Ylläpidä ensiaputaitojasi

Privacy Statement: Competence Admin

1. Data controller

Punainen Risti Ensiapu, Training Programmes
Business ID: 2843118-7

2. Data Protection Officer contact information

tietosuoja.ensiapu@punainenristiensiapu.fi

3. Name of the data file

Punainen Risti Ensiapu, Training Programmes: Competence Admin

4. Purpose and basis of processing personal data

This Privacy Statement describes how the Training Programmes unit of Punainen Risti Ensiapu uses first aid course participants’ personal data in the context of the Competence Admin system and related services to enable the administration of FRC first aid courses and first aid instructor training.

The Competence Admin system is supplied by Kiwa Inspecta, which acts as a data processor on behalf of Punainen Risti Ensiapu. The customer service team of Kiwa Inspecta answers questions and provides guidance on any issues related to the validity of certificates or using the system.

The basis of processing is the completion of a certified FRC first aid course and the competence qualification earned on that basis. Course participants are asked for their consent to the processing of their data when they start their first aid training or sign up for the course.

Personal data are used for the following purposes:

  • Provision of a certified first aid training service
  • Administration of data subjects’ competence qualifications
  • Production of MyCertificate mobile certificates
  • Disclosures to the authorities for the purposes of, for example, professional qualifications
  • Communication with data subjects regarding their competence qualifications and course completion
  • Customer service

Personal data may also be used for the following purposes:

  • Collection of data for official statistics and reports, such as statistics on the number of first aid instructors, qualified first-aiders and courses
  • Other statistical and reporting purposes. Statistical and reporting data are numerical data from which individuals cannot be identified.

5. Content of the data file

  • Name and contact information of the data subject (such as email address, telephone number, street address, postcode, town/city and country)
  • Date of birth or national identification number (only used to identify the person, not stored in the system as plain text)
  • Details of courses and qualifications

System-generated data

  • Unique identifiers generated by the system, such as a customer number
  • Data revision history
  • Customer relationship information, such as customer feedback and interactions
  • Employer information
  • Permissions given by the user themselves for organisations or employers to view their competence qualifications

User log data may be collected to track system activity by user group. In addition, the system uses Google Analytics to analyse user traffic to improve the user experience of the website. These cookies remain on the user’s device for 2 years or until the user clears their browser’s cache.

6. Personal data retention

Information about the data subject will be stored in electronic format for two years after the expiration of their most recent certificate. At the end of this retention period, the personal data will be anonymised.

7. Data sources

The information is collected from the participants themselves or supplied by the partner organisation or the First Aid Instructor. The partner organisation or the instructor records the participants’ details into the system. The partner organisation or the instructor will also ask for the participants’ consent for the purposes mentioned in section 4 of this Privacy Statement when collecting their data.

8. Recipients and processors of personal data

The personal data held in the Competence Admin system are processed by representatives of partner organisations of Punainen Risti Ensiapu’s Training Programmes unit in accordance with the terms and conditions of the Competence Admin system and partnership agreements.

Each partner organisation has its own administrators, who are responsible for managing the access privileges of their organisation’s users. Partner organisations’ users can only store and process their own organisation’s training and qualification data.

The customer service team of Kiwa Inspecta answers questions and provides guidance on any issues related to the validity of certificates or using the system.

9. Transfer of data outside the EU or the EEA

Data may be transferred outside the European Union Member States or the European Economic Area to the extent necessary for the technical implementation of data processing, in which case the data transfer will comply with the requirements of the General Data Protection Regulation of the European Union. Data may be transferred under the standard clauses approved by the Commission.

10. Data protection principles

As the data controller, the Training Programmes unit of Punainen Risti Ensiapu is responsible for ensuring that data are processed in accordance with good data processing practices. The data in the system can only be accessed by the partner organisation that ran the course, the controller and the service providers and administrators specifically authorised by it.

People designated by the system supplier, Kiwa Inspecta, only process data to the extent necessary to provide customer service and to manage the agreed service. With regard to technical maintenance, the processing of data is the responsibility of an external service provider on whose servers the data are stored.

The data are processed in databases that are protected by firewalls, passwords and other technical means. The databases and their backups are located in locked premises, and the data can only be accessed by pre-designated processors.

Within the Training Programmes unit of Punainen Risti Ensiapu, systems containing personal data can only be accessed by employees who are authorised to process personal data in their line of work. All processors have their own usernames and passwords for the systems.

11. Rights of the data subject

The data subject has the following rights:

  • Right to access data: The data subject has the right to request a copy of their personal data file
  • Right to rectification and erasure: The data subject has the right to request that the data concerning them be corrected or deleted, unless the retention of data is required by applicable data protection or other regulations.
  • Right to restrict processing: The data subject has the right to request the restriction of processing their data.
  • Right to object to the processing of data: The data subject has the right to object to the processing of personal data to the extent that the processing of personal data is based on a legitimate interest.
  • Right to data portability: Where processing is based on consent, the data subject has the right to request the transfer of their data from one system to another in a machine-readable format.
  • Right to withdraw consent to data processing: If the processing of personal data is based on consent, the data subject has the right to withdraw their consent at any time.
  • Right to file a complaint with a supervisory authority: The data subject has the right to file a complaint about shortcomings in the processing of personal data with the controller, the processor or a supervisory authority.

The data subject has the right to be forgotten in this system. The deletion of the data subject from the system will cease the processing of data and also cause the data subject’s first aid certificate to expire. Once deleted, the data subject will not have access to their data. The data controller will review the request prior to anonymising the identifying information. The data subject’s request to be forgotten may have to be denied if the data subject has a certificate that the data controller is legally obligated to keep on file. The right to be forgotten does not extend to having personal data deleted or anonymised in the databases or systems of the partner organisation that provided the training.

FRC first aid courses are run by partners of the Training Programmes unit of Punainen Risti Ensiapu, and each partner organisation has its own customer information systems and privacy policies. If the issue relates to a partner organisation’s data file, the data subject should contact the data protection officer of that organisation.

Contacts concerning the right of access, rectification and restriction should primarily be made in writing by filling in the information request form and sending it by email to tietosuoja.ensiapu@punainenristiensiapu.fi. The sender of the request will be asked to confirm their identity. Punainen Risti Ensiapu responds to requests using the email address that the data subject has provided to Punainen Risti Ensiapu. In special circumstances, the response can be sent to the postal address that Punainen Risti Ensiapu has for the data subject.

Where appropriate, the data subject has the right to lodge a complaint with the competent authority concerning the processing of personal data by the controller. The competent authority in Finland is the Data Protection Ombudsman.

Approved on 31 August 2023