GDPR and Training Certificates: What Organizations Should Document
Certificate platforms process personal data. Here is what training providers should document.
GDPR and training certificates intersect whenever you store learner names, emails, and completion records. Training providers are typically data controllers; your certificate platform acts as a processor when generating and delivering credentials.
What personal data is involved
Recipient names, email addresses, course titles, issue dates, and verification logs may all qualify as personal data under GDPR.
Controller and processor roles
Your organization decides why data is collected and how long it is kept. Certify.App processes that data on your instructions when creating PDFs, sending email, and logging verification events.
Documentation checklist
Maintain a Data Processing Agreement, publish retention periods, and honor deletion requests through your privacy policy and support process.
Practical next steps
Review the Certify.App privacy documentation and DPA at usecertify.app/dpa before issuing certificates to EU learners. Document your lawful basis and retention schedule internally.