29 September 2020
Helsinki Central Railway Station website and newsletter for contact persons of the Helsinki Central Railway Station’s partners
VR Group (hereafter referred to as ‘VR’)
Business ID: 1003521–5
P.O. Box 488
tel +358 29 43 43
2. Data Protection Officer and contact information
VR Group’s Data Protection Officer: Tanja Kalliojärvi
All our emails are in the form: email@example.com
3. Purposes of processing personal data
The purposes for which we process the personal data of the contact persons of VR’s partners are following:
- Managing the cooperation based on contractual agreement at Helsinki Central Railway Station and communication related to it (e.g. by email newsletters).
The processing of personal data of partners’ contact persons is based on:
To the contract: We process the personal data of our partners in order to implement a contract in which the partner is a party (rental or cooperation agreement)
Legal obligation: We process the customers’ personal data in order to fulfil our legal obligations, such as the requirements related to the storage of data in the Accounting Act, the requirements of the Rescue Act (29 April 2011/379) and other safety-related informing and communication required by law
Legitimate interest: The processing of the personal data of the partner’s contact person may be based on the legitimate interest of the Controller when the data is processed for the purpose of managing and developing the customer relationship, preventing, or investigating abuses.
4. Data sources
The information of the partners’ contact persons is collected from the partners or their contact persons themselves.
5. Data subjects and categories of data subjects
|Data subjects||Contact persons of VR Group Ltd. / customers of property unit at the Helsinki Central Railway Station|
|Basic information||Basic information about the Customer, such as name of the company. Contact information, such as first name, last name, email address, phone number, and postal address|
6. Recipients of personal data
We use external providers to support the processing of personal data, for example, in the maintenance and development tasks of IT systems. These service providers process personal data on our behalf and at our request. The processing of data complies with the legislation in force and is always done in accordance with this privacy notice. This is guaranteed, for example, by agreements done with the service providers.
Without a legal basis, we do not disclose customer data outside of VR Group or parties participating in the production of VR services.
7. Transfer or disclosure of data outside the EU or EEA
Personal data will not be disclosed or transferred outside of countries with an adequate level of data protection as determined by the European Union, the European Economic Area or the European Commission, unless an adequate level of data protection has been ensured by agreement or otherwise, as required by law.
8. Data storage period or criteria for determining storage period
The Controller complies with the legal obligations to store the data. Practises for storing the contact information of the partners’ contact persons depend on the reasons for their processing.
9. Rights of data subjects
As a partner’s contact person, you have the right of access to your personal data, which VR processes. You can exercise your right by contacting the contact person referred to in section 2 above. Your request will be answered within one month. Below we have listed the rights of data subjects in general terms:
1. Right of access
The data subject has the right to know whether his or her personal data has been processed by VR and a copy of the personal data.
2. Right to rectification
The data subject has the right to ask VR to rectify inaccurate or incorrect information concerning him or her. The incorrectness of the data is determined case by case and on the basis of whether the data is incorrect for the purpose of processing (unnecessary, incomplete, outdated).
3. Right to get your data deleted (“Right to be forgotten”)
The data subject has the right to request VR to delete the personal data concerning him or her. Requests are processed case by case, and data for which VR has a legal obligation or right to data retention will not be removed.
4. Right to restrict processing
In certain situations, as defined in GDPR, the data subject has the right to request restrictions on the processing of his or her personal data.
5. Right to object
The data subject has the right to object to the processing of personal data when the processing is based on the legitimate interest of the Controller or if your personal data is processed for direct marketing purposes.
6. Right to data portability
The data subject has the right to request their data in machine-readable form. This right applies to data which are in electronic form and which are processed either based on consent or on the implementation of the contract.
7. Right to withdraw consent
In cases where the processing of the data subject’s personal data is based on consent, the Data Subject has the right to withdraw his or her consent. After withdrawal of consent, such data processing based on consent shall be terminated.
8. Right to lodge a complaint with a supervisory authority
We aim to resolve any disputes primarily directly with the data subjects. If the customer considers that we have not processed their personal data according to the law, the customer may lodge a complaint with the data protection authority.
10. Principles for the protection of data
The security of processing personal data at VR, and personal data confidentiality, integrity, and usability are ensured by appropriate technical and administrative measures in accordance with VR’s data security principles. Personal data is protected against access by unauthorised persons and unlawful or accidental data processing. Personal data is processed only by persons specifically authorised by VR for the processing of personal data. We give our employees who process customer data training and instructions on data protection.