In brief: GDPR (General Data Protection Regulation) is the European legal framework governing the processing of personal data. For training organisation managers, school directors and student-records officers, it imposes concrete obligations on the collection, retention and security of learner data: names, attendance records, assessments, contact details. Non-compliance can result in fines of up to 20 million euros or 4% of global annual turnover.
GDPR, or General Data Protection Regulation (in French RGPD, Règlement Général sur la Protection des Données), is a European regulation that came into force on 25 May 2018. It replaces the 1995 Data Protection Directive and harmonises the legislation of all EU member states on the processing of personal data.
Personal data is any information that directly or indirectly identifies a natural person: name, email address, identification number, biometric data, or even a combination of elements that together allow identification. This covers both digital files and paper archives.
GDPR applies to any organisation, regardless of size or country of establishment, whenever it processes data relating to European residents. For training organisations, apprenticeship centres, universities and corporate training departments, this means that all data relating to learners, trainees, employees and trainers is subject to this regulation.
GDPR is built on seven fundamental principles that guide the processing of personal data:
For a training organisation manager, GDPR translates into specific operational obligations:
GDPR is not a purely theoretical constraint. Data protection supervisory authorities across Europe have extensive powers of investigation and sanction.
Two levels of fines are provided:
Beyond fines, supervisory authorities can impose corrective measures such as limiting or suspending data processing, which can paralyse the operations of a training organisation whose core processes rely on non-compliant digital tools.
Learners, trainees and students represent the most sensitive population for training organisations under GDPR. Their data is extensive: identity, contact details, attendance tracking, assessment results, health data in some contexts, training funding information.
Three specific points of attention for training managers:
Edusign was built with GDPR compliance as a core design constraint, not an afterthought. In practice, this translates into several guarantees:
For organisation directors, student-records officers and Data Protection Officers who need to simplify their GDPR compliance while maintaining the traceability required by their funders, Edusign offers a turnkey solution that reduces regulatory risk without adding to the daily burden on teams.
Before GDPR, each EU member state had its own national data protection law, based on a 1995 EU directive. These laws varied between countries and had limited extraterritorial reach. GDPR, which came into force in May 2018, is a directly applicable regulation across all member states, creating a single harmonised framework. It significantly strengthened individuals' rights (erasure, portability, objection) and introduced much higher penalties for non-compliance. It also introduced the concept of accountability: organisations must not only comply, but be able to demonstrate their compliance at any time. For training organisations operating across several European countries, GDPR simplified cross-border compliance considerably.
Appointing a Data Protection Officer (DPO) is mandatory for organisations that process sensitive data at large scale or carry out systematic large-scale monitoring of individuals. For most small and medium-sized training organisations, a DPO is not legally required. However, it is strongly recommended as soon as the organisation manages data for hundreds of learners, uses digital tracking tools (LMS, digital attendance) or processes sensitive data (health, disability). Even without a legal obligation, designating an internal GDPR contact is good practice that facilitates incident management.
Retention periods depend on the nature of the data and its purpose. For professional training-related data, the main periods are as follows. Training agreements and contracts should be retained for 5 years after the end of the training, so that the organisation can respond to funding-body inspections. Attendance sheets and presence certificates are generally kept for 5 years. Data from unsuccessful applications should not be kept for more than 2 years. Login data for digital tools is typically retained for no more than 12 months. Once these periods have elapsed, the data must be deleted or anonymised. It is recommended to formalise these periods in the record of processing activities.
In the event of a data breach (unauthorised access, loss, accidental destruction or disclosure), the training organisation has 72 hours to notify the competent supervisory authority. The notification must describe the nature of the breach, the categories and number of individuals concerned, the probable consequences and the measures taken. If the breach is likely to result in a high risk to the rights and freedoms of the individuals concerned, they must also be informed without undue delay. Good prior organisation (processing register, emergency procedures, identified supervisory authority contacts) considerably reduces response time.
Yes, with specific rules. For learners under 16 (the threshold varies slightly by country, being 15 in France), parental or legal guardian consent is required for any data processing based on consent that is not strictly necessary for delivering the training. From the age of 16, the minor can consent in most cases. For training organisations that enrol minors (vocational schools, apprenticeship centres, certifying programmes for young people), it is essential to integrate this point into enrolment forms and to ensure that the digital tools used (LMS, digital attendance) process minor learners' data in a compliant and secure way.