Processing Registry
v1.0
Record of processing activities pursuant to Art. 30 of Regulation (EU) 2016/679 (GDPR).
Data Controller
IDCERT — International Digital Certification S.r.l. Benefit Corporation — privacy@idcert.io
The Controller has not appointed a Data Protection Officer (DPO) as the processing does not fall within the cases provided for by Art. 37 GDPR.
T-01
Technical operation of the portal
- Purpose: Web service delivery and navigation
- Legal basis: Art. 6.1.f — legitimate interest
- Data categories: Navigation data (anonymised IP, pages visited)
- Data subjects: All portal users
- Recipients: Vercel Inc. (hosting, USA — SCC), Supabase (DB, EU)
- Retention: Access logs: 30 days
- Security measures: HTTPS, CSP, security headers, restricted access
T-02
Cookie consent management
- Purpose: GDPR accountability — proof of consent
- Legal basis: Art. 6.1.c — legal obligation (ePrivacy + GDPR)
- Data categories: Session ID (anonymous UUID), cookie preferences, IP hash, user agent, policy version
- Data subjects: All portal users
- Recipients: Supabase (DB, EU)
- Retention: 12 months from collection
- Security measures: Anonymised IP (SHA-256 + daily salt), RLS, insert-only
T-03
Contact request management
- Purpose: Responding to user enquiries
- Legal basis: Art. 6.1.a — explicit consent
- Data categories: Name, email, subject, message, IP hash
- Data subjects: Users who submit the contact form
- Recipients: Supabase (DB, EU)
- Retention: 12 months from request
- Security measures: Honeypot anti-bot, rate limiting, CSRF check, anonymised IP
T-04
Competence self-assessment
- Purpose: Anonymous self-assessment tool
- Legal basis: Art. 6.1.a — consent (voluntary save)
- Data categories: Session ID (anonymous UUID), selected levels per competence
- Data subjects: Users who use the dashboard
- Recipients: Supabase (DB, EU)
- Retention: 24 hours from session creation
- Security measures: UUID not linkable to identity, RLS, no personal data
T-05
Google Analytics
- Purpose: Anonymous traffic and page visit analysis
- Legal basis: Art. 6.1.a — explicit consent (analytics cookies)
- Data categories: Aggregated navigation data, anonymous client ID
- Data subjects: Users who consent to analytics cookies
- Recipients: Google LLC (USA — Data Privacy Framework)
- Retention: 26 months (GA4 setting)
- Security measures: IP anonymised by GA, loading conditional on consent
T-06
User interface preferences
- Purpose: Saving language and theme preferences
- Legal basis: Art. 6.1.f — legitimate interest
- Data categories: Language preference (cookie), theme (localStorage)
- Data subjects: All portal users
- Recipients: None (local data)
- Retention: 12 months (cookie) / indefinite (localStorage)
- Security measures: Non-personal technical data, no transfer