1. Data controller

Punainen Risti Ensiapu, Training Services

Business ID: 2843118-7

Sturenkatu 16, 6th floor, 00510 Helsinki

2. Data Protection Officer contact details

3. Name of the register

Punainen Risti Ensiapu, Training Services: Customer Register

4. Purpose and basis for processing personal data

The basis for the processing of personal data is a customer relationship or other similar relationship with the Training Services of Punainen Risti Ensiapu, in which case the legal basis for the processing is a contract. Individuals will be asked to consent to the processing of their data in connection with the formation of the customer relationship.

The purpose of the processing is to manage and develop the customer relationship. The data may be used for communication purposes. Personal data may be processed in the manner described in this Privacy Notice. In addition, the processing is based on a legitimate interest of Punainen Risti Ensiapu and possible third parties to process personal data. The legitimate interest is based on the relevant and appropriate relationship formed when an organisation or other similar entity acts on behalf of Punainen Risti Ensiapu.

The personal data in the Customer Register are used for different purposes, such as:

Management of customer data
Management and development of customer relationship, sending out course invitations and signing up for events and training sessions
Management and tracking of a customer’s completed training courses
Provision of support and advisory services and management and quality control of service activities
Management of users of the digital services of Punainen Risti Ensiapu
Management of contracts
Billing
Profiling and segmentation of customer relationships
Communication and marketing
Statistics and reporting
Market or opinion surveys
Recordings of customer calls may be used to authenticate service transactions, to ensure the legal protection of customers and Punainen Risti Ensiapu, for training purposes, to improve the quality of the service, and to prevent misuse and for security reasons.

5. Data content of the register

The following data may be processed in the register:

Identifying information
- Metadata and tags generated in the system
- Name
- Contact information:
  - Address
  - Telephone number
  - Email address
- Preferred language
- Customer ID number

Information about the customer relationship
- Training and event registration and attendance information
- Training records, management of completed training sessions and qualifications
- Purchase history
- Requests for quotation
- Contact requests
- Campaign and contact details
- Company or employer, as well as the position and role in the organisation related to the customer relationship
- Contracts, if any
- Notes concerning the customer relationships

Service usage data
- Any attachments, such as signed contracts
- Permits and consents
- Direct marketing and survey prohibitions
- Identifiers used in targeted marketing
- Grouping data and other analytics-derived data concerning the customer relationship
- Cookie data
- Log data
- Session IDs
- IP addresses
- Payment information and payment brokerage information
- Customer call recordings
- Customer feedback and other survey responses
- Communications related to customer relationship management
- User IDs for digital services managed by Punainen Risti Ensiapu
- Log data from the user accessing digital services managed by Punainen Risti Ensiapu

Punainen Risti Ensiapu only stores data necessary for its own operations and data processing purposes when there are legal conditions for the processing of data. Any data that are no longer fit for purpose, outdated data, or data with no basis for processing are anonymised or disposed of securely.

6. Personal data storage time

Punainen Risti Ensiapu stores personal data in the register for as long as the customer relationship or other similar relationship continues for the purposes defined in this privacy statement. Punainen Risti Ensiapu stores personal data related to billing for a period of time in accordance with legal obligations.

At the end of the appropriate processing of personal data, the data are anonymised or disposed of. The necessity requirement for the processing of personal data is considered to have ended when six (6) years have elapsed since the last contact, procedure, amendment or entry, or at the end of the statutory retention period.

7. Data sources

Customer information is collected for the register in connection with requests for quotation, contact requests, orders, direct contacts and registration for and participation in training sessions and events. As a rule, the information is obtained from the data subjects themselves or from a representative of the data subject’s employer. In some situations, information may be obtained from the employer’s website or other public sources. Data collection is a requirement for entering into a contract and fulfilling contractual obligations.

Cookies

The website of Punainen Risti Ensiapu uses cookies. A cookie is a small text file sent to and stored on the user’s computer that allows the website owner to recognise frequent visitors to the site, to help visitors log in to the site, and to enable the generation of aggregated data about the visitors. With this feedback, Punainen Risti Ensiapu is able to continuously improve the contents of the website. Cookies do not damage the user’s computer or files. They are used in such a way that the Punainen Risti Ensiapu can provide its customers with information and services that meet their specific needs.

If the user visiting the Punainen Risti Ensiapu website does not want Punainen Risti Ensiapu to receive the above data with the help of cookies, then the use of cookies may be declined when accessing the site and upon being asked to accept/decline the use of cookies, or later by turning cookies off in the browser’s settings. However, cookies may be necessary for some of the pages and services maintained by Punainen Risti Ensiapu to function properly, so Punainen Risti Ensiapu does not guarantee the functionality of all services if cookies are disabled.

We also use Leadoo’s user tracking technology on our website to combine the data collected using the technology with data collected from other sources, such as chat logs. This tracking is based on ETag tracking, which is different from cookie-based tracking, by combining the data from multiple sessions. If you do not want to be tracked, you can clear the cache of your browser. For more information on user tracking provided by Leadoo, please visit https://leadoo.com/privacy-policy/ and https://leadoo.com/privacy-policy-processor/.

8. Recipients and processors of personal data

The personal data in the customer register are processed and maintained by the employees of Punainen Risti Ensiapu responsible for customer relationship management.

External service providers responsible for the technical maintenance of the customer register act as processors of personal data. Data may be disclosed to a service provider contracted by the controller involved in customer acquisition or customer relationship management as the process progresses.

9. Regular disclosure of data

Personal data may be disclosed to third parties, such as financial administration, as permitted by applicable legislation. The third parties are partners who support the mission of the register and whose purpose of use of the data is not incompatible with the purposes of Punainen Risti Ensiapu. Punainen Risti Ensiapu has signed necessary agreements with such third parties for the processing of personal data. In addition, the data controller has the right to disclose material in the register to a third party if required by law, decrees, or authorities.

Data are transferred, to the extent necessary, to the training and qualification system of Punainen Risti Ensiapu, and bookkeeping materials are transferred to financial management software. Any contracts are signed electronically through a service provider to whom data are disclosed to the extent necessary.

Data will be disclosed to authorities when disclosure is required by law, such as for the purposes of resolving and preventing misconduct.

In connection with the user IDs of the systems related to the customer relationship, information such as the name, e-mail address and phone number of the data subject may be disclosed to the supplier’s system.

Personal data of data subjects who have granted the permission may be transferred to the direct marketing register of Punainen Risti Ensiapu. Data subject’s personal data may be disclosed to the partners involved in the implementation of the marketing of Punainen Risti Ensiapu in order to form target groups for the services of marketing partners.

Otherwise, personal data will not be disclosed to third parties.

10. Transfer of data outside the EU or EEA

Data may be transferred outside the European Union Member States or the European Economic Area to the extent necessary for the technical implementation of data processing, in which case the data transfer will comply with the requirements of the General Data Protection Regulation of the European Union. Data may be transferred, for instance, under the model clauses approved by the Commission.

11. Register’s principles of protection

As the data controller, Punainen Risti Ensiapu is responsible for ensuring that data are processed in accordance with good data processing practices. The data in the register can only be accessed by the controller and the service providers and administrators specifically authorised by it. Personal data in the register will only be processed by people whose responsibilities include sales, customer relationship management, billing, or course arrangements.

People designated by the system provider process data only to the extent necessary to maintain the service. With regard to technical maintenance, the processing of data is the responsibility of an external service provider on whose servers the data are stored. People designated by the system provider process data only within the system.

Technical protection of the systems in the register and the interfaces between them has been agreed on with the system suppliers. The data are processed in databases that are protected by firewalls, passwords, and other technical means. The databases and their backups are located in locked premises, and the data can only be accessed by pre-designated processors.

Only those employees who have the right to process personal data as part of their work are entitled to use systems containing personal data. Each processor has signed a non-disclosure agreement and has their own usernames and passwords for the systems.

12. Rights of the data subject

The data subjects have the following rights:

Right to access data: The data subject has the right to request a copy of the personal data.
Right to rectification and erasure: The data subject has the right to request that the data concerning them be corrected or deleted, unless the retention of data is required by applicable data protection regulation or other regulation.
Right to restrict processing: The data subject has the right to request the restriction of processing their data.
Right to object to data processing: The data subject has the right to object to the processing of their data if there are grounds for this.
Right to data portability: The data subject has the right to request the transfer of their data from one system to another in a machine-readable format.
Right to withdraw consent to data processing: If the processing of personal data is based on consent, the data subject has the right to withdraw their consent at any time.
Right to file a complaint with a supervisory authority: The data subject has the right to file a complaint about shortcomings in the processing of personal data with the controller, the processor or a supervisory authority.

Contacts concerning the right of access, rectification and restriction should primarily be made in writing by filling in the information request form and sending it to the e-mail address tietosuoja.ensiapu@redcross.fi. The sender of the request will be asked to confirm their identity. Punainen Risti Ensiapu will send all replies to the data subject’s e-mail address known to Punainen Risti Ensiapu. In exceptional cases, the replies can be delivered to a postal address known to Punainen Risti Ensiapu.