Heartsafety Solutions Data Protection Policy
Policy Number: HS001
Policy Name: Data Protection Policy
Data Controller Information
Any third parties that process your data do it on our behalf and are also bound to provide the same level of protections and rights as Heartsafety Solutions.
When We Collect Your Data
We collect and process your personal data in the following cases, if you:
- Contact us via our website www.hearts.ie, via a contact form, phone or e-mail
- register to make a purchase via our website
- register for our courses
- visit our website (analytics and necessary data)
- sign up for our newsletter
- purchase a defibrillator, to contact you for maintenance purposesWe may also sometimes obtain data from other third parties. If this is the case, we will contact you as a data subject immediately, notifying you that we have received the data.
Which Data We Collect
Depending on the purpose of data collection, we might collect the following data:
- name and surname
- e-mail address
- credit card details
- phone number
- health data
- course attendance and related assessments
- cookie data (identifiers, IP addresses)
Data Collection – Specific Cases
This section contains a more detailed description of when, how and why we collect your data, and what we use it for.
When You Contact Us
We will use your contact details in order to respond to your query and better understand your question. Depending on your question, we might forward it to third-party experts who will provide you with a quality answer.
When You Make a Purchase
You can register on our website for easy purchasing and cart management. Regardless of registration, when you make a purchase with us, you will have to provide a billing and delivery address to let us know where to deliver the parcel.
Billing details are processed via Stripe payment gateway in accordance with all the relevant laws. We do not have access to such data.
We will periodically notify you when we detect that your defibrillator needs periodical maintenance or a battery change as part of our post-purchase customer service. We will use the contact details provided to us during the purchase process.
During Our Courses
Your personal data, such as name, surname, signature, and qualifications, will be processed to better understand our audience, improve our lessons and for analytics purposes. Third parties, such as instructors, will also have access to this data in order to provide their services.
When You Visit Our Website
When You Sign up for Our Newsletter
We will send you newsletters and periodic communication either with your explicit consent or on the basis of our legitimate interest, if you are our existing customer. We reserve the right to periodically contact our existing customers with offers, news and promotions. You can unsubscribe at any time. We use Constant Contact as our newsletter and contact management system.
Third Party Data
Sometimes, third parties can send us your health data (ECGs) recorded by the defibrillator. Consent is required for such data and must be obtained by these third parties. We will notify you if we receive such data. Third parties send us the data which we forward to manufacturers for the purpose of improving further models of defibrillators.
Data Belonging to Minors
We do not offer our services specifically to children and minors. In case we come into possession of such data, we will demand parental consent or notify the parent of processing.
We keep your data safe by working together with our IT technicians who are responsible for data safety. Any third parties are bound by special agreements guaranteeing data protection at least as adequate as those in this policy. This includes accountants, IT specialists, consultants etc.
Our server is hosted by an Irish company and secured in accordance with modern safety best practices. We hold our servers and data centres in a safe, access-controlled room.
Data Retention Period
We generally keep your data only for as long as it is necessary. When you contact us, we delete the data within a reasonable time frame after your query. Most contact details are deleted after 2 years, but you can demand we delete the data sooner, along with other rights outlined below.
When you purchase a defibrillator from us, we will periodically notify you when your defibrillator needs maintenance or battery replacement. You can demand that we stop with this processing at any time.
Your Other Rights
You have the following rights when it comes to your personal data:
- The right to access: You can request at any time that we provide access to your personal data.
- The right to rectification: You can make a request to update your personal data, as long as you provide the correct data.
- The right to erasure: You can demand deletion of our personal data if:
- the data is processed unlawfully
- we use your data for direct marketing
- there is no legal basis to retain your data
- there is a legal obligation to delete it
- you withdraw your consent
- The right to restrict processing: You can demand that we stop processing your personal data at any time on reasonable grounds.
- This does not apply if we are required to process or store your personal data by law.
- The right to portability: Upon your request, we will give you a copy of your data or transfer the data to another controller of your choice.
- The right to withdraw consent: We will stop processing your personal data and delete it immediately unless required by law to continue processing it.
You can object to our processing of your personal data at any time. We will stop the processing in that case, while we determine whether our legitimate interests outweigh the risks to your freedoms and security.
We will never process your personal data if the impact on your security and freedom outweighs our legitimate interests unless you give us explicit consent or if we are required by law to do so.
We will respond to your requests within a month. We will notify you if we need more time (up to two additional months) to process your request.
Data Breach Procedures
A personal data breach refers to a variety of data security incidents that may occur during everyday business operation. It comprises a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to your personal data stored with us.
In case we experience a data breach, we will report the breach to the supervisory in 72 hours at most. We will provide all the necessary information as soon as it becomes available.
We will not notify you of a breach if:
- data in question was stored using adequate technical and organisational measures (such as encryption or anonymization), which means your data is unreadable even if stolen
- if we took subsequent measures ensuring that a high-risk breach is unlikely
- if it would involve a disproportionate effort. In this case, we will notify you via public communication or in a similar equally effective manner.
Lodging a Complaint
At any time, but especially if you feel we you cannot solve a dispute in an amicable way or believe we have infringed upon your rights, you have the right to lodge a complaint with the Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland; or via email [email protected] and phone at +353 (0761) 104 800.
If you are a resident of an EU member state, you can also lodge a complaint with your local supervisory authority which will forward your complaint.
Data Protection Officer
If you wish to exercise your rights or have any other questions, please contact your Data Protection Officer. Their name and contact information are as follows:
Liz Donohoe [email protected]