ComplianceUpdated 29 Jun 20261 min read

GDPR and Training Certificates: What Organizations Should Document

Certificate platforms process personal data. Here is what training providers should document.

GDPR and training certificates intersect whenever you store learner names, emails, and completion records. Training providers are typically data controllers; your certificate platform acts as a processor when generating and delivering credentials.

What personal data is involved

Recipient names, email addresses, course titles, issue dates, and verification logs may all qualify as personal data under GDPR.

Controller and processor roles

Your organization decides why data is collected and how long it is kept. Certify.App processes that data on your instructions when creating PDFs, sending email, and logging verification events.

Documentation checklist

Maintain a Data Processing Agreement, publish retention periods, and honor deletion requests through your privacy policy and support process.

Practical next steps

Review Certify.App privacy documentation and DPA at usecertify.app/dpa before issuing certificates to EU learners. Document your lawful basis and retention schedule internally.