Privacy Policy
Heartsafety Solutions Data Protection Policy
Scope of Policy
This policy is developed in line with the General Data Protection Regulation (EU) 2016/679, the Irish Data Protection Act 2018, the requirements of the ISO 9001:2015 Quality Management System, and the accreditation frameworks of PHECC and RTITB.
Data Controller Information
HSS Management Ltd trading as Heartsafety Solutions is your data controller for all personal data you enter on this website or provide via other channels. We are committed to protecting your privacy and the safety of your data as described in this privacy policy.
Please read the policy in full, as it sets out the basis for processing of all personal data. We also provide an outline of your rights. We will not process personal data given to us via our website in ways not specified in this Privacy Policy.
Heartsafety Solutions is committed to complying with the General Data Protection Regulation (EU) 2016/679, the Data Protection Act 2018 (Ireland), and relevant sectoral requirements under the Pre-Hospital Emergency Care Council (PHECC), Road Transport Industry Training Board (RTITB), and ISO 9001:2015 accreditation standards.
Responsibilities
- Data Protection Officer (DPO): Manages data protection compliance, responds to data access or deletion requests, and reports breaches.
- Instructors and Assessors: Handle student data securely during and after training. Ensure records for PHECC, RTITB, and IHF are protected and returned as required.
- Office and Admin Staff: Collect, store, and process student and customer data in line with this policy. Ensure paperwork and digital records are handled securely.
- IT Support: Keeps systems secure and ensures data is backed up and protected from unauthorised access.
- All Staff and Contractors: Must follow this policy, protect personal data, and report any concerns or breaches to the DPO.
When We Collect Your Data
We collect and process your personal data in the following cases, if you:
- contact us via our website www.hearts.ie, via a contact form, phone or e-mail
- register to make a purchase via our website
- register for or attend our courses
- visit our website (analytics and necessary data)
- sign up for our newsletter
- purchase a defibrillator (so that we can contact you for maintenance purposes)
- attend a PHECC FAR/CFR training course (email addresses are collected via QR code solely for the purpose of e-certification)
We may also sometimes obtain data from other third parties. If this is the case, we will contact you as a data subject immediately, notifying you that we have received the data.
Which Data We Collect
Depending on the purpose of data collection, we might collect the following data:
- name and surname
- e-mail address
- credit card details (not stored)
- address
- phone number
- health data
- course attendance and related assessments
- cookie data (identifiers, IP addresses)
Legal Basis for Data Processing
- Consent – marketing emails, health data (special category).
- Contract – course registration, certification.
- Legal obligation – compliance with PHECC and RTITB QA.
- Legitimate interest – analytics, defibrillator follow-up.
Data Collection – Specific Cases
This section contains a more detailed description of when, how and why we collect your data, and what we use it for.
When You Contact Us
We will use your contact details in order to respond to your query and better understand your question. Depending on your question, we might forward it to third party experts who will provide you with a quality answer.
When You Make a Purchase
You can register on our website for easy purchasing and cart management. Regardless of registration, when you make a purchase with us, you will have to provide a billing and delivery address to let us know where to deliver the parcel.
Billing details are processed via Stripe payment gateway in accordance with all the relevant laws. We do not have access to such data.
Ongoing Maintenance
We will periodically notify you when we detect that your defibrillator needs periodical maintenance or a battery change as part of our post-purchase customer service. We will use the contact details provided to us during the purchase process.
During Our Courses
Your personal data, such as name, surname, signature, and qualifications, will be processed to better understand our audience, improve our lessons and for certification purposes. Third parties, such as instructors or accreditation bodies (e.g. PHECC, Irish Heart Foundation, IOSH) will also have access to this data in order to provide their services.
Heartsafety Solutions is an Approved Training Institution (ATI) with PHECC and therefore processes personal data in line with obligations under the Pre-Hospital Emergency Care Council (Establishment) Order 2000 and PHECC’s Quality Review Framework. Third parties, such as instructors or accreditation bodies (e.g. the Pre-Hospital Emergency Care Council (PHECC), Irish Heart Foundation, RTITB), may receive student data for certification and quality assurance purposes. Student records are retained for a minimum of 5 years in accordance with these requirements.
Information collected during our courses will be handled and transported securely by our instructors and stored securely once processed for certification. Certification data is only shared with relevant accreditation bodies (like PHECC), and retention is compliant with PHECC QA standards.
When You Visit Our Website
We use analytics cookies that help us better understand what our users are doing, and how, in order to improve our website. For more information, refer to our Cookie Policy. Some data is collected automatically when you visit our website; such data is necessary for the website to function.
When You Sign up for Our Newsletter
We will send you newsletters and periodic communication either with your explicit consent or on the basis of our legitimate interest, if you are an existing customer. We reserve the right to periodically contact our existing customers with offers, news and promotions. You can unsubscribe at any time. We use Constant Contact as our newsletter and contact management system.
Third Party Data
Sometimes, third parties can send us your health data (ECGs) recorded by the defibrillator. Consent is required for such data and must be obtained by these third parties. We will notify you if we receive such data. Third parties send us the data which we forward to manufacturers for the purpose of improving further models of defibrillators.
Data Belonging to Minors
We do not offer our services specifically to children and minors. In case we come into possession of such data, we will demand parental consent or notify the parent of processing.
Data Training
All personnel including instructor faculty undergo mandatory GDPR and data handling training every 3 years.
Data Safety
We keep your data safe by working together with our IT consultants who are responsible for data safety. Any third parties are bound by special agreements guaranteeing data protection at least as adequate as that in this policy. This includes accountants, IT specialists, consultants etc.
Our server is hosted by an Irish company and secured in accordance with modern safety best practices. We hold our servers, data centres and course paperwork in a safe, access-controlled room.
Data Retention Period
Data is only kept for as long as it is necessary. When you contact us by writing/email, we will delete the data within a reasonable time frame after your query. Most contact details are deleted after 2 years, but you can demand we delete the data sooner, along with other rights outlined below. Training and certification records may be retained for up to 5 years or longer, where required by accreditation bodies such as PHECC.
Retention of training and certification records aligns with sectoral requirements. For example, student records related to PHECC-accredited programmes are retained for a minimum of 5 years as required by the PHECC Quality Review Framework. RTITB-accredited training records are maintained in accordance with RTITB's certification and audit standards.
When you purchase a defibrillator from us, we will periodically notify you when your defibrillator needs maintenance or battery replacement. You can demand that we stop with this processing at any time.
Your Other Rights
You have the following rights when it comes to your personal data:
- The right to access: You can request at any time that we provide access to your personal data.
- The right to rectification: You can make a request to update your personal data, as long as you provide the correct data.
- The right to erasure: You can demand deletion of your personal data if:
  - the data is processed unlawfully
  - we use your data for direct marketing
  - there is no legal basis to retain your data
  - there is a legal obligation to delete it
  - you withdraw your consent
- The right to restrict processing: You can demand that we stop processing your personal data at any time on reasonable grounds. This does not apply if we are required to process or store your personal data by law.
- The right to portability: Upon your request, we will give you a copy of your data or transfer the data to another controller of your choice.
- The right to withdraw consent: We will stop processing your personal data and delete it immediately, unless required by law to continue processing it.
You can object to our processing of your personal data at any time. We will stop the processing in that case, while we determine whether our legitimate interests outweigh the risks to your freedoms and security. We will never process your personal data if the impact on your security and freedom outweighs our legitimate interests, unless you give us explicit consent or if we are required by law to do so.
We will respond to your requests within a month. We will notify you if we need more time (up to two additional months) to process your request.
Data Breach Procedures
A personal data breach refers to a variety of data security incidents that may occur during everyday business operation. It comprises a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to your personal data stored with us.
In case we experience a data breach, we will report the breach to the supervisory authority within 72 hours at most. We will provide all the necessary information as soon as it becomes available.
We will not notify you of a breach if:
- the data in question was stored using adequate technical and organisational measures (such as encryption or anonymisation), which means your data is unreadable even if stolen
- we took subsequent measures ensuring that a high-risk breach is unlikely
- it would involve disproportionate effort. In this case we will notify you via public communication or in a similar equally effective manner.
Lodging a Complaint
At any time, but especially if you feel we cannot solve a dispute in an amicable way or believe we have infringed upon your rights, you have the right to lodge a complaint with the Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland; or via email [email protected] and phone at +353 (0761) 104 800.
If you are a resident of an EU member state, you can also lodge a complaint with your local supervisory authority which will forward your complaint.
Data Protection Officer
If you wish to exercise your rights or have any other questions, please contact your Data Protection Officer. Their name and contact information are as follows:
Liz Donohoe [email protected]
Legislation & Industry Reference
- GDPR (Regulation (EU) 2016/679)
- Data Protection Act 2018 (Ireland)
- PHECC Establishment Order 2000 (S.I. No. 109/2000)
- Electronic Commerce Act 2000 (for marketing)
- ISO 9001:2015 for quality assurance framework
- RTITB Quality Assurance Criteria
Related Policies, Procedures and Systems
- Records Retention Policy
- Cookie & Website Privacy Policy
- Learning Management System