Data Protection & Privacy Policy
Last updated: 12 January 2026
1. Introduction
This Data Protection & Privacy Policy explains how personal data is collected, used, stored, and protected when using CPDCert.co.uk (the “Service”).
CPDCert.co.uk is owned and operated by Andrew Slater, a UK-based sole trader.
I am committed to handling personal data lawfully, fairly, transparently, and securely in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy applies to:
- Organisations using the CPDCert platform
- Organisation users (administrators)
- Event attendees
- Visitors to the website
2. Data controller
For the purposes of UK data protection law, the data controller is:
Andrew Slater
Sole Trader – CPDCert.co.uk
United Kingdom
For any data protection enquiries, you may contact me via the CPDCert website.
3. Lawful basis for processing
Personal data is processed under one or more of the following lawful bases:
- Contract – to provide CPD event and certificate services
- Legitimate interests – to manage events, attendance, certificates, and audits
- Legal obligation – where CPD, regulatory, or record-keeping requirements apply
- Consent – where required (for example, optional communications)
4. Personal data collected
4.1 Organisation users
The following data may be collected:
- Name
- Email address
- Organisation name
- Login credentials (passwords are securely hashed)
- Login activity and IP address
4.2 Event attendees
The following data may be collected:
- First name and surname
- Email address
- GOC number or equivalent professional identifier (where applicable)
- Event attendance records
- Quiz responses and results (for quiz-based CPD events)
- Certificate issuance details
4.3 Event and audit data
- Event name, date, location, format, and CPD points
- Attendance logs uploaded by organisations
- Certificate generation metadata
- Email delivery and audit history
4.4 Technical data
- IP address
- Browser and device information
- Date and time of access
- System and security audit logs
5. How personal data is used
Personal data is used to:
- Register and administer CPD events
- Record attendance
- Generate CPD certificates
- Email certificates to attendees
- Provide audit evidence for CPD compliance
- Maintain platform security and integrity
- Monitor system usage and performance
Personal data is never sold and is not used for marketing or advertising purposes.
6. CPD and audit retention
CPD records may need to be retained for professional, regulatory, or legal audit purposes.
Unless otherwise agreed with an organisation:
- CPD event and certificate records may be retained for up to 7 years
- Attendance logs form part of the CPD audit trail
- Organisations remain responsible for determining their own regulatory retention obligations
7. Data sharing
Personal data is only shared where necessary and appropriate.
7.1 Service providers
Trusted third-party service providers are used for:
- Cloud hosting
- Secure data storage
- Email delivery
These providers act as data processors and are contractually required to comply with UK GDPR.
7.2 Legal disclosure
Personal data may be disclosed where required by law or by a competent regulatory authority.
8. International data transfers
Data is primarily processed within the United Kingdom and the European Economic Area (EEA).
Where data is transferred outside the UK or EEA (for example, through cloud infrastructure), appropriate safeguards such as Standard Contractual Clauses are in place.
9. Data security
Appropriate technical and organisational measures are in place to protect personal data, including:
- Encrypted connections (HTTPS)
- Secure cloud infrastructure
- Role-based access controls
- Password hashing
- Audit logging
- Continuous monitoring
While every effort is made to protect personal data, no system can be guaranteed to be completely secure.
10. Individual rights
Under UK GDPR, individuals have the right to:
- Access their personal data
- Request correction of inaccurate data
- Request erasure of data (where legally permitted)
- Restrict processing
- Object to processing
- Request data portability
- Withdraw consent (where applicable)
Requests should normally be made via the organisation that collected the data, or directly via CPDCert where appropriate.
11. Responsibilities of organisations
Organisations using CPDCert are typically the data controllers for attendee data.
They are responsible for:
- Informing attendees how their data is processed
- Ensuring a lawful basis for collecting attendee data
- Responding to data subject requests relating to their events
Andrew Slater (CPDCert) acts as a data processor on behalf of organisations.
12. Cookies
CPDCert uses essential cookies only, including cookies required to:
- Maintain secure login sessions
- Protect against unauthorised access
No tracking, profiling, or advertising cookies are used.
13. Children’s data
The Service is not intended for use by individuals under the age of 16.
Personal data relating to children is not knowingly collected.
14. Changes to this policy
This policy may be updated from time to time. The most current version will always be available on the CPDCert website and will include the revision date at the top of the page.
15. Complaints
If you believe your personal data has been handled incorrectly, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
Website: https://www.ico.org.uk
16. Contact
For any data protection questions or requests, please contact:
Andrew Slater
Owner – CPDCert.co.uk