Processing of personal data

Personal data is any data that allows a person to be identified (see the definition in section 4 of the Personal Data Protection Act). Processing of personal data is any act performed with personal data (see section 5 of the Personal Data Protection Act). Personal data is processed and maintained at the Emergency Response Centre in accordance with the procedure and requirements established by law. Upon processing of personal data, we are guided by the European Union General Data Protection Regulation (GDPR), the Personal Data Protection Act,  the Public Information Act, and other relevant legislation.

Processing of personal data to perform the tasks of the Emergency Response Centre

The functions of the Emergency Response Centre include responding and processing the information received via an emergency call (112) or other manner, providing the Emergency Response Centre and the emergency care provider with the risk assessment and dispatch order for rescue work, explosives removal, and provision of emergency medical care, as well as forwarding information to the Police and Border Guard Board (subsection 5 (1¹) of the Rescue Act). Upon performing tasks, personal data, including sensitive personal data, is collected and processed (see the definition in section 4 of the Personal Data Protection Act):

• the name and telephone number of the emergency contact person;
• the data of the person in need (for example, name, sex, age, personal identification code);
• the reason of the need;
• the address of the scene of an event;
• other information about a person obtained in the course of processing the emergency notice.

The emergency calls received at the Emergency Response Centre are recorded and the content of an emergency notification is stored in the information system for management of emergency notifications.

Transfer of personal data to another authority or person

The Emergency Response Centre records the information collected during the processing of emergency notifications and forwards it to the ambulance crew and rescue team with a dispatch order, and provides the operational information service of the Police and Border Guard Board with the information on a police event. Personal data will only be transferred to another authority or person if there is a legitimate right and need to do so.

Applying for a position at the Emergency Response Centre

The documents related to the application contain personal data, which is processed by the public servants employed in the corresponding positions. Other public servants of the Emergency Response Centre have no access to the personal data of candidates. 

According to the Rescue Service Act (section 7²) the candidate for the position of a rescue servant provides the Emergency Response Centre with a personal form that contains additional data about his or her close ones. The Emergency Response Centre also consults the national and local government authorities, as well as natural and legal persons to verify the data submitted in the personal form.

All documents related to the person’s candidacy have restriction on access. Information about the person’s participation in the application is also not disclosed. Information about appointing a candidate is public. The candidate has the right to know what information the Emergency Response Centre has collected about him or her; he or she is also entitled to consult such data and provide his or her own explanations.

Personal data in correspondence

Information about correspondence with the Emergency Response Centre is available on the website of the Emergency Response Centre in the public document register according to the Public Information Act. Based on the public view of the document register, it is not possible to identify a natural person, only the initials or the word “private person” have been published.

Personal data (for example, name and contact details, description of a person related problem, etc.) contain requests for explanation, memoranda, requests for information, and other inquiries submitted by natural persons. Personal data may also be included in a letter received from another authority (for example, a copy of the response to the person’s inquiry).

The requests and inquiries from people are registered in an electronic document management system, and these are recognised as information with restriction on access. Personal data is stored electronically in the document management system and used only to respond to inquiries. If it is required to communicated with a third party to reply to an inquiry, personal data will be published in the least necessary amount.

If a third person requests to consult the correspondence between a natural person and the Emergency Response Centre and submits the corresponding request for information, it will be reviewed and decided whether the requested document can be issued partially or fully. Restriction on access depends on the contents of the document. Possible principles for restriction on access are provided in section 35 of the Public Information Act.

Despite restriction on access, we issue a document to an authority or a person having a direct statutory right to request it (for example, investigative body, body conducting extra-judicial proceedings or court).

The Emergency Response Centre uses email, and simple and registered post to send letters. In certain cases, an email sent to a natural person may be encrypted or contain encrypted documents to protect the recipient’s personal data. The recipient’s personal identification code is required for encryption, and it is requested, if necessary. Encryption software, ID-card, ID-card reader are required to open encrypted documents. See instructions here.

Rights of a person when accessing information concerning him or her

• Everyone has the right to access information that has been collected about him or her. Disclosed personal data can be viewed on the website, or it is possible to submit a request for information to obtain such data. If possible, information will be sent to the requesting party in a requested form within 5 working days of registering the request for information.
• In order to send personal data to a private person, the Emergency Response Centre should establish the identity of the requesting party.
• The Emergency Response Centre does not issue personal data to a requesting party if it is not possible to rule out the issue of data of other persons for the processing of which the requesting party does not have a legal basis.
• Everyone has the right to request the correction of incorrect personal data concerning him or her by submitting the corresponding application.
• Every person has the right to file a complaint or challenge to the Data Protection Inspectorate on the processing of personal data in the Emergency Response Centre, or file a petition with an administrative court.

Preservation of personal data

• The content of medical, rescue, and police emergency messages is preserved in the information system for management of emergency notifications for three years according to subsection 8 (1) of the establishment of a database for the handling of emergency communications and the statutes for maintenance of the database. According to subsection 2 of the same section, the data is stored in the database in a personalised form for one year, after which the data is unpersonalised.
• The recordings of emergency calls will be preserved for one year.
• The data of non-selected candidates will be stored to the extent of the contestation term (one year).
• The data of the next best candidate in order to make a proposal to assume office will be preserved for 150 days of the moment the person who has been selected receives the proposal to assume office.
• In order to make a proposal for participation in a future competition with the candidate’s consent.
• Employment contracts, personal forms, and other staff data will be stored according to the requirements provided by law.
• The correspondence with persons is generally stored at the Emergency Response Centre for a period of five years or until the term established in legislation.

After the retention period expires, the documents/data will be deleted or destroyed.

Personal data breach

If the Emergency Response Centre identifies a personal data breach that is likely to endanger the rights and freedoms of natural persons, the Data Protection Inspectorate will be immediately informed and measure will be taken to promptly bring such violation to an end.

If a personal data breach may result in a serious risk to a person, the person will be informed so that he or she can take mitigation measures soothing the situation.

Visiting the website of the Emergency Response Centre

When you visit the website of the Emergency Response Centre, the following data is collected for statistical purposes:

• the Internet address (IP-address) of a computer or computer network that is not associated with information identifying a person;
• the name and address of the Internet service provider or a computer or computer network;
• the date and time of visit;
• the parts of website you visit.

Visiting the buildings of the Emergency Response Centre

Upon entering the buildings of the Emergency Response Centre, the security guard asks the visitor to present an identity document to establish his or her identity and issue an access card. The person’s name, personal identification code, and the document number will be entered in an electronic database, which can only be accessed by security service.