Controller

The controller of the personal register is Redicom Oy. Redicom Oy Kutomotie 16 00380 HELSINKI, Finland

Persons responsible for matters related to the register

The person responsible for the register is the project manager appointed by Redicom Oy. The contact person in matters related to the register is Juha Männistö, CIO, Viinikankatu 49, 33800 Tampere, Finland, tel: +358 40 844 2301. Redicom Oy takes care of the information systems for the personal register. The information system for the personal register is maintained by Redicom Oy.

Name of register

The name of the personal register is “Safetypass.EU”.

Purpose of use of the personal register, legal basis and grounds for processing

The purpose of use of Safetypass.eu is fourfold:

• The system provides people with an electronic portfolio of their competences and accomplishments in their training account for them to share with others or to demonstrate their eligibility for employment.
• For companies, the system provides the connection to data required to administer and manage competences and meet requirements through the person’s data authorisations.
• The system provides owners of training programmes for qualifications with performance management, an accomplishment platform and a management system.
• For trainers, the system provides a place for people to sign up for training events, course management, course training history and automated qualification reporting and course history in personal folders.

The legal basis for processing personal data in accordance with the EU General Data Protection Regulation is:

• the person’s consent, which is requested and logged at the start of the service
• a company-specific agreement in which a person is requested to provide consent and consent is logged.
• (potentially) sector-specific legislation binding upon employers, such as the Act on Nuclear Power Plants
• the controller’s legitimate interest (customer relationship, demonstrating completion of training, employment relationship or membership)

The purpose of processing personal data is to build a register of competences for the person to use at work and in leisure time, enabling the person to share the data they own, request supplementation or delete the information.

When the service is taken into use, every use authorises Safetypass.eu and any employer companies to process their data on the service in order to provide the service. The service enables private individuals to perform data queries on third-party registers in accordance with the European Union’s GDPR article. The person is able to perform data queries to retrieve their own information or to transfer their information to another register.

In the initial phase, the service will also include training entities from pan-European qualification owners and the related descriptions.

Data contained on the personal register

The person’s data is stored on the system in the extent to which the person decides to submit data to the service. At a minimum, the following data is required:

• First name and last name
• Date of birth
• Email address
• Phone number

Company details are stored in the extent to which the company decides to submit data to the service or, at the very least:

• Name
• Company type
• Business ID
• Address details
• Email
• Website address and
• The qualification training programmes owned by the company, if applicable

Logging contains different levels of information:

• Who sent the query
• Who is being queried
• What is being queried
• When the query was submitted
• From where the query was submitted

Regular data sources

In data queries, efforts are always made to confirm the source of data about people. As regards training data, this takes the form of an information query sent to the owner of the training programme or, for company connections, on the basis of the company’s confirmed training data list.

As regards personal data, people provide data about themselves and their competences. The company is able to supplement a person’s competence data. The source of course information is either the course module and thereby the trainer and training event or the timing of the course performance via the training programme confirmation.

Transfer of data outside the EU or European Economic Area

Data is not transferred onward. Data repositories are not transferred outside the EU or European Economic Area.

Principles for protecting the register

Service process

Care is taken when the register is processed, and appropriate protection is in place for the data processed using information systems and the systems’ operating environment. The physical security of hardware and digital information security are handled appropriately. The controller ensures that saved data and the access rights to services and other critical data with regard to the security of personal data are processed in confidence and only by the employees whose jobs require them to process such data.

Public address

The personal register operates on Redicom Oy’s internal and external network in such a way that the users on the external network can only access the Safetypass.eu service. Data connections are encrypted when payments are made and for signed-in users using HTTPS_SSL encryption, and remote administration connections are encrypted using HTTPS_SSL and VPN connections.

A personal user account is required to update data, and every account is linked to a role that determines which content can be accessed.

Publicity and confidentiality of information

The service includes access rights profiles for users in such a way that the user’s access rights are limited to browsing or editing the user’s own data and content. Every profile is linked to a personal user account + password.

To protect the data on the register, every system-level user has an individual personal user account and password. Personal sign-ins and movements within the application generate log data, which can be used to monitor and retrospectively check the use of the application.

Restricting access rights and disclosing personal data

The project manager decides on system-level access rights. The project manager decides on partner-level access rights. Data is not regularly disclosed. The data on the personal register may be disclosed with the express written consent of the data subject or under specific legislation. The disclosure of personal data for research use is subject to permits (Act on the Openness of Government Activities, 621/1999, sections 26 and 28).

Data subjects’ right of inspection

Person’s right of inspection

In line with the MyData principle, people have the right to administer their own data. The service system includes user interfaces for administering data. The person may realise their right to inspect their own data using this functionality.

Correction, deletion or supplementation of incorrect or unnecessary, incomplete or outdated information

Any clear errors in the personal data will be corrected as a part of the normal maintenance procedure. People have the opportunity to correct any errors in their own personal data, or delete or supplement their data.

The administrator may make corrections on the behalf of a person, company, trainer or owner of a training programme upon the party’s written request if the requesting entity can be identified in accordance with jointly agreed rules.

If a request for rectification is not granted, the requester will be issued a written certificate of refusal related to the matter, stating the reason for the refusal (Personal Data Act, 325/1999, section 29).

Destruction and archiving of data

Individuals have the option of exercising their “right to be forgotten” in accordance with the European General Data Protection Regulation. After activating the function enabling the person to be forgotten and passing through the confirmation phase, the person’s data will be deleted entirely, including all personal data, training data and qualifications, and it will not be possible to restore this data retrospectively.

In certain cases, it is possible that national legislation requires data and competences for certain sectors to be retained, overriding the person’s rights. In such cases, Safetypass.eu will invoke its “legitimate interest” based on legislation to store the data on the service in accordance with the legislation applying to the company’s business sector. In such cases, the person will not be able to delete their data from the service.

The data is backed up normally, and the data is deleted from backups as a normal part of the backup process.

Safetypass.eu does not archive data.