GDPR Commitment

Last updated: 17 February 2026

1. Our commitment

Code Strategy Limited (Company No. 16243141), trading as CertCard, is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take data protection seriously and have implemented measures to ensure the personal data we process is handled lawfully, fairly, and transparently.

2. Our role

2.1 As a data controller

We act as a data controller when processing data for our own purposes, such as managing your account, processing payments, and communicating with you. Full details are in our Privacy Policy.

2.2 As a data processor

When your organisation uses CertCard to manage employee certifications and ID cards, your organisation is the data controller and we act as a data processor. We process employee data only in accordance with your organisation’s instructions and applicable data protection law.

We offer a Data Processing Agreement (DPA) to all customers. Contact privacy@certcard.net to request a copy.

3. Data protection principles

We adhere to the core data protection principles:

  • Lawfulness, fairness, and transparency – we process personal data lawfully with clear and honest communication about how data is used.
  • Purpose limitation – data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data minimisation – we collect only the data that is necessary for the purposes for which it is processed.
  • Accuracy – we take reasonable steps to ensure personal data is accurate and kept up to date.
  • Storage limitation – data is kept only for as long as necessary for the purposes for which it was collected.
  • Integrity and confidentiality – we implement appropriate security measures to protect personal data against unauthorised access, loss, or destruction.
  • Accountability – we can demonstrate compliance with all of the above principles.

4. Your rights

The UK GDPR provides the following rights to individuals. We are committed to facilitating these rights:

  • Right of access – you can request a copy of all personal data we hold about you. We will respond within one month.
  • Right to rectification – you can request correction of inaccurate or incomplete personal data.
  • Right to erasure – you can request deletion of your personal data where there is no compelling reason for its continued processing.
  • Right to restrict processing – you can request that we limit how we use your data in certain circumstances.
  • Right to data portability – you can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object – you can object to processing based on legitimate interests or for direct marketing purposes.
  • Rights related to automated decision-making – we do not currently make decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, email privacy@certcard.net. We will respond within one calendar month. In complex cases, we may extend this by up to two further months, and will inform you of any such extension.

5. Technical and organisational measures

We have implemented the following measures to protect personal data:

  • Encryption of data in transit (TLS 1.2+) and at rest.
  • Role-based access controls ensuring staff can only access data relevant to their role.
  • Regular security assessments and vulnerability scanning.
  • Secure hosting with UK/EEA-based infrastructure providers.
  • Automated backups with encryption.
  • Incident response procedures for identifying and responding to data breaches.
  • Staff training on data protection and information security.

6. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  • Notify your organisation (as data controller) without undue delay where we are processing data on its behalf.
  • Document all breaches and remedial actions taken.

7. Sub-processors

We use carefully selected sub-processors to help deliver the Service. All sub-processors are bound by data processing agreements and are required to implement appropriate security measures. We maintain a list of current sub-processors and will notify customers of any changes.

To request our current sub-processor list, contact privacy@certcard.net.

8. International transfers

We primarily store and process data within the UK and EEA. Where transfers outside these regions are necessary, we rely on appropriate safeguards such as:

  • UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs).
  • Adequacy decisions by the UK Government or European Commission where applicable.

9. Supervisory authority

Our lead supervisory authority is the UK Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

10. Contact us

For any data protection enquiries or to exercise your rights, contact us at:

Code Strategy Limited (trading as CertCard)
Email: privacy@certcard.net
Registered in England & Wales, Company No. 16243141