Data protection policy

We want to work with you, our customers, partners, service providers, suppliers and trainees, in confidence, so this policy sets out what we do as a data controller with the personal data of individuals.

This document tells you what personal data we collect and that you provide to us, why we do so, when we disclose it to third parties, how we store it, secure it, and how you can exercise your rights to your data.

If you have any questions about this policy, please contact our Data Protection Officer (DPO) at


1. What do we collect and use personal data for?

We collect personal data directly from you or through your employer or an authorised person for:

  • ensure the execution of a contract or the general conditions (monitoring of the certification contract, preparation and execution of certification training, evaluation, quality control, certification assessment if applicable, feedback, issuance of a certification certificate);
  • We collect personal data from you or through your employer or an authorised person in order to
  • compliance with our legal or regulatory obligations  ;
  • the achievement of specific purposes after having obtained your explicit and positive consent
  • our legitimate interests such as customising our offers according to your needs, ensuring the security of our information system.

Some examples: we may send you via your email address a reminder notification of your certification renewal; we may inform you of new applications or services available for your industry.

Also, if you contact us, we will keep a record of your request to enable us to deal with it as best we can.

2. What personal data do you provide to us or do we collect?

When you contact us, or ask us to contact you again for the services you are interested in, you consent to provide us with the following personal data: surname, first name, email address, telephone number, information shared by yourself, cookies.

In order to provide our services, we collect personal and professional identification data such as: surname, first name, date of birth, initial and professional training,  professional experience, motivation, information contained on the identity documents presented by the Candidate, email address, mobile or fixed telephone number, signature, training certificate, employer certificate, company, function and seniority in a company, success or failure of the certification and certificate, data concerning technical skills ,  connection data, images and video of the remote surveillance, financial data related to billing.

We also use personal data generated as a result of certification: date of issue of the certificate, evaluation, certification. 

When you  wish to access the online services  you have subscribed to, you provide the following personal data: surname, first name, business email address, business telephone number.

We also store your consents to receive information, for example the news you subscribe to,  as well as your withdrawals of consent to the processing you had previously consented to.

To meet a specific purpose, we may collect health data such as medical fitness to validate certification. Further details will be provided where appropriate.



3. When do we share your personal data with third parties?

We will only disclose your personal data to third parties in the following cases:

  • To internal departments of the Apave group in charge of the execution of the purposes. 
  • For external processing purposes: we transmit this data to trusted persons who process it on our behalf, according to our instructions, in compliance with the GDPR and in compliance with any other appropriate security and confidentiality measures. In particular, we use service providers to provide data backup and hosting.
  • For legal or regulatory reasons: we may share personal data to comply with legal, regulatory and administrative obligations, to detect, prevent or deal with fraudulent activities, security breaches or any technical problems or during external evaluations and audits by authorities (or their representatives).

4. How do we store and secure your personal data?

We implement the necessary and appropriate organisational and technical security measures against unauthorised access, modification, disclosure or destruction of the data we store. The Information System Security Policy (ISSP) can be forwarded to you for further details of the measures. 

These measures include:

  • Only collect the data necessary for the specified, explicit and legitimate purposes declared.
  • Apave Certification's employees, subcontractors, service providers and interlocutors who need access to personal data to carry out their roles, functions and responsibilities:
    • are authorized and have access that is strictly reserved for them;
    • are aware of and/or trained, depending on their roles, functions and responsibilities;
    • have signed a confidentiality undertaking and have been informed of the risks and sanctions in the event of a breach of this obligation.
  • We carry out internal audits and audits of our suppliers processing personal data on behalf of Apave Certification.

When Apave Certification uses subcontractors to carry out specific processing activities, we ensure  that they comply with the same obligations and present sufficient guarantees regarding the implementation of appropriate technical and organisational measures so that the processing of personal data meets the requirements of the regulations in force. An agreement on the outsourcing of personal data will then be formally concluded.

We retain personal data for the duration of the business relationship and then archive or delete it. In some cases, we reserve the right to retain it for a longer period, in particular to prevent possible litigation and to meet our legal and regulatory obligations. 

For data processed as part of a processing operation subject to consent, we delete it upon withdrawal of consent.

We do not transfer personal data outside the European Union. In the event that we are required to do so for the purposes of a contract, we undertake to put in place appropriate security measures and the application of requirements in accordance with the models adopted by the European Commission. In any event, we remain accountable for our undertakings on such personal data.


5. How to exercise your personal data rights

In accordance with the law transposing the General Regulation on the protection of personal data, you have rights that we are required to respect: 

  • A right to information about the processing of your data  in a clear, fair and transparent manner;   
  • A right of access to your personal information transmitted  : you have the right to obtain from us confirmation as to whether or not your data is being processed, the purposes of the processing, the recipient of the data, the possible transfer of the latter as well as a copy of the said data; 
  • A right to rectify inaccurate or incomplete data  : you can obtain from us the rectification of your data if the latter turns out to be erroneous or inaccurate; 
  • A right to object to certain processing, in particular those whose purpose is commercial prospecting; 
  • A right to withdraw consent to data processing, without the effects of such withdrawal being retroactive;
  • A right to erasure of your data subject to unlawful processing  : you have a right to be forgotten only when the processing of your data does not relate to the performance of the contract and you have terminated the said contract;
  • A right to portability allowing you to receive in a usable format your provided data in order to transmit it to another provider. Data portability is only exercised on the data you have even provided to us about yourself and only if the processing is based on consent or contract; 
  • A right to limitation of processing; 
  • A right to give instructions regarding the retention, erasure and disclosure of your data after your death;

To exercise your rights, simply contact the DPO  at the email address, or by post to Apave Certification for the attention of the DPO at 6 Rue du Général Audran - 92412 Courbevoie.  There is also the possibility of lodging a complaint with a Data Protection Control Authority, in France the CNIL.


6. How do we handle personal data breaches?

We take personal data breaches very seriously.

In the event of a breach of your personal data that may pose a risk to your rights and freedoms, Apave's DPO will notify the CNIL of the breach as soon as possible, and, if possible, no later than 72 hours after becoming aware of it. Apave will also inform the person concerned, as soon as possible in accordance with the provisions of Article 34 of the RGPD.


7. Review and update of our data protection policy

We are committed to processing personal data in accordance with applicable legal requirements. 

This policy will be reviewed in line with changes in legislation. You will be regularly informed of this update.

Please note that this policy will be updated regularly.

Processor: Apave Certification - 6 Rue du Général Audran - 92412 Courbevoie