1. Data controller

Punainen Risti Ensiapu, Training Services

Business ID: 2843118–7

2. Data Protection Officer contact details

3. Name of the register

Punainen Risti Ensiapu, Training Services: Register of Certified First Aiders

4. Purpose and basis for processing personal data

As the data controller, the Training Services unit of Punainen Risti Ensiapu processes the personal data of certified first aiders in the eTaika system for managing first aid training sessions and in the Competence Admin system for managing first aid qualifications and related services.

The basis for the processing of personal data is the customer relationship between Punainen Risti Ensiapu Training Services and the certified first aider, their employer or other organisation affiliated with the certified first aider. Individuals are asked to consent to the processing of their data when they sign up for first aid training. The participants accept the release of training participation information to their employer when providing the details of their employer when signing up for training. If the certified first aider also pays for the training, the legal basis for processing is the contract.

The purposes for which we use personal data include:

Providing a certified first aid training service
Maintaining qualifications of data subjects
Issuing OmaEnsiaputodistus mobile certificates
Providing other training events
Notifying authorities of certificates such as vocational qualifications
Informing the data subject of qualifications and completed training events
Customer service
Billing and accounting
Managing the customer data of certified first aiders
Managing and developing the customer relationship, course invitations and registration for training events of certified first aiders
Statistics and reporting
Communication and marketing concerning first aid training events and validity of first aid certificates
Collecting feedback (link to anonymous feedback survey)
Market and/or opinion surveys
User and access control to digital services provided by Punainen Risti Ensiapu
Recordings of customer calls may be used to authenticate service transactions, to ensure the legal protection of customers and Punainen Risti Ensiapu, for training purposes, to improve the quality of the service, and to prevent misuse and for security reasons.

5. Data content of the register

Identifying information

Name
Contact details, such as:
- Email address
- Telephone number
- Street address
- Postal code and city
- Country
Date of birth or national identification number (only used to identify the person, not stored in the register in plain text)
Any information collected separately by the employer or other similar organisation on the registration form, such as an identifier for exporting data to the company’s own HR system
Metadata and tags generated by the system
Employer details or other similar organisational affiliation
Preferred language

First aid training records

Details of training and qualifications
Payment information and payment brokerage information
If the training is conducted partially or completely online, the data subject’s responses to any questions will also be recorded.

Service usage data

Permissions and consents given by the user themself, such as allowing their employer or similar organisation to view the user’s qualifications
Data change history
Information, records and communication concerning the customer relationship
Cookie data
Log data
Session IDs
IP addresses
Customer call recordings
Customer feedback and other survey responses
User IDs and access codes for digital services managed by Punainen Risti Ensiapu
Log data from the user accessing digital services managed by Punainen Risti Ensiapu

Punainen Risti Ensiapu only stores data necessary for its own operations and data processing purposes when there are legal conditions for the processing of data. Any data that are no longer fit for purpose, outdated data, or data with no basis for processing are anonymised or disposed of securely.

6. Personal data storage time

Information about the data subject will be stored in electronic format for two years after the expiration of their most recent certificate. At the end of this retention period, the personal data will be anonymised.

Records will be retained for the statutory period.

7. Data sources

Data are obtained in connection with registration, customer service or first aid training from the individuals themselves, their employer or other similar organisation. The instructor can also save the course participant details. At the time of collecting the participant’s data, the instructor will receive the participant’s consent for the purposes mentioned in section 4 of this Privacy Notice.

Cookies

The website of Punainen Risti Ensiapu uses cookies. A cookie is a small text file sent to and stored on the user’s computer that allows website owners to recognise frequent visitors to the site, to help visitors log in to the site, and to enable the generation of aggregated data about the visitors. With this feedback, Punainen Risti Ensiapu is able to continuously improve the contents of the website Cookies do not damage the user’s computer or files. They are used in such a way that the Punainen Risti Ensiapu can provide its customers with information and services that meet their specific needs.

If the user visiting the Punainen Risti Ensiaopu website does not want Punainen Risti Ensiapu to receive the above data with the help of cookies, then the use of cookies may be declined when accessing the site and upon being asked to accept/decline the use of cookies, or later by turning cookies off in the browser’s settings. However, cookies may be necessary for some of the pages and services maintained by Punainen Risti Ensiapu to function properly, so Punainen Risti Ensiapu does not guarantee the functionality of all services if cookies are disabled.

We also use Leadoo’s user tracking technology on our website to combine the data collected using the technology with data collected from other sources, such as chat logs. This tracking is based on ETag tracking, which is different from cookie-based tracking, by combining the data from multiple sessions. If you do not want to be tracked, you can clear the cache of your browser. For more information on user tracking provided by Leadoo, please visit https://leadoo.com/privacy-policy/ and https://leadoo.com/privacy-policy-processor/.

In addition, the system uses Google Analytics tools to analyse user traffic to improve the user experience of the website. These cookies remain on the user’s device for 2 years or until the user clears their browser’s cache.

8. Recipients and processors of personal data

The data processors are users of the Training Services unit of Punainen Risti Ensiapu as required by their responsibilities and in accordance with the terms and conditions of use of the eTaika and Competence Admin systems.

The employer or other similar organisation affiliated with the course participant may be provided with a view of the details of first aid training events and qualifications in the organisation’s Omapalvelu user interface, if the training was ordered by the entity in question and the data subject has consented to this arrangement. The organisation’s Omapalvelu service requires a separate agreement and a personal data processing agreement between the training services of Punainen Risti Ensiapu and the organisation. There is a possibility to transfer data concerning completed training courses from the organisation’s Omapalvelu service to the organisation’s own HR system.

Information will be provided to the payment service provider to the extent necessary to complete the payment process. Records of payments are sent to the accounting department.

If the training is carried out partially or completely online, data will be disclosed, to the extent necessary, to the service provider of the digital training platform or eLearning platform, in order to enable access control and necessary access rights. The instructor can see the answers to questions, if there are any.

The eTaika event management system is provided by Visma Public, which acts on behalf of Punainen Risti Ensiapu as a processor of personal data.

The Competence Admin system is supplied by Kiwa Inspecta, which acts on behalf of Punainen Risti Ensiapu as a processor of personal data. The customer service team of Kiwa Inspecta oversees and provides guidance on any issues related to validity of certificates or using the system.

An interface has been built between the key systems of the register of certified first aiders, or the training management (eTaika) and competence admin (Competence Admin) systems to enable the transfer of details of completed courses after the assigned training has been completed, retrieval of data on qualifications, and, in the case of e-learning events, the provision of access codes to the participant.

Processing of personal data has been agreed on with the system suppliers and other service providers.

The customer service team of Kiwa Inspecta oversees and provides guidance on any issues related to validity of certificates or using the mobile certificate.

Personal data may be disclosed to third parties, such as financial administration, as permitted by applicable legislation. The third parties are partners who support the mission of the register and whose purpose of use of the data is not incompatible with the purposes of Punainen Risti Ensiapu. Punainen Risti Ensiapu has signed necessary agreements with such third parties for the processing of personal data. In addition, the data controller has the right to disclose material in the register to a third party if required by law, decrees, or authorities.

9. Transfer of data outside the EU or EEA

Data may be transferred outside the European Union Member States or the European Economic Area to the extent necessary for the technical implementation of data processing, in which case the data transfer will comply with the requirements of the General Data Protection Regulation of the European Union. Data may be transferred under the standard clauses approved by the Commission.

10. Register’s principles of protection

As the data controller, the Training Services unit of Punainen Risti Ensiapu is responsible for ensuring that data are processed in accordance with good data processing practices. The data in the register can only be processed by the controller and the service providers and administrators specifically authorised by it. Personal data in the register will only be processed by people whose responsibilities include sales, customer service, customer relationship management, training, billing, or course arrangements.

People designated by the system provider process data only to the extent necessary to provide customer service and/or to maintain the agreed service. With regard to technical maintenance, the processing of data is the responsibility of an external service provider on whose servers the data are stored.

Technical protection of the systems in the register and the interfaces between them has been agreed on with the system suppliers. The data are processed in databases that are protected by firewalls, passwords, and other technical means. The databases and their backups are located in locked premises, and the data can only be accessed by pre-designated processors.

Within the Training Services unit of Punainen Risti Ensiapu, systems containing personal data may only be used by the employees and others contracted by the data controller who are entitled to process personal data in their line of work. All processors have their own usernames and passwords for the systems.

11. Rights of the data subject

The data subject has the following rights:

Right to access data: The data subject has the right to request a copy of their personal data.
Right to rectification and erasure: The data subject has the right to request that the data concerning them be corrected or deleted, unless the retention of data is required by applicable data protection or other regulations.
Right to restrict processing: The data subject has the right to request the restriction of processing their data.
Right to object to the processing of data: The data subject has the right to object to the processing of personal data to the extent that the processing of personal data is based on a legitimate interest.
Right to data portability: Where processing is based on consent, the data subject has the right to request the transfer of their data from one system to another in a machine-readable format.
Right to withdraw consent to data processing: If the processing of personal data is based on consent, the data subject has the right to withdraw their consent at any time.
Right to file a complaint with a supervisory authority: The data subject has the right to file a complaint about shortcomings in the processing of personal data with the controller, the processor, or a supervisory authority.

The data subject has the right to be forgotten in this registry. The deletion of the data subject from this register will cease the processing of data and also cause the data subject’s first aid certificate to expire. Once deleted, the data subject will not have access to their data. The data controller will review the request prior to anonymising the identifying information. The data subject’s request to be forgotten may not be fulfilled if the subject has a certificate that the data controller is legally obligated to maintain in a register.

Contacts concerning the right of access, rectification and restriction should primarily be made in writing by filling in the information request form and sending it to the e-mail address tietosuoja.ensiapu@redcross.fi. The sender of the request will be asked to confirm their identity. Punainen Risti Ensiapu will send all replies to the data subject’s e-mail address known to Punainen Risti Ensiapu. In exceptional cases, the replies can be delivered to a postal address known to Punainen Risti Ensiapu.

Where appropriate, the data subject has the right to lodge a complaint with the competent authority concerning the processing of personal data by the controller. The competent authority in Finland is the Data Protection Ombudsman.