Effective Date: 27 February 2025
1. Coverage
1.1 What this GDPR Privacy Policy Covers
This GDPR Privacy Policy applies only to our processing of personal information covered by the following:
- General Data Protection Regulation (GDPR);
- United Kingdom Data Protection Act; and
- Swiss Federal Data Protection.
Because these laws are virtually identical, we will refer to each of them “GDPR” in this GDPR Privacy Policy. Also, when we say “processing,” we mean collecting, using, sharing, or performing similar actions on personal information.
How GDPR applies to Checkr depends on whether Checkr is processing your personal information as a “processor” or a “controller” under GDPR. We explain those terms more in the sections ahead.
1.2 Checkr as Processor
If Checkr is processing your personal information on behalf of a Customer, Checkr is acting as a processor. This arises when Checkr performs a background check on you at the Customer’s instruction.
When we are processing your personal information in this capacity, we are not responsible for identifying the lawful basis for processing, along with other information about the processing. For instances where Checkr is acting as a processor, please contact the relevant Customer to learn about its lawful bases for processing your personal information, the identity of its EU representative, and other information on how your personal information is being processed.
1.3 Checkr as Controller
If Checkr processes your personal information for its own purposes, Checkr is acting as a controller. An example would be when Checkr uses analytics technologies on its Site so that it better understands how Site Visitors are interacting with the Site. For instances where Checkr is acting as a controller, we provide you with the information in this GDPR Privacy Policy, as required by GDPR.
Relatedly, where Checkr is disclosing personal information to social media platforms for advertising purposes, as we describe more fully here, Checkr is likely acting as a joint controller with those social media platforms. Checkr’s joint controllership, however, would extend only to the processing necessary to display an advertisement to you on those platforms.
If you would like more information about how those social media platforms such as Meta, Instagram, and LinkedIn process your personal data, please read their privacy policies. You can find those policies on their websites.
1.4 What We Cover in Other Policies
In this GDPR Privacy Policy, we address only matters specific to Candidates and Visitors covered by GDPR and that our Privacy Policy does not already describe. Please see our Privacy Policy to learn more about the following:
- The categories of personal information we process
- Sources of personal information we process
- What policies we have on storing personal information
2. Why We Process Your Personal Information
In most cases, we will process your personal information as necessary for the following lawful bases:
- To perform a contract with you (“Contract”);
- With your consent (“Consent”);
- To comply with our legal obligations (“Legal Obligation”);
- To protect your or someone else’s vital interest (“Vital Interest”); and
- For our legitimate interests in carrying out our business (“Legitimate Interest”).
Under those lawful bases, we process your personal information when acting as a controller for the below purposes. For processing under the Legitimate Interest lawful basis, we specify the legitimate interest in the right column.
Lawful Basis | Purpose |
---|---|
Contract | |
Consent | |
Legal Obligation | |
Vital Interest | |
Legitimate Interests |
3. Necessary Disclosures to Checkr
Where we rely on the Contract lawful basis, we might not be able to perform our contract with you if you do not provide us with certain personal information. For example, if we engaged you as a contractor and signed a contract with you agreeing to pay a specified fee, we would likely need certain personal information such as your bank details. Otherwise, we might not be able to pay you the fee established in that contract.
Please review our separate privacy notice if you are a Worker and want to learn more about how we process your personal information.
4. Your Rights
Under GDPR, you may have the following rights regarding your personal information:
- Access. You may confirm whether we process personal information about you, request access to that information, and receive details about how we process that information. We may charge a fee for exercising this right if you ask for more than one copy of your personal information. We may also charge a fee or refuse your request if it is manifestly unfounded or excessive.
- Erasure. You may request deletion of your personal information in certain circumstances, such as where you withdraw your consent to processing or where your personal information is no longer needed to fulfill the purpose for which it was processed. We may charge a fee or refuse your request if it is manifestly unfounded or excessive.
- Rectification. You may request that we correct your personal information if inaccurate or otherwise required by GDPR. We may charge a fee or refuse your request if it is manifestly unfounded or excessive.
- Restriction. You may restrict our processing of your personal information in certain instances, such as where you have disputed the accuracy of your personal information we hold or where you object to our processing of your personal information for a Legitimate Interest. In the latter case, we will restrict the processing of your information while we determine whether we may continue processing the information under compelling legitimate grounds or as necessary to establish, exercise, or defend a legal claim. We may charge a fee or refuse your request if it is manifestly unfounded or excessive.
- Portability. You may request to receive your personal information in a structured, commonly used, and machine readable format and, where permitted by GDPR, to have it transferred to someone else. This right applies only where you have provided us with the personal information and we relied on your consent or the performance of a contract with you to justify our processing of that information. We may charge a fee for exercising this right or refuse your request if the request is manifestly unfounded or excessive. We may charge a fee or refuse your request if it is manifestly unfounded or excessive.
- Consent Withdrawal. Where we rely on consent to process your personal information, you may withdraw your consent at any time. If you withdraw that consent, it will not affect the lawfulness of our processing before that withdrawal.
You also have the right to object to our processing of your personal information under the Legitimate Interest lawful basis or for direct marketing. In the former case, we may continue processing your personal information if we determine we have compelling legitimate grounds to do so or if necessary to establish, exercise, or defend a legal claim.
If you would like to exercise any of the above rights regarding your background check, we will direct you to the controller that requested your background check. Click here for more information about who acts as a controller in the background check process.
5. Data Transfer
5.1 Possibility of International Transfers
As a global company, Checkr performs services for Customers and Candidates all over the world. To make that possible, Checkr may transfer your personal information to countries outside your home country, including to countries whose privacy laws might not offer the same level of personal information protection as your own.
5.2 What Safeguards We Have for These Transfers
When we transfer your personal information to other countries, we use appropriate safeguards to protect your information. These include the following:
- Using standard contractual clauses approved under data protection laws in the European Economic Area (EEA), Switzerland, and the UK;
- Participating in the EU-US Data Privacy Framework, the UK Extension of the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework; and
- Getting your consent to the transfer where permitted or required by applicable law.
Click here to learn more about our commitment to the Data Privacy Framework Principles.
6. Automated Decisionmaking
6.1 Biometric-Based Identity Verification
For certain Services in the UK, we use a vendor to process your biometric information. The reason is that the UK Disclosure and Barring Service (DBS) requires us to verify your identity before performing a DBS check on you.
To verify your identity, the vendor we use processes your biometric information, such as measurements of your facial geometry. To that end, the vendor asks you to upload a selfie and a picture of your governmental identification. Then, it will extract facial measurements from those uploaded photographs. From there, it will use automated decision making to compare the facial measurements of your selfie with those of your photograph on your governmental identification. This will help it determine whether those measurements sufficiently match.
At all stages of this vendor’s process, Checkr does not receive any of your biometric information from this vendor. Checkr engages in this processing activity only on the Customer’s behalf as a processor.
6.2 Other Automated Decision Making
Other than the biometric-based identity verification mentioned earlier, we do not use any automated decisionmaking technologies or algorithms that affect your legal rights in processing your personal information for our Services. That said, if you are a Candidate, our Customers might use such technologies to make a decision about you. These processes would be separate from any in which we are involved. Therefore, we recommend that you contact them if you have questions about their use of automated decision making.
7. Questions and Complaints
If you have a question or complaint about Checkr’s privacy practices, you can contact us at dpo@checkr.com.
You may also contact the following data protection authorities if you have a complaint about Checkr’s privacy practices:
- UK Information Commissioner’s Office
- Swiss Federal Data Protection and Information Commissioner
- If you live in the EEA, the data protection authority in your home country.
Click here for a list of EEA data protection authorities and their contact details. Before complaining to a data protection authority, we would be grateful if you contacted us first so we can try to resolve your complaint for you.