GDPR Privacy Policy

Last Updates: 2 April 2025

Effective Date: 27 February 2025

1. Coverage

1.1 What this GDPR Privacy Policy Covers

This GDPR Privacy Policy applies only to our processing of personal information covered by the following:

  • General Data Protection Regulation (GDPR);
  • United Kingdom Data Protection Act; and
  • Swiss Federal Data Protection.

Because these laws are virtually identical, we will refer to each of them “GDPR” in this GDPR Privacy Policy. Also, when we say “processing,” we mean collecting, using, sharing, or performing similar actions on personal information.

How GDPR applies to Checkr depends on whether Checkr is processing your personal information as a “processor” or a “controller” under GDPR. We explain those terms more in the sections ahead.

1.2 Checkr as Processor

If Checkr is processing your personal information on behalf of a Customer, Checkr is acting as a processor. This arises when Checkr performs a background check on you at the Customer’s instruction.

When we are processing your personal information in this capacity, we are not responsible for identifying the lawful basis for processing, along with other information about the processing. For instances where Checkr is acting as a processor, please contact the relevant Customer to learn about its lawful bases for processing your personal information, the identity of its EU representative, and other information on how your personal information is being processed.

1.3 Checkr as Controller

If Checkr processes your personal information for its own purposes, Checkr is acting as a controller. An example would be when Checkr uses analytics technologies on its Site so that it better understands how Site Visitors are interacting with the Site. For instances where Checkr is acting as a controller, we provide you with the information in this GDPR Privacy Policy, as required by GDPR.

Relatedly, where Checkr is disclosing personal information to social media platforms for advertising purposes, as we describe more fully here, Checkr is likely acting as a joint controller with those social media platforms. Checkr’s joint controllership, however, would extend only to the processing necessary to display an advertisement to you on those platforms.

If you would like more information about how those social media platforms such as Meta, Instagram, and LinkedIn process your personal data, please read their privacy policies. You can find those policies on their websites.

1.4 What We Cover in Other Policies

In this GDPR Privacy Policy, we address only matters specific to Candidates and Visitors covered by GDPR and that our Privacy Policy does not already describe. Please see our Privacy Policy to learn more about the following:

  • The categories of personal information we process
  • Sources of personal information we process
  • What policies we have on storing personal information
  • Our data protection officer's contact information

2. Why We Process Your Personal Information

In most cases, we will process your personal information as necessary for the following lawful bases:

  • To perform a contract with you (“Contract”);
  • With your consent (“Consent”);
  • To comply with our legal obligations (“Legal Obligation”);
  • To protect your or someone else’s vital interest (“Vital Interest”); and
  • For our legitimate interests in carrying out our business (“Legitimate Interest”).

Under those lawful bases, we process your personal information when acting as a controller for the below purposes.

Lawful BasisPurpose
Contract
  • Providing requested services
  • Contacting customers
    • Consent
  • Contacting you to provide information you have requested
  • Marketing communications
  • Product notifications
    • Legal Obligation
  • Sending legally required notices about our services and your personal information
  • Responding to EU subpoenas, court orders, warrants, or law enforcement requests
    • Vital Interest
  • Handling emergencies threatening a person’s health or safety.
    • Legitimate Interests
  • Securing Checkr systems and protecting against abuse
  • Recording and reviewing communications
  • Determining whether a prospect is interested in our services
  • Marketing outreach
  • Customer support
  • Performing quality assurance checks and candidate satisfaction feedback surveys
  • Improving our services and technologies
  • Responding to non-EU subpoenas, court orders, warrants, or law enforcement requests

    • Where we listed Legitimate Interest as the lawful basis in the table above, you can find the specific interests we rely on listed below.

    Our PurposesOur Legitimate Interests
    Securing Checkr systems and protecting against abuse Providing users with assistance and service continuity
    Recording and reviewing communicationsEnsuring compliance, quality assurance, and security
    Determining whether a prospect is interested in our ServicesPromoting Checkr’s services and reaching prospective customers
    Marketing outreachPromoting Checkr’s services and reaching prospective customers
    Customer SupportEnhancing the quality, performance, and competitiveness of Checkr’s offerings
    Performing analytics to provide better servicesEnhancing the quality, performance, and competitiveness of Checkr’s offerings
    Performing quality assurance checks and candidate satisfaction feedback surveysEnhancing the quality, performance, and competitiveness of Checkr’s offerings
    Improving our services and technologiesEnhancing the quality, performance, and competitiveness of Checkr’s offerings
    Responding to non-EU subpoenas, court orders, warrants, or law enforcement requestsProtecting Checkr’s legal interests in international matters

    3. Necessary Disclosures to Checkr

    Where we rely on the Contract lawful basis, we might not be able to perform our contract with you if you do not provide us with certain personal information. For example, if we engaged you as a contractor and signed a contract with you agreeing to pay a specified fee, we would likely need certain personal information such as your bank details. Otherwise, we might not be able to pay you the fee established in that contract.

    Please review our separate privacy notice if you are a Worker and want to learn more about how we process your personal information.  

    4. Your Rights

    Under GDPR, you may have the following rights regarding your personal information:

    • Access. You may confirm whether we process personal information about you, request access to that information, and receive details about how we process that information. We may charge a fee for exercising this right if you ask for more than one copy of your personal information. We may also charge a fee or refuse your request if it is manifestly unfounded or excessive.
    • Erasure. You may request deletion of your personal information in certain circumstances, such as where you withdraw your consent to processing or where your personal information is no longer needed to fulfill the purpose for which it was processed. We may charge a fee or refuse your request if it is manifestly unfounded or excessive.
    • Rectification. You may request that we correct your personal information if inaccurate or otherwise required by GDPR. We may charge a fee or refuse your request if it is manifestly unfounded or excessive.
    • Restriction. You may restrict our processing of your personal information in certain instances, such as where you have disputed the accuracy of your personal information we hold or where you object to our processing of your personal information for a Legitimate Interest. In the latter case, we will restrict the processing of your information while we determine whether we may continue processing the information under compelling legitimate grounds or as necessary to establish, exercise, or defend a legal claim. We may charge a fee or refuse your request if it is manifestly unfounded or excessive.
    • Portability. You may request to receive your personal information in a structured, commonly used, and machine readable format and, where permitted by GDPR, to have it transferred to someone else. This right applies only where you have provided us with the personal information and we relied on your consent or the performance of a contract with you to justify our processing of that information. We may charge a fee for exercising this right or refuse your request if the request is manifestly unfounded or excessive. We may charge a fee or refuse your request if it is manifestly unfounded or excessive.
    • Consent Withdrawal. Where we rely on consent to process your personal information, you may withdraw your consent at any time. If you withdraw that consent, it will not affect the lawfulness of our processing before that withdrawal.

    You also have the right to object to our processing of your personal information under the Legitimate Interest lawful basis or for direct marketing. In the former case, we may continue processing your personal information if we determine we have compelling legitimate grounds to do so or if necessary to establish, exercise, or defend a legal claim.

    If you would like to exercise any of the above rights regarding your background check, we will direct you to the controller that requested your background check. Click here for more information about who acts as a controller in the background check process.

    5. Data Transfer

    5.1 Possibility of International Transfers

    As a global company, Checkr performs services for Customers and Candidates all over the world. To make that possible, Checkr may transfer your personal information to countries outside your home country, including to countries whose privacy laws might not offer the same level of personal information protection as your own. Depending on your relationship with us, such countries could include the United States, Chile, Canada, and Romania.

    5.2 What Safeguards We Have for These Transfers

    When we transfer your personal information to countries outside the EEA, Switzerland, or the UK, we use certain legal mechanisms that are required or permitted under GDPR or similar laws. These mechanisms include the following:

    • Standard Contractual Clauses. We use standard contractual clauses approved by the European Commission and other relevant authorities. These clauses help ensure that your personal information remains protected during international transfers in accordance with the GDPR. If you would like a copy of Checkr’s standard contractual clauses or have any questions about them, you may contact us at dpo@checkr.com.
    • Adequacy Decisions. We may transfer your personal information to countries that the European Commission or relevant governmental authorities have determined offer an adequate level of data protection. You can read the full list of countries with adequacy decisions on the European Commission’s website. To that end, for transfers to the United States, Checkr participates in the following (together, the Data Privacy Framework):
      • EU-U.S. Data Privacy Framework;
      • The UK Extension to the EU-U.S. Data Privacy Framework; and 
      • The Swiss-U.S. Data Privacy Framework. 
      You can learn more about our participation here. Under the Data Privacy Framework, when we transfer your personal information to the United States, the GDPR will treat that transfer as if it were made to a country with adequate protection.
    • Derogations. In limited circumstances, we may use other legal ways under GDPR to transfer your personal information. For example, we may transfer your personal information if you have given explicit consent or where the transfer is otherwise permitted or required by law.

    6. Automated Decisionmaking

    6.1 Biometric-Based Identity Verification

    For certain Services in the UK, we use a vendor to process your biometric information. The reason is that the UK Disclosure and Barring Service (DBS) requires us to verify your identity before performing a DBS check on you.

    To verify your identity, the vendor we use processes your biometric information, such as measurements of your facial geometry. To that end, the vendor asks you to upload a selfie and a picture of your governmental identification. Then, it will extract facial measurements from those uploaded photographs. From there, it will use automated decision making to compare the facial measurements of your selfie with those of your photograph on your governmental identification. This will help it determine whether those measurements sufficiently match.

    At all stages of this vendor’s process, Checkr does not receive any of your biometric information from this vendor. Checkr engages in this processing activity only on the Customer’s behalf as a processor.

    6.2 Other Automated Decision Making

    Other than the biometric-based identity verification mentioned earlier, we do not use any automated decisionmaking technologies or algorithms that affect your legal rights in processing your personal information for our Services. That said, if you are a Candidate, our Customers might use such technologies to make a decision about you. These processes would be separate from any in which we are involved. Therefore, we recommend that you contact them if you have questions about their use of automated decision making.

    7. Questions and Complaints

    If you have a question or complaint about Checkr’s privacy practices, you can contact us at dpo@checkr.com.

    You may also contact the following data protection authorities if you have a complaint about Checkr’s privacy practices:

    • UK Information Commissioner’s Office
    • Swiss Federal Data Protection and Information Commissioner
    • If you live in the EEA, the data protection authority in your home country.

    Click here for a list of EEA data protection authorities and their contact details. Before complaining to a data protection authority, we would be grateful if you contacted us first so we can try to resolve your complaint for you.