1. Data controller
Punainen Risti Ensiapu, Training Programmes
Business ID: 2843118-7
2. Data Protection Officer’s contact details
tietosuoja.ensiapu@punainenristiensiapu.fi
3. Name of the register
Punainen Risti Ensiapu, Training Programmes: Competence register – Competence Admin
4. Purpose and basis for processing personal data
This privacy statement describes how the Punainen Risti Ensiapu Training Programmes unit, as the controller, processes the personal data of first aid training participants in the Competence Admin system and associated services intended for the management of courses organised in accordance with the Red Cross training programmes and First Aid Instructor training.
The system provider of Competence Admin is Kiwa Inspecta, which acts as a processor of personal data on behalf of Punainen Risti Ensiapu. Kiwa Inspecta’s customer service responds to and instructs in questions related to the validity of qualifications or the use of the system.
The processing of personal data is based on the completion of certified first aid training in accordance with the Punainen Risti Ensiapu training programmes and the qualifications granted to participants on the basis of such training. The person will be asked for consent to the processing of their data in connection with the first aid training or when registering for the training.
Personal data are used for:
- providing a certified first aid training service
- maintaining the qualifications of persons
- providing MyCertificate mobile certificates
- official notifications, such as professional qualification training
- informing the data subject about qualifications and completed training performances
- customer service
The data can also be used for:
- collecting statistical and reporting data required by the authorities, such as the number of First Aid Instructors, the number of trained persons and the number of courses
- other statistical and reporting purposes. Statistical and reporting data are numerical data from which an individual person cannot be identified
5. Data content of the register
- Name and contact information of the data subject (such as e-mail address, telephone number, street address, postal code and city, country)
- Date of birth or personal identity code (used only to identify the person and will not be stored in the register in plain text)
- Information on training and qualifications
System-generated data
- Unique identifiers generated by the system, such as customer number
- Change history of personal data
- Information concerning the customer relationship, such as customer feedback and contacts
- Employer information
- Permissions granted by the user to the company or employer to view the user’s qualification information
User log data concerning the use of the system may be collected for all user groups. In addition, the system includes Google Analytics tools for analysing user traffic in order to improve the site’s user experience. Such cookies remain on the user’s terminal for two years or until the user deletes their browser’s cache memory.
6. Retention period of personal data
The data subject’s data is stored in electronic form for two years after the last qualification has expired. At the end of this retention period, personal data will be anonymised.
7. Data sources
The information is obtained from the person themselves or from the partner organisation that arranged the first aid training or from the First Aid Instructor. The partner organisation or instructor records the information of the course participants. In connection with collecting participant data, the partner organisation or instructor has collected consent from the participants for the purposes mentioned in section 4 of this privacy statement.
8. Recipients and processors of personal data
The processors of personal data in the competence register are representatives of the partner organisations of the Punainen Risti Ensiapu, Training Programmes unit in accordance with the terms of use of the Competence Admin system and the documents guiding the partnership.
The administrators of the partner organisations are responsible for the up-to-date user management in their own organisation. Users in a partner organisation can only store and process training and qualification data of their own partner organisation.
Kiwa Inspecta’s customer service responds to and instructs in questions related to the validity of qualifications or the use of the system.
9. Transfer of data outside the EU or EEA
Data may be transferred outside the area of the Member States of the European Union or the European Economic Area to the extent necessary for the technical implementation of data processing, in which case the transfer of data shall comply with the requirements of the European Union’s General Data Protection Regulation. Data may be transferred on the basis of standard clauses approved by the Commission.
10. Register’s principles of protection
As the data controller, the Punainen Risti Ensiapu, Training Programmes unit is responsible for ensuring that data are processed in accordance with good data security practices. The data in the register can only be accessed by the partner organisation that arranged the training, the controller and the service providers and administrators specifically authorised by the controller.
Persons designated by the system provider Kiwa Inspecta shall only process data to the extent necessary to implement customer service and maintain the agreed service. With regard to technical maintenance, the processing of data is the responsibility of an external service provider on whose servers the data are stored.
The data are processed in databases that are protected by firewalls, passwords and other technical means. The databases and their backups are located in locked premises, and the data can only be accessed by pre-designated processors.
In the Punainen Risti Ensiapu Training Programmes unit, only the employees who have the right to process personal data as part of their work duties are entitled to use systems containing personal data. Each processor has their own usernames and passwords for the systems.
11. Rights of the data subject
The data subject has the following rights:
- Right to access data: right to request a copy of your personal data
- Right to rectification and erasure: right to request that the data concerning them be corrected or deleted, unless the retention of data is required by applicable data protection or other regulations
- Right to restrict processing: right to request the restriction of processing their data
- Right to object to processing: insofar as the processing of personal data is based on legitimate interest, object to the processing of their data
- Right to data portability: when the processing of data is based on consent, the right to request the transfer of their data from one system to another in a machine-readable format
- Right to withdraw consent to data processing: if the processing of personal data is based on consent, the data subject has the right to withdraw their consent at any time
- Right to file a complaint with a supervisory authority: the data subject has the right to lodge a complaint about shortcomings in the processing of personal data with the controller, the processor or a supervisory authority.
The data subject has the right to be forgotten in this register. Deleting the data subject in this register terminates the processing of their data and also means that their first aid qualification shall expire. After deletion, also the data subject will not be able to access their data. The controller will review the request before anonymising the identifying data. Determining the data subject to be forgotten may be prevented if they have a qualification that the controller is legally obliged to register. Being forgotten in this register does not mean the deletion or anonymisation of the data subject’s personal data in the registers or systems of the partner organisation providing the training service.
First aid training in accordance with the Punainen Risti Ensiapu training programmes is organised by partner organisations that have their own customer registers and privacy statements. If the matter is related to the partner organisation’s registers, the data subject must contact the data protection officer of the partner organisation.
Contacts concerning the right of access, rectification and restriction should primarily be made in writing by filling in the information request form and sending it to the e-mail address tietosuoja.ensiapu@punainenristiensiapu.fi. The sender of the request will be asked to confirm their identity. Punainen Risti Ensiapu will send all replies to the data subject’s e-mail address known to Punainen Risti Ensiapu. In exceptional cases, the replies can be delivered to a postal address known to Punainen Risti Ensiapu.
If necessary, the data subject always has the right to lodge a complaint with the competent authority regarding the controller’s processing of personal data. The competent authority in Finland is the Office of the Data Protection Ombudsman.
Approved 22 September 2023