DATA PROTECTION POLICY
ARTICLE 1. PREAMBLE
This personal data protection policy (“Privacy Policy”, hereinafter the “Policy”) applies to data collected and processed in connection with the “Staying Alive LU” application (the “Application”).
The Application is developed by FDBS‑STAYING ALIVE, a French single‑member limited liability company (SARLU), with registered office at 57, rue du Docteur Blanche, F‑75016 Paris (France), registered in the French National Business Register under number 840 498 406.
The Application is promoted by the public establishment Corps grand‑ducal d’incendie et de secours (“CGDIS”), established with registered office at 3, boulevard de Kockelscheuer, L‑1821 Luxembourg, registered in the Luxembourg Trade and Companies Register under number J64, represented by its current board of directors.
ARTICLE 2. DEFINITIONS
ALERT: means the message by which a User is notified of the need to intervene nearby in the context of an Incident before the arrival of the Public Emergency Services.
APPLICATION: means the software developed by FDBS‑Staying Alive, named Staying Alive LU, and available via the Apple App Store and Google Play Store.
CARDIAC FIRST RESPONDER (CFR): means Users registered as volunteer collaborating responders, with or without specific qualifications, who are alerted by the Application to intervene in emergency situations.
UNTRAINED CARDIAC FIRST RESPONDER: means registered Users guided to the nearest defibrillator with a timed route in order to bring it to the victim.
TRAINED CARDIAC FIRST RESPONDER: means registered Users trained in first aid, alerted to intervene and perform chest compressions until the arrival of the Public Emergency Services.
CGDIS: means the Corps grand‑ducal d’incendie et de secours, a public establishment established at 3, boulevard de Kockelscheuer, L‑1821 Luxembourg, registered in the Luxembourg Trade and Companies Register under number J64.
CNPD: means the Luxembourg independent public authority Commission nationale pour la protection des données (National Commission for Data Protection).
ACCOUNT: means each User’s personal account enabling sign‑in, modification of information and access to the Services.
DATA SUBJECT’S CONSENT: a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to processing.
CONTRIBUTOR: means Users of the Application who contribute to mapping AEDs.
CSU or CSU‑112: means the 112 Emergency Services Control Centre.
AED: automated external defibrillators used in the event of cardiac arrest.
PERSONAL DATA: any information relating to an identified or identifiable natural person.
FDBS‑STAYING ALIVE: the French single‑member limited liability company FDBS‑STAYING ALIVE.
CREDENTIALS: personal access codes enabling the User to authenticate to the Application.
INCIDENT: cardiac arrest reported to the CSU resulting in the dissemination of an Alert.
RESTRICTION OF PROCESSING: marking of stored data with the aim of limiting their future processing.
PROFILING: automated processing to evaluate certain personal aspects.
REGULATION or GDPR: Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data.
CONTROLLER: the person or body which determines the purposes and means of Processing.
PUBLIC EMERGENCY SERVICES: CSU / Ambulance / SAMU / Police / Firefighters.
SERVICES: all features offered by the Application.
PROCESSOR: a body which processes personal data on behalf of the Controller.
THIRD PARTY: any person or body other than the Data Subject, the Controller and the Processor.
PROCESSING: any operation performed on personal data.
USER / DATA SUBJECT: any person accessing the Application whose data are processed.
PERSONAL DATA BREACH: a security breach leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
ARTICLE 3. ROLES AND RESPONSIBILITIES
The Controller of the Personal Data collected in the course of visiting and using the Application’s Services is FDBS‑Staying Alive.
The purpose of the Application is to reduce mortality linked to cardiac arrest by facilitating rapid intervention by emergency services, connecting Cardiac First Responders with the Public Emergency Services, improving access to AEDs and raising Users’ awareness of first‑aid measures.
ARTICLE 4. INFORMATION ON PERSONAL DATA PROCESSED
Personal data provided by the User
All data concerning the Data Subjects are collected directly from them via registration forms in the Application, in accordance with the registration procedure described in the Application’s Terms of Use.
FDBS‑Staying Alive undertakes to inform every User of the modalities of Processing of his or her Personal Data and of his or her rights in this respect.
Personal data collected automatically
Technical information: device model, operating system, IP address, system language, service/diagnostics/performance data, user identifier.
Location information: GPS data when location is enabled (settings via Android/Apple).
Purposes of the Processing of Personal Data
The Personal Data collected are used exclusively to provide the Services, in particular to enable the intervention of Cardiac First Responders (CFR) in the event of a medical emergency.
FDBS‑Staying Alive collects and processes only the data that are strictly necessary (data minimisation principle, Art. 5(1)(c) GDPR).
Processing operations performed
- Creation of a “Contributor” User Account.
- Creation of an “Untrained Cardiac First Responder” User Account.
- Creation of a “Trained Cardiac First Responder” User Account.
- Requesting the intervention of CFRs at the request of the Public Emergency Services (use of geolocation). Only the most recent location data are retained, for a maximum of fifteen (15) days.
- Collection of logs to improve the stability of the Application.
- Post‑mission report, retained for an indefinite period.
Legal bases
- Consent of the Data Subjects.
- Performance of a contract or pre‑contractual measures taken at the data subject’s request.
- Compliance with a legal obligation.
- Legitimate interests, task carried out in the public interest or in the exercise of official authority.
Types of Personal Data processed
Contributor: first name, email address — deletion upon Account closure or after 18 months of inactivity.
Cardiac First Responder: identity (surname, given name(s)), date of birth, email, postcode, telephone number, skills/training (for trained CFRs) — deletion upon Account closure or after 18 months of inactivity.
Geolocation: only the latest position is retained and is deleted after 15 days without further communication.
Logs: IP address, device brand, OS version, Application configuration, date/time — retained for a maximum of 24 months.
DATA RETENTION TERMS AND DURATION
Hosting
All personal data collected in the Application are hosted in Europe by Amazon Web Services EMEA S.à r.l.
Retention periods
- Qualification data / Contributor / CFR accounts: until Account closure or 18 months of inactivity.
- Latest location data: maximum of 15 days.
- Intervention reports: indefinite period.
- Logs: until correction and at most 24 months.
ARTICLE 5. SHARING AND DISCLOSURE OF PERSONAL DATA
The main recipients are the staff and service providers of FDBS‑Staying Alive and CGDIS. The data may be disclosed, strictly as necessary, to professional and volunteer firefighters, authorised personnel and processors acting within their remit.
No disclosure to commercial or advertising actors.
Possible disclosures: public authorities (where provided for by law), transmission of intervention reports to CGDIS and authorities, compliance with legal obligations / defence of rights / security, associated entities, third‑party providers (technical support, QA, email delivery, analytics) with GDPR‑compliant contractual safeguards.
Data Protection Officer (DPO): the managing director of FDBS‑Staying Alive in office.
ARTICLE 6. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Measures implemented: strict access management, hosting in Europe (AWS), systematic encryption of connections between the Application and the servers.
Limitations: it is not possible to guarantee absolute protection. No liability in the event of user fault, hosting provider failure or incident attributable to a processor.
ARTICLE 7. USERS’ RIGHTS
Right to withdraw consent
May be exercised at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Right of access
Access to data and to the information listed in Article 15 GDPR.
Right to rectification
Rectification of inaccurate data and completion of incomplete data (Art. 16 GDPR).
Right to erasure
Erasure in accordance with Article 17 GDPR, subject to legal exceptions (freedom of expression, legal obligations, public health, research, justice).
Right to restriction
Restriction in the cases provided for in Article 18 GDPR.
Right to data portability
To receive / transmit the data in a structured, commonly used and machine‑readable format, where applicable.
Right to object
To object to processing based on Article 6(1)(e) or (f), unless there are compelling legitimate grounds or for the establishment, exercise or defence of legal claims.
Automated decision‑making and profiling
Right to obtain human intervention, to express one’s point of view and to contest a decision (Art. 22 GDPR), where applicable.
Fate of data after death
Possibility to define instructions; failing that, destruction unless evidential necessity or legal obligation.
ARTICLE 8. ASSISTANCE AND CONTACT
For any question or complaint concerning this Policy or Processing practices, or to report a security breach:
- E‑mail: contact@stayingalive.org ; juridique@cgdis.lu
Response in principle within one month.
CNPD complaint: 15, Boulevard du Jazz L‑4370 Belvaux — online form: cnpd.public.lu