Privacy policy
1. Introduction
VR Snabbtåg Sverige AB (“VR”) safeguards your personal privacy. This privacy policy explains how we collect and use your personal data. It also describes your rights in relation to us, and how you can exercise those rights.
The policy applies to persons who are customers of or who travel with us, are members of My VR, visit our digital channels or who otherwise come into contact with us, e.g. via our customer services.
It is important that you read and understand our privacy policy before using our services. If you have any questions about how your personal data are processed, please contact us via the contact details listed in section 5.
2. How we process your personal data
Personal data are any information which can be directly or indirectly (i.e. together with other data) linked to you, such as name, image, personal ID number, IP address, travel history and information about interests and preferences.
In principle, processing means any operation performed with your personal data, such as collection, registration, organization, structuring, storage, adaptation, transfer and erasure.
In this section, we explain how your personal data are used to provide you with relevant experiences, services and offers.
2.1 What personal data do we collect?
We process personal data from various sources.
DATA YOU GIVE US, E.G.:
- Name and contact details (e-mail and phone number)
- Details on whether you require assistance or space for a wheelchair
- Correspondence when you contact us (recordings of phone calls, e-mails, letters etc.)
- Information from customer surveys
- If you are a My VR member, you also have the opportunity to provide information about commuter cards and/or connection to a company contract.
2.1.2 Data we create or which are generated when you make a reservation or travel with us
- Information about your trip (booking number, departure date, price, destination etc.)
- Data about your geographic location (if you consent)
- Your IP address and information about your visits to our website, collected through so-called cookies. For further information about how we use cookies, please see our cookie policy.
- Data from photographs and moving images in connection with camera surveillance.
If you are a Mitt VR member, we also process data about your membership (membership number, membership benefits, password, bonus balance and transactions) as well as information about your purchase and travel history and how you use our other services (e.g. our website).
2.2 Purposes for which we use your personal data
We always process your personal data in accordance with current data protection legislation. This means that each processing operation has a legal basis. Most processing operations are performed to enable us to deliver the service, i.e. to fufil our contract with you or because we have a legal obligation to do so. In certain cases – when we have a legitimate interest – our processing is based on a balancing of interests. If we process your personal data for any purpose which requires your consent, we will obtain your consent before commencing such processing.
Some examples of the purposes for which we process your personal data, and the legal bases on which this takes place, are presented below.
2.2.1 Delivering trips, goods or services
We process your personal data in order to:
- Identify you as a passenger when we check your ticket
- Manage your trip in accordance with the Terms and Conditions of Purchase and Travel
- Administer any link to company contracts (e.g. invoicing)
- Notify you about changes to your trip, e.g. in the event of delays or changed departure times
- Correct faults and deal with complaints or claims, including claims for compensation
- Maintain safety and prevent criminal behavior on our trains, e.g. through camera surveillance
Legal basis: Fulfillment of contract, legal obligation (when applying for compensation for a delayed train) and balancing of interests (with camera surveillance).
Storage period: Your data are saved for one year after the end of your trip. In the event of a complaint or claim, data are saved for two years after the case has closed.
2.2.2 Communication with you
We process your personal data in connection with other communications with you, such as when you contact us to ask questions and to analyze phone calls, e-mails and chats to improve our communication and for quality assurance purposes.
Legal basis: Balancing of interests
Storage period: Your data are saved for two years after the matter has closed.
2.2.3 Preventing security breaches and misuse of services
We process your personal data to ensure the security of our services (e.g. the website), to detect or prevent different types of unlawful use or use that otherwise violates the Terms and Conditions of Purchase and Travel. We also process the data to prevent abuse, and to detect and prevent fraud, virus attacks etc.
Legal basis: Fulfillment of contract and balancing of interests
Storage period: Your data are saved for two years after the end of your trip
2.2.4 Legal duty
We also process your personal data when we are obliged to do so by law, e.g. as a result of our accounting obligations or obligations arising from traffic law.
Legal basis: Legal obligation
Storage period: Your data are saved for one year after the end of your trip
2.2.5 Other
Improving our services: We process your personal data to develop and improve our services and travel, inter alia, by compiling statistics for analytical purposes.
Marketing: We process your personal data to provide you with offers, news, recommendations and information as well as customer surveys from us or our partners, by social media and other digital channels, post, e-mail, phone and text. If you to opt out from receiving direct marketing, you can notify us via a link in each e-mail or contact our customer services.
We also process data about how you use our services. This concern, inter alia, data about how you use our website (browsing patterns, booking history etc.) and data about your purchasing and travel history. This data forms the basis for analyzing and categorizing you in order to improve our services, as well as to provide you with relevant and customized offers.
Legal basis: Balancing of interests or consent
Storage period: Your data are saved for two year after the end of your trip. If you are a My VR member your data are erased when your membership expires.
2.3 Who do we share you personal data with?
We may share your personal data with:
- Any of the companies within the VR Group group, e.g. for marketing purposes or for the development of new services
- External partners, both within and outside the EU/EEA, e.g. to provide marketing and IT services as well as for analyses or statistics
- Other travel operators for the purpose of ongoing travel in event of service disruption
- Other parties when required by law or public authority decision
Companies that manage personal data on our behalf must always enter into a so-called data processor agreement with us so that we are able to ensure a high level of protection for your personal data with our partners and suppliers. We only share personal data for purposes that are consistent with the purposes for which the data were collected (e.g. to fulfill our obligations under the Terms and Conditions of Purchase or the Terms and Conditions of My VR membership).
Special safeguards are taken when using partners and suppliers outside the EU/EEA, such as signing agreements that include the standardized model clauses for data transfer adopted by the EU Commission and which are available on the EU Commission’s website.
2.4 How do we protect you personal data?
We protect your personal data through technical and organizational security measures. We use IT systems to protect confidentiality, privacy, and access to personal data. We have implemented specific security measures to protect your personal data against unauthorized or unlawful processing (such as unlawful access, loss, destruction or damage). Only those persons who actually need to process your personal data in order for us to fulfill our stated purposes have access to them.
3. Cookies
When you visit our website, we may also collect information and data about you by using so-called cookies. For more information on how we use cookies, please see our cookie policy.
4. Your rights
You have certain rights in relation to us. If you wish to exercise any of your rights, please contact us via the contact details in the next section.
- Right of access (register transcript) – a right to obtain confirmation of and information about the processing of your personal data
- Right to rectification – a right to have erroneous data rectified
- Right to erasure – a right to have data removed
- Right to restriction – a right to request that the personal data processing is restricted,for example, if you oppose the accuracy of the data
- Right to object – a right to object to processing if it is based on a balancing of interests, e.g. for direct marketing
- Right to data portability – a right to request that personal data are transferred from us to another party. This right is restricted to data that you have supplied to us yourself
If you feel that our processing of your personal data does not comply with the data protection legislation, you are also entitled to lodge a complaint with the competent supervisory authority.
5. Contact details
VR Snabbtåg Sverige AB is the data controller for the data processing performed in accordance with this privacy policy. If you would like more information on how your personal data are processed, or if you wish to exercise any of the rights listed above, please contact us:
VR Data Protection Officer
Address: Klarabergsviadukten 90
SE-111 64 Stockholm, Sweden
E-mail: kundservice@vrresa.se
6. Privacy policy updates
This privacy policy was last updated in March 2024 and may change. If we make significant changes to the policy, we will notify you at least 30 days before the changes come into effect by e-mail, text message, through the service or by publishing a new version on our website.