Data Processing Agreement (DPA)
Last updated: 12 January 2026
This Data Processing Agreement (“Agreement”) forms part of the contractual relationship between CPDCert.co.uk and its customers (“Controllers”) and governs the processing of personal data under the UK General Data Protection Regulation (UK GDPR).
1. Parties
1.1 Data Processor
Andrew Slater
Sole Trader
Trading as CPDCert.co.uk
(“Processor”)
1.2 Data Controller
Any organisation or individual using CPDCert.co.uk to manage CPD events, attendance, and certificates
(“Controller”)
2. Purpose of this agreement
This Agreement ensures compliance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
It sets out the responsibilities of the Processor when processing personal data on behalf of the Controller.
3. Definitions
- Personal Data – any information relating to an identified or identifiable natural person.
- Processing – any operation performed on Personal Data (e.g. collection, storage, transmission).
- Data Subject – an individual whose Personal Data is processed (e.g. CPD attendees).
- Services – the CPDCert platform and associated features.
4. Subject matter and duration
4.1 Subject matter
Processing of Personal Data for the purpose of:
- Managing CPD events
- Recording attendance
- Generating and emailing CPD certificates
- Audit and compliance record-keeping
4.2 Duration
Processing will continue for the duration of the Controller’s use of the Services, unless otherwise required by law.
5. Nature and purpose of processing
The Processor processes Personal Data solely to:
- Deliver the Services as instructed by the Controller
- Maintain platform security and integrity
- Provide customer support
- Meet legal and regulatory obligations
The Processor does not process Personal Data for its own independent purposes.
6. Categories of data subjects
Personal Data may relate to:
- CPD event attendees
- Organisation users
- Administrative users
7. Categories of personal data
Depending on usage, this may include:
- Name
- Email address
- GOC number (where provided)
- Event attendance records
- Certificate issuance records
- Audit timestamps
The Processor does not intentionally process special category data.
8. Controller obligations
The Controller warrants that:
- It has a lawful basis for processing Personal Data
- It has provided appropriate privacy information to Data Subjects
- It has obtained any required consents
- Instructions given to the Processor comply with UK GDPR
9. Processor obligations
9.1 Act on instructions only
Process Personal Data only on documented instructions from the Controller.
9.2 Confidentiality
Ensure persons authorised to process Personal Data are bound by confidentiality obligations.
9.3 Security
Implement appropriate technical and organisational measures to protect Personal Data, including:
- Encrypted connections (HTTPS)
- Secure authentication and session handling
- Access controls
- Regular platform updates
9.4 Data subject rights
Assist the Controller in responding to requests relating to:
- Access
- Rectification
- Erasure
- Restriction
- Data portability
9.5 Personal data breaches
Notify the Controller without undue delay upon becoming aware of a Personal Data breach.
10. Sub-processors
The Controller authorises the use of sub-processors necessary to deliver the Services, including but not limited to:
- Cloud hosting providers
- Email delivery services
The Processor ensures sub-processors provide sufficient guarantees of UK GDPR compliance.
A current list of sub-processors is available upon request.
11. International transfers
Where Personal Data is transferred outside the UK:
- Appropriate safeguards are in place (e.g. adequacy decisions or standard contractual clauses)
- Transfers are limited to what is necessary to provide the Services
12. Data retention and deletion
Upon termination of Services, the Processor will:
- Retain data only as required by law or for legitimate audit purposes
- Delete or anonymise Personal Data upon request where reasonably practicable
13. Audits and compliance
The Processor shall:
- Make available information necessary to demonstrate compliance
- Allow reasonable audits by the Controller, subject to notice and proportionality
14. Liability
Each party shall be liable for its own breaches of data protection law.
Nothing in this Agreement limits liability where prohibited by law.
15. Governing law
This Agreement is governed by the laws of England and Wales.
16. Contact details
For data protection matters, contact:
Andrew Slater
Owner – CPDCert.co.uk
17. Acceptance
By using CPDCert.co.uk, the Controller confirms acceptance of this Data Processing Agreement.