CheckMet and the GDPR

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law; it has applied since 25 May 2018. It gives individuals in the European Union (EU) and European Economic Area (EEA) control over their personal data and harmonises data protection rules across Europe.

At CheckMet, we recognize the importance of data protection and privacy, especially when handling biometric data. We have implemented a comprehensive GDPR compliance program to ensure that our facial recognition attendance management system meets the high standards required by this regulation.

This page outlines our approach to GDPR compliance and provides information about how we help our customers—who act as data controllers—meet their GDPR obligations when using our system.

GDPR Compliance

Our Role Under the GDPR

Understanding responsibility in the data processing relationship

Your Organization: The Data Controller

As our customer, your organization acts as the data controller under the GDPR. This means you determine the purposes and means of processing personal data of your employees and are primarily responsible for ensuring GDPR compliance in your use of our system.

As a data controller, you are responsible for:

  • Establishing an Article 6 legal basis, plus an Article 9(2) condition, for processing biometric data
  • Obtaining valid consent from individuals (where consent is the legal basis)
  • Providing privacy notices to data subjects
  • Responding to data subject rights requests
  • Conducting data protection impact assessments
  • Implementing appropriate security measures

CheckMet: The Data Processor

CheckMet acts as a data processor under the GDPR. We process personal data on behalf of our customers according to their instructions and as necessary to provide our services.

As a data processor, we are responsible for:

  • Processing data only according to the controller's instructions
  • Implementing appropriate technical and organizational security measures
  • Assisting controllers in meeting GDPR obligations
  • Notifying controllers of data breaches without undue delay
  • Ensuring our sub-processors comply with GDPR requirements
  • Maintaining records of processing activities

Data Processing Agreement

We provide a comprehensive Data Processing Agreement (DPA) that outlines our responsibilities as a data processor and your rights as a data controller. This DPA includes:

  • Definitions of roles and responsibilities
  • Details of processing activities
  • Security measures implemented by CheckMet
  • Sub-processor management
  • Data subject rights assistance
  • Data breach notification procedures
  • International data transfers safeguards

Contact our privacy team to request a copy of our standard DPA.

Processing Biometric Data Under the GDPR

Special considerations for facial recognition templates

Biometric data processed for the purpose of uniquely identifying a natural person, which includes facial recognition templates, is "special category data" under Article 9 of the GDPR. Its processing is prohibited unless one of the Article 9(2) conditions applies in addition to an ordinary Article 6 legal basis, and it calls for additional safeguards.

Our Recommendations for GDPR-Compliant Biometric Processing

1. Conduct a Data Protection Impact Assessment (DPIA)

Before implementing facial recognition attendance, conduct a thorough DPIA to identify and mitigate privacy risks. We provide DPIA templates and guidance specific to our system.

2. Implement a Transparent Consent Process

Ensure your consent process is transparent, specific, and truly voluntary. Provide clear information about data processing and offer alternative attendance methods for those who do not consent.

3. Update Privacy Notices

Revise your employee privacy notices to include details about biometric data collection, processing purposes, retention periods, and data subject rights.

4. Document Your Compliance

Maintain detailed records of consent, processing activities, and security measures to demonstrate accountability as required by the GDPR.

5. Implement Data Minimization

Collect only the biometric data necessary for attendance verification and configure appropriate retention periods.

How CheckMet Helps You Comply with the GDPR

Features and tools to support your compliance efforts

Consent Management

Our platform includes configurable consent workflows that help you obtain and document valid explicit consent from employees. These workflows can be customized to align with your specific requirements and can be updated as needed.

Data Subject Rights Support

We provide tools and processes to help you fulfill data subject rights requests, including access, rectification, erasure, and data portability. Our system makes it simple to export an individual's data or delete their biometric templates upon request.

Data Security

We implement security measures appropriate to the risk of processing biometric data, as Article 32 requires, including encryption, access controls, and regular security testing. Our security practices are designed around the GDPR's requirements for processing special category data.

Data Retention Controls

Our system allows you to configure custom data retention policies to ensure biometric data is only kept as long as necessary for attendance tracking purposes, supporting the GDPR principle of storage limitation.

Documentation & Records

We help you maintain the necessary documentation to demonstrate GDPR compliance, including processing records, consent receipts, and audit logs of data access and changes.

Data Protection by Design

CheckMet is built with privacy by design principles. We minimize data collection, implement appropriate technical safeguards, and provide granular controls over data processing.

International Data Transfers

We provide appropriate safeguards for international data transfers, including Standard Contractual Clauses where necessary, to ensure GDPR-compliant transfers of personal data.

Breach Notification

We maintain robust incident detection and response procedures to identify and address potential data breaches. We will notify you without undue delay in the event of a personal data breach as required by the GDPR.

International Data Transfers

How we protect EU data when transferred internationally

The GDPR places restrictions on the transfer of personal data outside the European Economic Area (EEA) to third countries that do not provide an adequate level of data protection.

For customers in the EEA, CheckMet offers several options to ensure compliant international data transfers:

EU Data Residency

Our Enterprise plans offer EU data residency options, allowing all personal data to be processed and stored exclusively within the EEA on our EU-based servers.

Standard Contractual Clauses (SCCs)

For transfers outside the EEA, we incorporate the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) into our Data Processing Agreement to provide appropriate safeguards for data transfers.

Supplementary Measures

Following the Schrems II decision, we implement additional technical, contractual, and organizational measures beyond SCCs to ensure that data transferred outside the EEA receives protection essentially equivalent to that guaranteed within the EU.


GDPR Compliance FAQs

Common questions about using CheckMet in compliance with the GDPR

Is consent the only legal basis for using facial recognition attendance?

Explicit consent (Article 9(2)(a)) is the most commonly cited condition for processing biometric data, but it is not the only one, and in an employment relationship it is also the hardest to rely on: supervisory authorities take the view that consent from an employee is rarely "freely given" because of the imbalance of power, so it must be genuinely refusable without detriment, with a non-biometric alternative available. Other conditions may apply depending on your circumstances and the law of your EU member state; some organizations rely on Article 9(2)(b) (employment law) where member state law or a collective agreement provides for it. We recommend consulting your legal team to determine the appropriate legal basis for your organization.

What if an employee withdraws consent to facial recognition?

If an employee withdraws consent, you must stop processing their biometric data for facial recognition. CheckMet supports alternative attendance tracking methods that can be activated for employees who do not consent to or have withdrawn consent for facial recognition. The system allows for easy transition between attendance methods without disruption to record-keeping.

Do we need to conduct a DPIA before implementing CheckMet?

Yes, a Data Protection Impact Assessment (DPIA) is generally required before implementing facial recognition technology. Article 35 requires a DPIA where processing, in particular using new technologies, is likely to result in a high risk to individuals; large-scale processing of special category data is listed explicitly, and biometric identification of employees appears on the DPIA lists published by many supervisory authorities. We provide DPIA templates and guidance to help you complete this assessment efficiently.

How long does CheckMet retain biometric data?

CheckMet allows you to configure data retention periods based on your specific needs and compliance requirements. By default, biometric templates are retained only for the duration of employment plus a short grace period. When an employee leaves, their biometric data can be automatically purged from the system while the attendance records are retained if needed for legitimate purposes such as legal compliance. Those attendance records are still personal data, so they need their own documented retention period rather than being kept indefinitely.
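The two behaviours described in the preceding answers, stopping biometric processing as soon as consent is withdrawn and purging templates after employment ends plus a grace period while leaving attendance records alone, can be expressed as a small, auditable policy routine. The following Python is an added illustration and is not CheckMet's code; the employee fields, the "badge" fallback method, the 30-day grace period and the sample records are all hypothetical.

```python
# Added example (not CheckMet code): a minimal retention/consent policy for
# biometric templates. Names, grace period and sample data are hypothetical.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

FACE = "face"     # facial-recognition attendance
BADGE = "badge"   # hypothetical non-biometric fallback method


@dataclass
class Employee:
    employee_id: str
    has_template: bool            # a facial template is currently stored
    attendance_method: str
    consent_given: bool
    consent_withdrawn_on: Optional[date] = None
    left_on: Optional[date] = None


@dataclass
class Decision:
    employee_id: str
    purge_template: bool          # delete the template; attendance records are untouched
    attendance_method: str
    reason: str                   # recorded for the audit trail


def decide(emp: Employee, today: date, grace_days: int) -> Decision:
    """Rule 1: no valid consent -> stop biometric processing now.
    Rule 2: employment ended -> keep the template only through the grace period."""
    if not emp.consent_given or emp.consent_withdrawn_on is not None:
        # Withdrawal takes effect immediately, whatever the employment status.
        return Decision(emp.employee_id, emp.has_template, BADGE,
                        "no valid consent for biometric processing")
    if emp.left_on is not None:
        purge_after = emp.left_on + timedelta(days=grace_days)
        if today > purge_after:
            return Decision(emp.employee_id, emp.has_template, BADGE,
                            f"left {emp.left_on}, grace period ended {purge_after}")
        return Decision(emp.employee_id, False, emp.attendance_method,
                        f"left {emp.left_on}, within grace period until {purge_after}")
    return Decision(emp.employee_id, False, emp.attendance_method,
                    "active employee with valid consent")


def apply_retention_policy(employees: List[Employee], today: date,
                           grace_days: int = 30) -> Dict[str, Decision]:
    """Evaluate every employee and return the decision per employee id."""
    return {e.employee_id: decide(e, today, grace_days) for e in employees}


# Constructed sample data (hypothetical employees and dates).
TODAY = date(2024, 6, 1)
SAMPLE_EMPLOYEES = [
    Employee("alice", True, FACE, True),
    Employee("bob", True, FACE, True, consent_withdrawn_on=date(2024, 5, 20)),
    Employee("carol", True, FACE, True, left_on=date(2024, 4, 1)),   # grace expired
    Employee("dave", True, FACE, True, left_on=date(2024, 5, 15)),   # still in grace
    Employee("erin", False, BADGE, False),  # never consented; already on the fallback
]


def run_sample() -> Dict[str, Decision]:
    return apply_retention_policy(SAMPLE_EMPLOYEES, TODAY, grace_days=30)


if __name__ == "__main__":
    for d in run_sample().values():
        action = "PURGE template" if d.purge_template else "keep"
        print(f"{d.employee_id:6} {action:15} method={d.attendance_method:5} ({d.reason})")
```

Run as a script it prints one line per employee; the point of the structure is that the reason string for every decision is produced alongside the action, so the same routine that purges a template also yields the record the accountability principle asks for.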

How does CheckMet handle data subject access requests?

Our platform includes tools to help you respond to data subject access requests (DSARs) efficiently. You can generate reports that include all personal data associated with an individual, including attendance records and system access logs. For biometric templates, we provide confirmation that a template exists, when it was enrolled and how it is used; the template itself is a numerical representation derived from the face rather than a photograph, is stored encrypted, and is not meaningfully interpretable by a person. It remains personal data, so it is still in scope of the request, and the report records its existence and handling.

Does CheckMet use sub-processors?

Yes, we use a limited number of carefully selected sub-processors to provide our services. All sub-processors are bound by data processing agreements that include the Standard Contractual Clauses where applicable. We provide a current list of sub-processors in our Data Processing Agreement and notify customers of any changes to this list, allowing you to object to new sub-processors as provided in our DPA.

GDPR Resources

Helpful materials for your compliance journey

GDPR Compliance Whitepaper

A comprehensive guide to using CheckMet in a GDPR-compliant manner, including detailed recommendations for each phase of implementation.

Download Whitepaper

DPIA Template

A customizable Data Protection Impact Assessment template specifically designed for facial recognition attendance implementations.

Download Template

Consent Form Templates

Sample employee consent forms for biometric data processing, customizable to your organization's needs.

Download Templates

Employee Privacy Notice

Template privacy notice language explaining facial recognition attendance processing to employees.

Download Template

Need Help with GDPR Compliance?

Our privacy experts are available to answer your questions and provide guidance on compliant implementation.