PRACTICAL ANSWER

A proposed attendance list including personal data not only in the form of the employee's first name and surname but also their date and place of birth may expose the data controller to an allegation of a personal data breach as defined in Article 4(12) GDPR. As a rule, an attendance list should include only the first name and surname of the person taking part in the training, as an employee's first name and surname are business data closely linked to their professional role. Including date and place of birth in addition to first name and surname would mean that all persons who have access to the list, and in particular the other participants in the training, would be able to view those data even though they are not authorised to do so by the data controller.

A personal data breach under Article 4(12) GDPR includes, among other things, unauthorised disclosure of or unauthorised access to personal data. Accordingly, an attendance list should include only the first and last names of persons participating in the training. A person authorised by the data controller (an employee of the controller, e.g. from HR) should then supplement that list with dates and places of birth of the employees. Only on that basis should certificates of completion of health and safety training be issued.