used are accessed from outside the EU/EEA.
9. Data retention period
VR retains personal data only as long as necessary to fulfill the purposes described in this privacy notice. Retention periods depend on the purpose of collection and the legal basis for processing. Legal obligations, such as accounting requirements, may affect the retention period.
10. Rights of the data subject
Data subjects have the right to obtain information on their personal data processed by VR and to exercise their rights under the GDPR.
Data subjects can exercise their rights by contacting VR via email at [email protected] or by mail at the address listed in section 1.
VR will verify the requester’s identity before processing the request.
- If identification is successful, the request will be handled as described below.
- If identification cannot be verified or the request cannot be fulfilled for another reason, VR will inform the requester and explain the decision.
VR will respond to data protection requests within one month of receipt. If requests are unusually complex or numerous, the deadline may be extended by up to two additional months, with notification and justification provided within one month.
The rights of the data subject and principles for their exercise are described below:
1. Right to access
The data subject has the right to confirm whether VR processes their personal data and to obtain a copy of such data. The copy is primarily delivered electronically via encrypted email, or alternatively as a registered letter by post.
2. Right to rectification
The data subject has the right to request the correction of inaccurate or incomplete data. The accuracy is assessed case by case, depending on the purpose of processing.
3. Right to erasure (“right to be forgotten”)
The controller retains data for the duration of the cooperation agreement and for a period thereafter. The right to erasure does not apply where processing is necessary for VR to comply with a legal obligation.
4. Right to restrict processing
The data subject has the right, in certain cases specified by law, to request restriction of processing.
5. Right to object
The data subject has the right to object to processing based on VR’s legitimate interest.
6. Right to data portability
The data subject has the right to request their data in a machine-readable format for transfer to another service provider. This applies to data in electronic form processed on the basis of consent or contract. Data is provided via encrypted email.
7. Right to withdraw consent
Where processing is based on consent, the data subject may withdraw their consent at any time. Processing based on consent will then cease.
8. Right to lodge a complaint with the supervisory authority
VR aims to resolve any disputes directly with data subjects. However, if a data subject believes that their personal data has been processed unlawfully, they may lodge a complaint with the data protection authority.
11. Principles of data protection
VR ensures the security, confidentiality, integrity, and availability of personal data through appropriate technical and organizational measures, in line with VR’s information security principles. Personal data is protected against unauthorized access and unlawful or accidental processing. Only individuals specifically authorized by VR may process personal data.
Updated 6 November 2025
Created 18 May 2018