Privacy Notice – Certified First Aiders

Last updated: 10 April 2025

1. Data controller

Punainen Risti Ensiapu, Training Services

Business ID: 2843118–7

2. Data Protection Officer contact information

tietosuoja@punainenristiensiapu.fi

3. Name of the data file

Register of Certified First Aiders

4. Purpose and legal basis for the processing of personal data

As the data controller, the Training Services unit of Punainen Risti Ensiapu processes the personal data of certified first aiders in its training course and participant management system, first aid qualifications management system and related services.

The legal basis for the processing of personal data is enrolment or participation in first aid training or a customer relationship between the Training Services unit of Punainen Risti Ensiapu and the employer or other organisation of the certified first aider.

Individuals are asked to consent to the processing of their data when they sign up for first aid training. Participants consent to the sharing of their qualifications with a representative of their employer, if the employer has booked and paid for the training. Participants are required to provide information about their employer when they enrol. If a participant pays for their first aid training themselves, the legal basis for processing is the contract.

The purposes for which we use personal data include the following:

  • Managing the customer data of certified first aiders
  • Providing first aid training services
  • Keeping records of data subjects’ qualifications
  • Coordinating mobile certificates
  • User and access control to digital services provided by Punainen Risti Ensiapu
  • Keeping data subjects informed of training events and qualifications
  • Customer relationship management and development
  • Customer service
  • Billing and accounting
  • Statistics and reporting
  • Communication and marketing related to first aid training events and the validity of first aid certificates
  • Collecting feedback (link to anonymous feedback survey)
  • Market and/or opinion surveys
  • Regulatory notifications
  • Recordings of customer calls may be used to authenticate service transactions, to ensure the legal protection of customers and Punainen Risti Ensiapu, for training purposes, to improve quality of service, to prevent misuse and for security reasons.

5. Data content of the register

Identifying information

  • Name
  • Contact information, such as
    • Email address
    • Telephone number
    • Street address
    • Postcode and town/city
    • Country
  • Date of birth or national identification number (only used to identify the person, not stored in the register in plain text)
  • Employer details or other similar organisational affiliation
  • Any information collected separately by the employer or other similar organisation on the registration form, such as an identifier for exporting data to the company’s own HR system
  • Metadata and tags generated by the system
  • Preferred language

First aid training records

  • Details of training and qualifications
  • Payment information and payment transmission information
  • If the training is conducted partially or completely online, the data subject’s answers to exercises will also be recorded.

Service usage data

  • Permissions and consents given by users themselves, such as allowing their employer or similar organisation to view their qualifications
  • Data change history
  • Information, records and communication concerning the customer relationship
  • Cookie data
  • Log data
  • Session IDs
  • IP addresses
  • Customer call recordings
  • Customer feedback and other survey responses
  • User IDs and access codes for digital services managed by Punainen Risti Ensiapu
  • Log data from the user accessing digital services managed by Punainen Risti Ensiapu

Punainen Risti Ensiapu only stores data necessary for its own operations and data processing purposes when there are legal grounds for the processing of data. Any data that are no longer fit for purpose, outdated data or data with no basis for processing are anonymised or disposed of securely.

6. Personal data storage time

Information about data subjects is stored in an electronic format for a period of two years after the expiry of their most recent certificate or as instructed by the relevant authorities. At the end of this retention period, all personal data are anonymised.

Accounting records are retained for the statutory period.

7. Data sources

Data are obtained in connection with registration, customer service or first aid training from the individuals themselves, their employer or other similar organisation. The instructor can also enter course participants’ details into the system. At the time of collecting the participants’ data, the instructor will ask each participant for their consent for the purposes mentioned in section 4 of this Privacy Notice.

Cookies

The website of Punainen Risti Ensiapu uses cookies. A cookie is a small text file sent to and stored on the user’s computer that allows the website administrator to recognise frequent visitors to the site, to help visitors log in to the site and to enable the generation of aggregated data about visitors. This feedback helps Punainen Risti Ensiapu to continuously improve the contents of the website Cookies do not harm the user’s computer or files in any way. Their purpose is to allow Punainen Risti Ensiapu to provide its customers with information and services that meet their specific needs.

If a user visiting the Punainen Risti Ensiapu website does not want Punainen Risti Ensiapu to use cookies to collect the aforementioned information, they can refuse to accept cookies when first accessing the site and being asked about the use of cookies, or later by disabling cookies in their browser settings. However, cookies may be necessary for some of the pages and services maintained by Punainen Risti Ensiapu to function properly, and Punainen Risti Ensiapu therefore cannot guarantee the functionality of all services if cookies are disabled.

We also use Leadoo’s user tracking technology on our website to combine the data collected using the technology with data collected from other sources, such as chat logs. This tracking is based on ETags, which are different from cookies, and involves combining data from multiple sessions. If you do not want to be tracked, you can clear the cache of your browser. For more information on user tracking provided by Leadoo, please visit https://leadoo.com/privacy-policy/ and https://leadoo.com/privacy-policy-processor/.

In addition, the system uses Google Analytics tools to analyse user traffic to improve the user experience of the website. These cookies remain on the user’s device for 2 years or until the user clears their browser’s cache.

8. Recipients and processors of personal data

The data processors are employees of the Training Services unit of Punainen Risti Ensiapu as required by their responsibilities. Personal data are also processed by system suppliers and service providers on behalf of Punainen Risti Ensiapu. All system suppliers and other service providers have signed a contract on the processing of personal data. System suppliers and service providers process personal data only to the extent necessary for the implementation, maintenance and development of the service in question.

The employer or other similar organisation affiliated with a course participant may be provided with a view of the details of first aid training events and qualifications in the organisation’s Omapalvelu user interface. The organisation’s Omapalvelu service requires a separate contract and a personal data processing agreement between the Training Services unit of Punainen Risti Ensiapu and the organisation. There is a possibility to transfer data concerning completed training courses from the organisation’s Omapalvelu service to the organisation’s own HR system.

Information will be provided to the payment service provider to the extent necessary to complete the payment process. Records of payments are sent to the accounting department.

If the training is carried out partially or completely online, data will be disclosed, to the extent necessary, to the service provider of the digital training platform or eLearning platform, in order to enable access control and necessary access rights. The instructor can see the participants’ answers to exercises, if there are any.

The first aid training event management system is used to keep records of training courses, participants and their qualifications. The instructor or a customer service representative enters the details of participants at a training event into the system.

The provider of the first aid qualifications management system acts as a processor of personal data on behalf of Punainen Risti Ensiapu. The system supplier’s customer service team answers questions and provides guidance on any issues related to the validity of certificates or using the system.

Data related to the coordination of training courses, participants and first aid qualifications as well as the delivery of services are transferred between systems through interfaces built on an integration platform or through direct interfaces.

Personal data may be disclosed to third parties, such as financial administration, as permitted by the applicable legislation. These third parties are partners who support the mission of the register and whose purpose of use of the data is not incompatible with the purposes of Punainen Risti Ensiapu. Punainen Risti Ensiapu has signed agreements for the processing of personal data with such third parties. In addition, the data controller has the right to disclose data from the register to third parties if required by law, decrees or the authorities.

9. Transfer of data outside the EU or the EEA

Data may be transferred outside the European Union Member States or the European Economic Area to the extent necessary for the technical implementation of data processing, in which case the data transfer will comply with the requirements of the General Data Protection Regulation of the European Union. Data may be transferred under the standard contractual clauses approved by the Commission.

10. Data protection principles

As the data controller, the Training Services unit of Punainen Risti Ensiapu is responsible for ensuring that data are processed in accordance with good data processing practices. The data in the register can only be processed by the controller and the service providers and administrators specifically authorised by it.

Within the Training Services unit of Punainen Risti Ensiapu, systems containing personal data may only be used by the employees and others contracted by the data controller who are entitled to process personal data in their line of work. All processors have their own usernames and passwords for the systems.

People designated by the system supplier process data only to the extent necessary to provide customer service and/or to maintain the agreed service. With regard to technical maintenance, the processing of data is the responsibility of an external service provider on whose servers the data are stored.

The technical security of the systems included in the register and the interfaces between them has been agreed upon with the system suppliers. The data are processed in databases that are protected by firewalls, passwords and other technical means. The databases and their backups are located in locked premises, and the data can only be accessed by pre-designated processors.

11. Rights of the data subject

The data subjects have the following rights:

  • Right to access data: Data subjects have the right to request a copy of their personal data file.
  • Right to rectification and erasure: Data subjects have the right to request that the data concerning them be corrected or deleted, unless the retention of data is required by the applicable data protection laws or other regulations.
  • Right to restrict processing: Data subjects have the right to request the restriction of the processing of their data.
  • Right to object to the processing of data: Data subjects have the right to object to the processing of their personal data to the extent that the processing of personal data is based on a legitimate interest.
  • Right to data portability: Where processing is based on consent, data subjects have the right to request the transfer of their data from one system to another in a machine-readable format.
  • Right to withdraw consent to data processing: If the processing of personal data is based on consent, data subjects have the right to withdraw their consent at any time.
  • Right to file a complaint with a supervisory authority: Data subjects have the right to file a complaint about shortcomings in the processing of personal data with the controller, the processor or a supervisory authority.

Data subjects have the right to be forgotten in this system. The deletion of a data subject’s personal data from the system will cease all processing of their data and also cause the data subject’s first aid certificate to expire. Once deleted, the data subject will not have access to their data. The data controller will review the request prior to anonymising the identifying information. A data subject’s request to have their data deleted may not be fulfilled if the data subject has a certificate that the data controller is legally obligated to keep on file.

Data subjects have the right to inspect their personal data file and to demand the rectification, erasure or completion of any personal data of theirs that are incorrect, outdated, incomplete or unnecessary for the purpose of processing. Requests for access to personal data files can be submitted as instructed at www.ensiapukoulutus.fi/en/data-protection. We respond to requests within one month.

Where appropriate, data subjects have the right to lodge a complaint with the competent authority concerning the processing of personal data by the controller. The competent authority in Finland is the Data Protection Ombudsman.

12. Automated decision-making

Punainen Risti Ensiapu does not make decisions based on automated processing.

Approved on 10 April 2024