Engaging in any new activity entails considerations around the processing and storage of personal data. Adherence to the General Data Protection Regulation (GDPR) – or in the case of European Digital Credentials for Learning (EDC) the EUDPR (i.e., the data protection Regulation applicable to EU institutions, agencies and other bodies) –, has become a given. In this context, institutions need to investigate how integrating new digital tools into their existing internal systems impacts their compliance with GDPR  (or the EUDPR) rules. Therefore, ensuring adequate handling of personal data is a key factor for institutions considering the adoption of digital credentials, including the use of the European Digital Credentials for Learning infrastructure. Furthermore, ensuring control over their personal data is a growing interest of EU citizens. This includes understanding how their personal data is processed by organisations and also the knowledge of how to use the tools at their disposal to share their data securely.  

With this in mind, this article aims to provide an overview of how adherence to the EUDPR is applied within the EDC infrastructure, and which aspects remain the responsibility of the institution gathering the personal information of learners to issue their credentials to them in the form of EDCs.  

The EDC infrastructure is designed to ensure that when used in combination with comprehensive internal data protection policies, the rights of credential recipients are respected. It is however important to highlight that this requires that the organisation issuing credentials has a legal basis for processing the personal data of credential recipients. For further information on the grounds for processing personal data, please refer to Article 6 of the GDPR.  

Personal data in the EDC infrastructure  

The European Digital Credential for Learning (EDC) infrastructure is available both as directly usable web tools and services, as well as an open-source package. While both are offered by the European Commission, the information presented above only apply to the web tools. The use of the infrastructure’s open-source version does not entail the sharing of personal data with external parties (the generation of credentials would happen within the organisation’s own IT systems).  

In the EU Login based and password protected Online Credential Builder (OCB), account holders can build and store reusable credential templates that do not contain any personal data. The personal data is only added when a template is used to issue actual credentials. The issuing institution then needs to supply the personal data of their learners (at minimum a name and email address, but this can be complemented with additional data if deemed necessary by the institution) that is afterwards converted into EDC-compliant digital credential files using the EDC issuer. This personal data should already be held by the organisation, and is simply reused to form part of the credential’s data content.  

When supplying credential recipients’ personal information, the credential issuer must accept a check that confirms that their organisation’s data protection policy allows them to share this data with Europass for the duration of the session, for the purpose of creating and issuing credentials. If the credential issuer’s existing legal or contractual obligation and legitimate interest does not already authorise them to process this data, it is their responsibility to ask for the credential recipients’ consent to convert this personal data into a digital credential. It is important to note that by sealing the digital credentials with an advanced or qualified electronic seal (a prerequisite to issuing the credentials), issuing organisations assume legal responsibility for the credentials’ authenticity and integrity.

Once provided, the credential recipients’ personal data is only stored temporarily in cache while the credentials are being created and issued. No personal data is stored in a database or other storage system at any point.  

However, before being issued to their recipients, credentials already containing personal information but not yet sealed by the organisation may be downloaded (by the person who provided the data) in a single zip file. Additionally, once the credentials are sealed and sent, the issuer can download a csv file that contains high level details (namely the date and time of issue, credential titles and IDs, names of credential recipients and confirmation, error or warning messages about successful or failed EDC deliveries). This is the only time at which the record of an issuing session, including some of the personal information, can be downloaded from the EDC issue. Note that only the same individual that has inputted the information to the issuer will be able to download it, nonetheless this record should only be downloaded by organisations who can explicitly do so as per their data privacy rules. After this point all information related to the credential issuing flow is erased from the EDC issuer cache.

In conclusion, the EDC issuer does not store or process any personal data, and only provides a tool to create and issue digital credentials by converting the learner data, collected by the issuing institution, into European Digital Credentials for Learning.  

Issuing EDCs to learners  

Credential issuers are free to choose from the following available options to deliver credentials to their recipients:  

• Send credentials to learners via e-mail. In this case the credentials are received as attachments, and recipients can choose how they store them.  
• Send credentials to existing Europass or another compliant digital credential wallets. In this case the learners are informed about the credential deposit via email, and also receive the credentials as an attachments.  
• Send credentials to temporary Europass wallets created for the recipients. When issued via email, besides sending a credential as attachment, issuers can choose to also deposit it into a temporary wallet that is linked to the learner’s email address. Temporary wallets can be retrieved by creating a Europass account using the same email address. Otherwise, after 6 months of the issuance of the credential, and following a couple of reminders sent to the credential holder, unclaimed temporary wallets are deleted. This should only be done by organisations who can explicitly do so as per their data privacy rules.    

Learners do not need to have a Europass wallet (temporary or registered) to store their credentials. EDCs can also be stored offline on personal devices or virtual drives. However, learners can choose to keep their credentials in Europass, by either creating a new wallet or claiming a temporary wallet.  

Credentials can be directly deposited to the wallet by the issuer, or manually uploaded by the credential recipient. In either case, these credentials, including the personal data, will be stored in Europass in accordance with the Europass Privacy Statement.  

If a person chooses to store their credential offline, they can view its content by uploading it to the EDC viewer. When a credential is uploaded to the viewer, the data will be temporarily stored in (server-side) cache to allow it to be viewed and verified. Once the credential is closed, all data is wiped from the cache.

Ensuring control even when sharing  

Finally, Europass ensures that learners remain in control of their own data even when sharing their credentials with third parties. Europass allows its users to create share links to individual credentials or a collection of data included in their Europass account (such as an Application or their Europass Profile). These share links always have an expiry date and can be sent for viewing and verification to prospective employers individually for each job application. This means that learners are fully in control of who they share their data with, and for how long. The Europass platforms allows users to manage these links, extending their validity or deleting them.  

For further information about data privacy for European Digital Credentials for Learning, we invite you to consult the Europass Data Privacy Statement.