Training providers: destroying participant data
A training provider processes the data of every participant: name and address, enrolments, attendance and progress records, tests and evaluations, issued certificates and the invoicing. Part falls under the tax retention obligation, part you keep as long as a participant can fall back on it, and part should be kept as briefly as possible. This guide shows, by part, what you keep, when it may go and how to destroy it confidentially.
The quick answer: the invoicing falls under the tax seven years. Attendance and progress records you keep as long as they are needed for the course and any complaint. Tests and evaluations you clear out once the assessment is final. Of issued certificates you keep a verifiable overview. What may go disappears confidentially and with a certificate of destruction.
Two frameworks: administration and GDPR
At a training provider two things run together. The tax retention obligation requires you to keep your administration for seven years, including invoices and payment data of participants and clients. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary. The tax obligation sets the floor for the administration, the GDPR the ceiling for the rest of the participant file.
So treat the participant data per type. An invoice has a different status than an attendance list, and a test result a different one again than an issued certificate. If you make that distinction, you keep exactly what you must and clear out the rest on time. Anyone who keeps everything for years without distinction builds a growing mountain of personal data with no valid ground.
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the end of the course.
| Part | Starting point | Period |
|---|---|---|
| Invoicing and administration | Tax retention obligation | 7 years |
| Enrolment and contact data | Until completion and tax | purpose-bound + 7 years |
| Attendance and progress records | As long as needed for the course | purpose-bound |
| Tests and evaluations | Until assessment final | clear out after objection period |
| Issued certificates and diplomas | Verifiable overview | as long as participant falls back |
| Correspondence and drafts | No retention obligation | clear out at once |
Use this as a guideline, not a substitute for agreements with clients or a quality mark you fall under. When in doubt, consult your trade association or privacy adviser. The tax side is in the 7-year tax retention obligation, and a full overview per document type is in the GDPR retention periods cheatsheet.
Attendance and progress: keep purpose-bound
Attendance lists and progress records belong to the course itself. You need them to determine whether a participant has met the requirements and to substantiate a certificate. As long as that purpose runs, you keep them. Once the course is complete and no complaint or objection is in play, the ground lapses and you clear them out. Attendance lists with signatures are personal data and should not stay in a drawer for years simply because they happen to be there.
If you work on behalf of an employer, record in advance who may keep which data and for how long. The outcome of a course may be relevant to the employer, but that does not automatically make you obliged to retain the full file. Anyone wanting to sharpen the role of participant data alongside personnel data will find guidance in the approach to applicant data retention and destruction.
Certificates, tests and evaluations
An issued certificate or diploma is valuable proof for the participant. So keep a verifiable overview of who obtained which certificate, for as long as participants can reasonably fall back on it. That overview is something other than the underlying tests, worked answers and assessments. Those you clear out earlier, once the assessment is final and the objection period has passed. Test questions, completed answer sheets and interim evaluations no longer have a purpose after that.
The logic resembles that of education. A school keeps core data limited and clears out files after the statutory period, as described in student files and the 5-year retention. A driving school too separates the administration from the single pupil data, as seen with driving schools destroying pupil data. For a training provider the same line applies: keep the proof verifiable, clear out the working material on time.
How to handle it in 6 steps
- Split the data into administration, enrolment, attendance, tests and certificates.
- Keep the administration seven years under the tax retention obligation.
- Keep attendance and progress as long as the course and any complaint require.
- Clear out tests and evaluations once the assessment is final.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Participant data is destroyed confidentially, because it contains names, contact data, performance and sometimes special-category data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old course administration on a laptop or a backup with participant lists belongs with it too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Participant data to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quoteCommon mistakes
- Keeping participant lists forever. After completion and the tax period the purpose lapses.
- Retaining tests and worked answers. After a final assessment they no longer have a ground.
- Treating attendance lists as scrap paper. Signatures are personal data.
- Throwing away unshredded. A participant file on the street is a reportable data breach.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long does a training provider keep participant data?
The invoicing falls under the seven-year tax retention obligation. Attendance and progress records you keep as long as they are needed for the course and any complaint. Other participant data you keep no longer than necessary for the training and its settlement.
Must I keep certificates and diplomas I have issued?
Keep a verifiable overview of who obtained which certificate, for as long as participants can reasonably fall back on it. The underlying tests and assessments you clear out earlier, once the course is complete and no objection is in play.
How long do I keep tests and evaluations?
Test results and evaluations you keep until the assessment is final and a complaint or objection period has passed. After that the purpose lapses and you clear them out confidentially.
How do I destroy participant data in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
A training provider works with enrolments, attendance, tests, evaluations and certificates of every participant, between a tax retention obligation and the GDPR. Keep the administration seven years, keep attendance and progress as long as the course requires and clear out tests once the assessment is final. Of certificates you keep a verifiable overview. What may go you have destroyed confidentially with a certificate as proof. That way you meet both frameworks and protect your participants' data.
Read also: universities: destroying student data, exam bodies: destroying candidate data, tutoring services: destroying student data and the GDPR retention periods cheatsheet.
Have participant data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.