PRIVACY NOTICE REMOTE FIRST AID
Remote First Aid are the information controller for the information we process, unless otherwise stated.
There are many ways you can contact us, including by phone, email, live chat and post.
Our postal address is:
Remote First Aid, Unit 5 Riverside Court, Beaufort Park, Chepstow, Monmouthshire, NP116 5UH. Wales, United Kingdom.
Our Data Protection Officer is: Peter Cook. You can contact him at firstname.lastname@example.org or via our postal address above.
How do we get information?
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- You have made a enquiry to us.
- You have made an information request to us.
- You wish to attend, or have attended, an event.
- You subscribe to our e-newsletter.
- You have applied for a job or secondment with us.
- You are representing your organisation.
- You wish to make a purchase from us.
We also receive personal information indirectly, in the following scenarios:
- We have contacted an organisation about issuing of a certificate for you
- Your personal information is contained in courses registers
- We have information about you passed from public authorities, regulators or law enforcement bodies.
- An employee of yours gives your contact details as an emergency contact or a referee.
If it is not disproportionate or prejudicial, we’ll contact you to let you know we are processing your personal information. When enrolling on to any course, you have to give us explicit permission to share your personal data with the awarding bodies and trade organisations who we work with in respects to issuing your certification. We and they also request that you can be contacted directly by them in respects to the issuing of a regulatory certificate for the lawful purpose of quality control, for the lawful purpose of confirming your identity or other lawful reason.
Your data protection rights
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
Your right of access:
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
Your right to rectification:
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. This is closely linked to the data protection principle of Accuracy. Individuals can request inaccurate personal data to be corrected or completed if it is incomplete. Any request can be made verbally or in writing to us and we have one calendar month to respond to amy request. Our policy of 28 days covers any request received in any calendar month.
We have the right to verify your identity and accuracy of the data before the data subject’s request, and if we are satisfied that the data is accurate we will notify the individual and tell them we will not be amending it. We will fully explain our decision and inform you of your rights to complain to the information commissioner’s office or other supervisory authority, and your right to seek a judicial remedy.
Your right to erasure:
Your right to erasure or the “right to be forgotten” is not absolute and only applies in certain circumstances. An individual has the right to have their personal data erased if the personal data is no longer necessary for the purpose you initially collected and processed it for, or where you are relying on consent as your lawful basis processing and the individual then withdraws their consent. If you are relying on legitimate interests as your lawful basis for processing and the individual objects yet there is no overriding legitimate interest to continue the processing, the right to erasure remains.
If we are processing your data for direct marketing, if the individual is a child or if we have processed your data unlawfully, the individual has the right to erasure. This will also apply where we have to erase your data to comply with a legal obligation.
If you have shared your data with us and that is subject to erasure with another organisation you will need to inform them.
Your right to restriction of processing:
The next right is the right to restrict processing, which allows an individual to limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data. If an individual exercises this right, you may store their data but you must not process it in any other way, unless you have the individual’s consent, or if it is for the establishment, exercise or defence of legal claims, or for the protection of the rights of another person either legal or natural, or, when the data is processed for reasons of public interest.
If the data has been shared with another organisation, then they must be notified of the restriction. If the individual asks for information about who the data is shared with you must provide them with that.
If you wish to refuse to comply with the restriction, you would need to be able to prove that it is manifestly unfounded or excessive, taking into account whether or not the request is repetitive in nature.
If you consider that a request is manifestly unfounded or excessive you can request a “reasonable fee” to deal with the request, or simply refuse to deal with the request. In either case, you will need to justify your decision.
You would need to inform the relevant individual as to the reasons you are not taking action so that they can have the right to complain to the ICO or another supervisory authority and tell them about their ability to seek to enforce this right through a judicial remedy.
Your right to object to processing:
All individuals have the right to object under the GDPR. This right is absolute when they object to their data being used for direct marketing. This objection can be made verbally or in writing and you have to respond when you receive an objection and you must respond within one month.
In some circumstances, we can refuse an objection if we have a compelling reason to do so, as long as we provide the individual concerned with the right information.
Individuals can object if the processing is for a task carried out in the public interest or for your legitimate interests or those of a third party, however, in these cases, their right is not absolute.
Where we process your data for legitimate interests, we will consider the reasons why you have objected if you believe that our processing is causing you substantial damage or distress, for example, financial loss, this will give any objection more weight. Before deciding whether we are going to stop the processing or continue to process and refuse, we will provide you with a balanced response outlining why we have rejected your request.
If we have made the decision not to stop processing your personal data, we will must inform the individual concerned and explain why. We will also inform you of your right to make a complaint to the ICO or another supervisory authority. Finally, you must also advise them of their ability to seek to enforce their rights through a judicial remedy.
Your right to data portability:
This gives individuals the right to obtain and reuse their personal data for their own purposes across services. One example would be bank details and information, where an individual may need to transfer information such as direct debit details.
Providing data with this way allows them to move, copy or transfer personal data safely and easily from one IT environment to another, without affecting its usability. This right only applies to information the individual has provided to the controller and where the organisation’s lawful basis is consent or for the performance of a contract and where the processing is being carried out by automated means.
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.
If we are processing your information for criminal law enforcement purposes, your rights are slightly different.
How long we keep it:
We only hold your personal information for the following time scales relating to the services we offer and in accordance with HMRC rules regarding any financial transactions made between us.
Certification information with expiry dates, such as first aid certificates, life time of the certificate PLUS 24 months.
Certificates without expiry date, such as teaching and training qualifications, six years in total.
Financial Transaction information is stored for six years in accordance with HMRC rules.
Personal information regarding using our other services, such as emails and postal addresses we hold this information for as long as you give us permission for. For instance you may give permission for us to contact you by email when you allow us to, you can change this permission at anytime by clicking the link provided by us at the time of you signing up. If you write to us for any reason, we will only keep this information for as long as you gave us permission for, such as you are seeking information on a course date, we would reply to your request and then destroy your personal data 30 days thereafter.
Do you always need my consent to use my data?
No. We don’t always need your consent to use your personal data. We can use it without consent if we have a valid reason. These reasons are known in the law as a ‘lawful basis’, and there are six lawful bases organisations can use. These are:
Please go to our dedicated page on how, why and where you can adjust your own settings when using our site HERE
Contacting the Regulator
We are registered with the Information Commissioner’s Office so if you think that your data has not been processed correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with them.
You can contact them by calling 0303 123 1113 and our data protection registration number is ZA116252 . Or visit www.ico.org.uk.
Updated 25th October 2019.