Jun 12, 2026
QR-based credential verification: how it works, what it stores and what it deliberately hides
The code contains no personal data; the screen shows the minimum. Verification design as GDPR data minimisation.

When a compliance pass QR is scanned, the code itself contains no personal data: it carries a signed link to a live record. The verification screen then shows the minimum a checker needs (first name and initial, the credential type, status and expiry date) and nothing else. That design is not politeness; it is GDPR data minimisation applied to verification.
What is actually inside the QR code?
A web address with two parts: a short random credential identifier and a cryptographic signature. The identifier looks nothing like a name or a number sequence anyone could guess; the signature proves the link was issued by the registry and has not been altered. Change one character and the verification screen reports invalid.
Why a live lookup rather than data in the code?
Because truth changes. A credential can expire or be revoked, and a live lookup reflects that on the very next scan. Codes that embed the data itself stay "valid" forever on a screenshot. Live verification is also what makes the audit trail possible: each scan is logged as an event, which is evidence the paper world never had.
What does the checker see, and what can they never see?
See: first name and initial, credential type, current status, expiry date. Never: the worker's contact details, date of birth, training answers, other credentials or employment history. Scoped disclosure means a gate scan in one context reveals nothing about credentials issued for another. The person holds one pass; each checker sees only their slice.
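The flow described in the three sections above (signed link, live lookup, scoped disclosure), as an added example that is not EdXactly's own code. It assumes HMAC-SHA256 as the signature scheme; the URL layout, field names, host and sample record are constructed for illustration.

```python
import hashlib, hmac, secrets
from datetime import date
from urllib.parse import urlparse, parse_qs

# Assumptions: HMAC-SHA256 stands in for the page's unspecified signature;
# host, URL layout, field names and the record below are constructed.
REGISTRY_KEY = secrets.token_bytes(32)      # held only by the registry
BASE_URL = "https://verify.example/c/"      # placeholder host
PUBLIC_FIELDS = ("display_name", "credential_type", "expires")

def _sign(cred_id: str) -> str:
    return hmac.new(REGISTRY_KEY, cred_id.encode(), hashlib.sha256).hexdigest()

def issue_link(cred_id: str) -> str:
    """URL encoded into the QR: random identifier plus signature, no personal data."""
    return f"{BASE_URL}{cred_id}?sig={_sign(cred_id)}"

def verify_scan(url: str, registry: dict, today: date, scan_log: list) -> dict:
    """Check the signature, read the live record, return only the checker's view."""
    parsed = urlparse(url)
    cred_id = parsed.path.rsplit("/", 1)[-1]
    sig = parse_qs(parsed.query).get("sig", [""])[0]
    record = registry.get(cred_id)
    # Constant-time comparison; an altered identifier or signature fails here.
    sig_ok = hmac.compare_digest(sig.encode(), _sign(cred_id).encode())
    if not sig_ok or record is None:
        result = {"status": "invalid"}
    else:
        status = record["status"]           # read at scan time, so revocation shows
        if status == "active" and record["expires"] < today:
            status = "expired"
        # Allow-list projection: fields outside PUBLIC_FIELDS never leave the registry.
        result = {"status": status, **{f: record[f] for f in PUBLIC_FIELDS}}
    # Every scan becomes an audit event, whatever its outcome.
    scan_log.append({"credential": cred_id, "date": today, "status": result["status"]})
    return result

# Constructed sample record: the registry holds more than a scan ever returns.
CRED_ID = secrets.token_urlsafe(16)
REGISTRY = {CRED_ID: {
    "display_name": "Anna K.", "credential_type": "Site safety induction",
    "expires": date(2027, 1, 31), "status": "active",
    "email": "anna@example.org", "date_of_birth": date(1990, 5, 4),
}}
```

Because the response is built from an allow-list rather than by deleting sensitive fields, a field added to the record later stays hidden until someone deliberately exposes it.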
How does this sit with GDPR?
Comfortably, when built for it. The registry stores a minimal data set, processing and hosting stay within the EU, retention is defined and time-limited, workers receive a privacy notice in their own language, and the roles of client, agency and provider are fixed in a data processing agreement. Verification systems handle personal data; the obligation is to handle as little as possible, as transparently as possible. That is the standard EdXactly Pass and EdXactly Verify are built to.
The question to ask any credential vendor
"Show me exactly what a scan reveals." If the answer includes anything a doorway check does not need, the system was designed for convenience rather than for the worker. Ask to see the screen.
Last reviewed: June 2026. This article is general information and is not legal advice.