GDPR: How to Track the Distribution of Your Data Protection Policies

Published on November 22, 2025

GDPR is built on a key principle: accountability. You must be able to demonstrate your compliance—not just claim it. And that includes awareness training for your teams.

The GDPR awareness requirement

Article 39 of GDPR defines the DPO's missions, including:

To raise awareness and train staff involved in processing operations.

And Article 5.2 requires being able to demonstrate this compliance:

The controller shall be responsible for, and be able to demonstrate compliance with [the principles].

In other words: if you can't prove your teams have been made aware, you're not compliant.

What regulators expect

During an inspection, data protection authorities may request:

  • The list of people who received awareness training
  • The dates of awareness sessions
  • The content distributed (document version)
  • Proof of acknowledgement

Simply sending an email doesn't constitute sufficient evidence. Regulators expect robust traceability.

Documents concerned

GDPR awareness covers several types of documents:

  • Internal privacy policy: how the company processes employee data
  • Personal data charter: rules for teams handling customer data
  • Rights management procedures: how to respond to access, rectification, erasure requests
  • Data security policy: technical and organizational measures
  • Subcontracting rules: obligations when using vendors

Why email isn't enough

Sending a PDF by email has several problems:

  1. No proof of reading: a read receipt proves that the message was sent, not that it was read
  2. No versioning: which version of the document was distributed?
  3. No consolidation: no single view of who read what
  4. No export: how do you present this evidence to regulators?

The solution: traceable acknowledgement

Acknowledgement (read confirmation) provides:

  • Identification: who confirmed (OAuth2 authentication)
  • Timestamp: when the confirmation occurred
  • Integrity: a hash of the document pins the exact version that was acknowledged
  • Non-repudiation: Ed25519 cryptographic signature
  • Export: report ready for regulators
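The five properties above can be checked independently by an auditor if each confirmation is stored as a self-contained signed record. The following Go program is an added illustration of that idea, not Ackify's own code; its record layout, the choice of having the acknowledgement service (rather than the end user) hold the Ed25519 key, the JSON canonicalisation of the signed payload, and the sample policy text are all assumptions made for the example. It uses only the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Acknowledgement is a constructed record layout for this example (not Ackify's schema).
// It carries who confirmed (identity from the OAuth2 login), when, which exact
// document version (hash), and a signature that detects later alteration of the record.
type Acknowledgement struct {
	UserID    string `json:"user_id"`
	Email     string `json:"email"`
	DocID     string `json:"doc_id"`
	DocHash   string `json:"doc_hash"`  // SHA-256 of the document bytes, hex
	Timestamp string `json:"timestamp"` // RFC 3339, UTC
	Signature string `json:"signature"` // Ed25519 over the canonical payload, hex
}

var (
	ErrVersionMismatch = errors.New("document hash does not match the current version")
	ErrBadSignature    = errors.New("signature is missing, malformed or invalid")
)

// GenerateKeys creates the service's Ed25519 key pair (assumption: the service signs, not the user).
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// HashDocument pins the exact version that was acknowledged.
func HashDocument(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// payload is the canonical byte string covered by the signature: the record with the
// signature cleared, serialised as JSON. encoding/json writes struct fields in
// declaration order, so the same record always yields the same bytes.
func (a Acknowledgement) payload() []byte {
	a.Signature = ""
	b, err := json.Marshal(a)
	if err != nil {
		panic(err)
	}
	return b
}

// Record builds and signs an acknowledgement for an already authenticated user.
func Record(priv ed25519.PrivateKey, userID, email, docID string, doc []byte, at time.Time) Acknowledgement {
	a := Acknowledgement{UserID: userID, Email: email, DocID: docID,
		DocHash: HashDocument(doc), Timestamp: at.UTC().Format(time.RFC3339)}
	a.Signature = hex.EncodeToString(ed25519.Sign(priv, a.payload()))
	return a
}

// RecordNow stamps the acknowledgement with the current UTC time.
func RecordNow(priv ed25519.PrivateKey, userID, email, docID string, doc []byte) Acknowledgement {
	return Record(priv, userID, email, docID, doc, time.Now())
}

// Verify is what an auditor runs over an exported record: the signature proves no field
// was altered after signing, and the hash comparison shows whether the record covers
// the document version currently in force.
func Verify(pub ed25519.PublicKey, a Acknowledgement, currentDoc []byte) error {
	sig, err := hex.DecodeString(a.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, a.payload(), sig) {
		return ErrBadSignature
	}
	if a.DocHash != HashDocument(currentDoc) {
		return ErrVersionMismatch
	}
	return nil
}

// ExportJSON and ImportJSON round-trip records in the form handed to a regulator.
func ExportJSON(records []Acknowledgement) ([]byte, error) { return json.MarshalIndent(records, "", "  ") }
func ImportJSON(data []byte) ([]Acknowledgement, error) {
	var out []Acknowledgement
	err := json.Unmarshal(data, &out)
	return out, err
}

func main() {
	pub, priv := GenerateKeys()
	v1 := []byte("Internal privacy policy v1 (constructed sample)")
	v2 := []byte("Internal privacy policy v2 (constructed sample)")
	ack := RecordNow(priv, "oauth2|user-42", "alice@example.com", "privacy-policy", v1)
	fmt.Println("against v1:", Verify(pub, ack, v1)) // <nil>: valid for the version acknowledged
	fmt.Println("against v2:", Verify(pub, ack, v2)) // version mismatch: v2 needs a new acknowledgement
	ack.Email = "mallory@example.com"
	fmt.Println("tampered:", Verify(pub, ack, v1)) // bad signature: the record was altered
}
```

Two design points worth noting. Because the service holds the signing key, the signature proves that the stored record was not altered after the service wrote it; the "who" rests on the strength of the OAuth2 authentication that preceded the signing, so the exported report should state which identity provider was used and include the service's public key so an auditor can run the verification without trusting the exporting system. And because the hash is over the document bytes, publishing a revised policy automatically invalidates earlier acknowledgements for the purpose of "who has read the current version", which is exactly the versioning gap that email distribution leaves open.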

How Ackify meets GDPR requirements

Privacy by design

Ackify doesn't store the documents themselves—only confirmation metadata. No excessive collection.

Self-hosting

Your evidence stays on your servers. No transfers to US third parties. Digital sovereignty guaranteed.

Data minimization

Only necessary information is retained: user identifier, email, timestamp, signature.

Controlled retention period

You define the retention policy according to your legal requirements.

Example: new privacy policy

Your DPO updates the internal privacy policy. Here's the workflow:

  1. Publish the document on your wiki or SharePoint
  2. Create an Ackify campaign with the link
  3. Send to relevant teams
  4. Track confirmations in real-time
  5. Remind people who haven't confirmed
  6. Export the report for the compliance registry

During a regulatory inspection, you present this report: immediate proof of awareness.

Conclusion

GDPR requires being able to prove your teams' awareness. Email isn't enough. Timestamped and signed acknowledgement is the appropriate answer.

Ackify is the open-source tool designed for this need: simple, self-hosted, and GDPR-compliant by design.

➡️ Try Ackify — GDPR awareness proof.