The controller of the personal register is Redicom Oy, Kutomotie 16, 00380 HELSINKI, Finland.
The person responsible for the register is the project manager appointed by Redicom Oy. The contact person in matters related to the register is Juha Männistö, CIO, Viinikankatu 49, 33800 Tampere, Finland, tel: +358 40 844 2301. Redicom Oy takes care of the information systems for the personal register. The information system for the personal register is maintained by Redicom Oy.
The name of the personal register is “Safetypass.EU”.
The purpose of use of Safetypass.eu is fourfold:
The legal basis for processing personal data in accordance with the EU General Data Protection Regulation is:
The purpose of processing personal data is to build a register of competences for the person to use at work and in leisure time, enabling the person to share the data they own, request supplementation or delete the information.
When the service is taken into use, every user authorises Safetypass.eu and any employer companies to process their data on the service in order to provide the service. The service enables private individuals to perform data queries on third-party registers in accordance with the European Union’s GDPR article. The person is able to perform data queries to retrieve their own information or to transfer their information to another register.
In the initial phase, the service will also include training entities from pan-European qualification owners and the related descriptions.
The person’s data is stored on the system to the extent to which the person decides to submit data to the service. At a minimum, the following data is required:
Company details are stored to the extent to which the company decides to submit data to the service or, at the very least:
Logging contains different levels of information:
In data queries, efforts are always made to confirm the source of data about people. As regards training data, this takes the form of an information query sent to the owner of the training programme or, for company connections, on the basis of the company’s confirmed training data list.
As regards personal data, people provide data about themselves and their competences. The company is able to supplement a person’s competence data. The source of course information is either the course module and thereby the trainer and training event or the timing of the course performance via the training programme confirmation.
Data is not transferred onward. Data repositories are not transferred outside the EU or European Economic Area.
Care is taken when the register is processed, and appropriate protection is in place for the data processed using information systems and the systems’ operating environment. The physical security of hardware and digital information security are handled appropriately. The controller ensures that saved data and the access rights to services and other critical data with regard to the security of personal data are processed in confidence and only by the employees whose jobs require them to process such data.
The personal register operates on Redicom Oy’s internal and external network in such a way that the users on the external network can only access the Safetypass.eu service. Data connections for payments and for signed-in users are encrypted using HTTPS_SSL encryption, and remote administration connections are encrypted using HTTPS_SSL and VPN connections.
A personal user account is required to update data, and every account is linked to a role that determines which content can be accessed.
The service includes access rights profiles for users in such a way that the user’s access rights are limited to browsing or editing the user’s own data and content. Every profile is linked to a personal user account and password.
To protect the data on the register, every system-level user has an individual personal user account and password. Personal sign-ins and movements within the application generate log data, which can be used to monitor and retrospectively check the use of the application.
The project manager decides on system-level access rights. The project manager decides on partner-level access rights. Data is not regularly disclosed. The data on the personal register may be disclosed with the express written consent of the data subject or under specific legislation. The disclosure of personal data for research use is subject to permits (Act on the Openness of Government Activities, 621/1999, sections 26 and 28).
In line with the MyData principle, people have the right to administer their own data. The service system includes user interfaces for administering data. The person may realise their right to inspect their own data using this functionality.
Any clear errors in the personal data will be corrected as a part of the normal maintenance procedure. People have the opportunity to correct any errors in their own personal data, or delete or supplement their data.
The administrator may make corrections on behalf of a person, company, trainer or owner of a training programme upon the party’s written request if the requesting entity can be identified in accordance with jointly agreed rules.
If a request for rectification is not granted, the requester will be issued a written certificate of refusal related to the matter, stating the reason for the refusal (Personal Data Act, 325/1999, section 29).
Individuals have the option of exercising their “right to be forgotten” in accordance with the European General Data Protection Regulation. After activating the function enabling the person to be forgotten and passing through the confirmation phase, the person’s data will be deleted entirely, including all personal data, training data and qualifications, and it will not be possible to restore this data retrospectively.
In certain cases, it is possible that national legislation requires data and competences for certain sectors to be retained, overriding the person’s rights. In such cases, Safetypass.eu will invoke its “legitimate interest” based on legislation to store the data on the service in accordance with the legislation applying to the company’s business sector. In such cases, the person will not be able to delete their data from the service.
The data is backed up normally, and the data is deleted from backups as a normal part of the backup process.
Safetypass.eu does not archive data.