Data Protection Policy
European Resuscitation Council vzw
The ERC is ready to meet the challenges of the General Data Protection Regulation (“GDPR”).
Let us explain in a bit more detail...
The ERC relies on the continuous support of the Processors as listed in Attachment (1). The ERC has agreements
with these Processors (art. 28-29 GDPR Regulation) and is supervising that
these Processors comply with the GDPR Regulations.
Neither the Controller, nor the Processor are involved
in selling personal data of their users to third parties.
In order to provide certain contractually agreed
services in the context of the ERC applications, the Processor has recruited
the third party services as listed in Attachment
(2) as Recipients for the given
purposes and may have to share personal data with such third parties. These
third parties are authorised to process personal data for the stated purposes
and within the given limitations.
In case of transfer of personal data to a third
country, such access is only granted upon the adequacy decision of the
Commission or the appropriate or suitable safeguards as specified in art. 45-46
Each registered person can visualise his CoSy data by
logging in on
All suppliers are thoroughly vetted before being
engaged by the ERC for their services. Compliance with applicable data
protection legislation (including GDPR compliance) is included in the vetting
requirements for all such suppliers. The collaboration with suppliers and the
conditions of that collaboration are annually reviewed, including continued
compliance with any applicable legal and regulatory requirements. Collaboration
may be ceased when a supplier no longer meets such requirements.
To the extent permitted by applicable law, the
Controller or the Processor may also disclose your personal data to the
Governmental/regulatory authorities and law
In response to subpoenas, court orders, or other
legal, regulatory or judiciary process; to establish or exercise the legal
rights of the Controller or the Processor; to defend against legal claims; or
as otherwise required by law or binding order.
When the Controller or the Processor believes it is
necessary to investigate, prevent, or take action regarding illegal activities;
to protect and defend the rights, property, or safety of Processors, their
users, or others.
In connection with a corporate transaction, such as
divestiture, merger, consolidation, or asset sale, or in the unlikely event of
With affiliates of the Controller or the Processor.
The Controller or the Processors may ONLY share
aggregated or anonymous information with third parties, including partners,
advertisers and investors.
Data is processed for the legal reason of the
legitimate interests pursued by the ERC
(art. 6, first subparagraph, point (f) GDPR regulation), as listed in the table
During the design process of the applications, the
Controller compiled a data inventory. We intend to acquire and process only the
data that is strictly necessary for fulfilling the purposes described below.
(3) lists the information that can be collected (non-exhaustive list),
and their interests/purposes.
If you wish to consult the detailed data inventory or
wish to acquire more information about the purpose of the data processing
activities, please contact the DPO.
As required by applicable data protection legislation,
the Controller strives to remove your personal data as soon as it is no longer
necessary to accomplish the purpose for which it was originally collected. In
view of this principle, the following retention periods apply (executed on an
- Courses and
certificates data: anonymisation 5 years after the expiry date of a certain
qualification (is kept: country, appraisal result, year of birth, profession).
data: anonymisation 5 years after the last membership date (is kept: country,
year of birth, profession)
data: information older than 10 years is deleted.
- Personal data:
anonymisation 5 years after last login (is kept: country, year of birth,
profession, courses/certificates data (see above), membership data (see
questions: removal 2 years after closing support ticket.
- The data will
be fully removed from the backups within 180 days after the backup.
Please see: Removing your data
The following security measures have been implemented
to help protect personal data processed through our applications against
unauthorized access, alteration, loss, or destruction (non-exhaustive list):
All data is encrypted both at rest and in transit
(check) between the service and your browser.
Personal data is only accessible after logging in with
a personal – unique – username and password.
Passwords are not visible and are neither communicated
via email, nor accessible to any person, including Processor’s staff.
All data is fully backed up.
Our CoSy application offers two factor authentication
Actions in your personal data are logged with the
identity of the person performing the action, the time stamp and the IP
For recipients having access to information they did
not enter themselves, the two factor authentication is mandatory.
We do not provide export facilities of user data to
recipients; only Course Centres are capable of producing an export of course
participants of a certain course with the purpose of shipping course manuals.
In the case of a personal data breach that may be a
risk to your rights and freedoms, the Controller shall also – within 72 hours
after having become aware of it – notify the supervisory authority.
In case of a high risk – and without prejudice to the
provisions of art. 34, paragraph 3 GDPR Regulation - the Controller will notify
you about such personal data breach, with information about the nature, the
likely consequences and a contact point for further information.
● Request information concerning the
processing of your personal data.
● Request the Controller to modify
or correct your personal data if it is wrong.
● Have your personal data erased in
certain circumstances as specified under applicable data protection
● Request the restriction of certain
processing activities in certain circumstances as specified under applicable
data protection legislation.
● Request a copy of all your data in
possession of the Controller and the Processor in a standard format, as well as
request for data portability.
● Withdraw your consent.
For a full review of your rights as Data Subject,
please consult the General Data Protection Regulation.
You can easily exercise any of your rights by
completing and submitting our online form.
reserves the right to charge a reasonable fee in case your request is deemed
excessive at our sole discretion.
CoSy allows Data Subjects to manage the processed
personal data themselves. If you are unable to complete the modifications or
corrections to the data, then you can request the Controller to perform this
action by submitting a request via the support widget in CoSy.
The following procedure will be applied when a request
for removal of data from the Data Subject is presented to the ERC:
Because of the
irreversibility of such action, in order to request a removal of personal data,
the Data Subject must submit such request by logging in on CoSy and include a
copy of their ID/Passport for identification purposes. The Controller may send
an email reply first to check the authenticity of the request.
will assess without undue delay the nature of the request and check which data
need to be removed from which database in accordance with the GDPR
If the personal
data is present in the application, the Controller will remove the personal
data from the database of the application/system and apply the anonymisation
procedures within 30 calendar days following the personal data removal request.
The Controller notifies (by email) the Data Subject about removal within 30
Controller cannot grant the request for removal, the DPO will notify the Data
Subject about such decision and the motivation within 30 days following the
data removal request.
All personal data that you have selected for deletion
will be fully purged from the backups within 180 days.
WARNING: removing personal data may lead to irreversibly
losing any personal link or trace of membership, trainings, certificates or
qualifications. The controller however will keep a printed record of the
request of removal for reasons of proof and Controller’s liability. Such
printed records will not be processed by automated means and neither in a
filing system or with the intention to form part of a filing system, hence the
GDPR regulation does not apply.
A dedicated CoSy page in the Data Subject’s account
gives the possibility to subscribe or unsubscribe individually from the
different newsletters, groups and other communication types. Changes made by
the Data Subject are applied within one week at the latest.
Unsubscribing from emails containing news facts, event
or services provided by the can alternatively be executed by using the
unsubscribe button or hyperlink included in every newsletter or group email.
However, when registered for a course and until the
course is closed administratively, identity and contact details are shared with
the Course Centre. As a Course Centre cannot run a course without the
possibility to contact the participants, this permission is mandatory in order
to register for a course.
(1) lists how a Data Subject can create an overview of all available data
in the Controller’s (Processor’s) systems.
The Data Subject can apply for an export in an
electronic format of his personal data and qualifications, for data portability
purposes. The Controller is not responsible for the format of this data in
order to be uploaded in other systems.
You have the right to withdraw your consent at any
time. However, such withdrawal does not affect the lawfulness of processing
based on consent before its withdrawal.
In case you do not agree with decisions of the
Controller or in other situations, you may lodge a complaint at the Belgian
Or at the supervisory authority of your own country
which can be found on
By accepting this privacy statement and furnishing
personal data via CoSy, you expressly give consent to the Controller to process
the data for the stated purposes.
Only upon your individual consent, the Controller will
pass on specific personal data to third parties. The foregoing also applies to
processing of personal data outside of
the EU, both in countries or recognised and not recognised by the European
Commission to offer adequate data protection. Where required, a data transfer
agreement will be entered into, in accordance with the contractual clauses set
out in EU Commission Decision C(2010)593 Standard Contractual Clauses
(processors) for the purposes of Article 26(2) of Directive 95/46/EC).
Approved by the GPC on 17.05.2018
 Except where such interests are overridden by the interests of
fundamental rights and freedoms of the Data Subject which require protection of
personal data, in particular where the Data Subject is a child.
 But updated
 Described in
art. 55 GDPR Regulation
 Art. 2,
paragraph 1 GDPR Regulation.