GDPR Compliance
Designed with privacy built in from the start.
CheckSync is designed with GDPR-conscious handling of personal and biometric data at every layer: consent-aware workflows, role-based access, erasure tooling, and separate audit records with independent retention controls.
CheckSync supports operational sites where data handling must be accountable and defensible. It does not replace legal advice or your organisation's own compliance obligations; it is designed to support them.
How we approach it
Privacy-conscious by design, not by afterthought.
From the moment a visitor arrives at a terminal to the moment their record is erased, CheckSync is built to keep data handling purposeful, auditable and controlled.
Consent-aware workflows
Check-in flows can present consent acknowledgements before processing proceeds. Consent flags are recorded with the attendance event and included in the audit log.
Biometric embeddings, not photographs
Agency worker face verification stores mathematical embeddings derived from facial geometry — not face photographs. No image is retained after the embedding is created.
Erasure tooling
Authorised users can initiate data erasure for individual records where configured. Erasure actions are themselves logged to maintain a complete audit trail of data lifecycle events.
Role-based access to personal data
Access to personal records is gated by role. Receptionists, site managers and finance users each see only the data relevant to their function. No single role has unrestricted access across the system.
Separate biometric audit log
Biometric verification events are recorded in a separate audit log with independent retention controls — distinct from standard attendance records, supporting proportionate data handling under Article 9.
Configurable retention periods
Data retention is configurable per deployment to match your organisation's policy. Records are not retained indefinitely by default — retention is a documented configuration decision, not a system default.
Article 9 — Special category data
Biometric data handled with care.
Biometric data is special category data under GDPR Article 9. CheckSync acknowledges this and is designed accordingly — biometric embeddings are used only for identity verification during sign-in and sign-out, processed under the lawful basis determined by the customer as controller, and retained only for the period required by that basis.
No face photograph is stored at any point. The mathematical embedding derived from facial geometry cannot be reverse-rendered into an image. Enrollment requires explicit consent from the worker before any biometric data is created.
Controller and processor roles
Clear responsibilities from day one.
In a CheckSync deployment, the customer organisation acts as the data controller — determining the purposes and means of processing. Ultrafast Digital acts as the data processor, processing data only on documented instructions.
This relationship is formalised in a Data Processing Addendum signed with each customer before go-live. The DPA covers sub-processor disclosure, breach notification, data subject assistance and audit rights.
Data categories
What CheckSync can process in a production deployment.
Data processed depends entirely on how each customer configures their deployment. Not all data types are used by every site.
Identity
- Full name
- Company or agency name
- Role or job title
Contact
- Email address (optional)
- Phone number (optional)
Visit metadata
- Check-in and check-out timestamps
- Site and terminal
- Host or contact person
- Purpose of visit
Biometric (where configured)
- Mathematical face embedding (not a photograph)
- Verification result and timestamp
- Enrollment consent record
Consent and acknowledgements
- Consent flag per check-in event
- NDA or policy acknowledgement where configured
Audit and administrative
- Sign-in and sign-out event log
- Erasure event log
- Role-based access history
What CheckSync does not do
Honest about what compliance requires.
CheckSync is a tool that supports GDPR-conscious operational records. It is not a compliance guarantee, a legal service, or a substitute for your organisation's own data protection obligations.
- CheckSync does not determine your lawful basis for processing — that is the controller's responsibility.
- CheckSync does not replace a Data Protection Impact Assessment (DPIA) where one is required.
- CheckSync does not provide legal advice or guarantee regulatory compliance.
- CheckSync does not hold ISO 27001, SOC 2 or any formal certification — controls are informed by these frameworks.
Questions about GDPR obligations specific to your organisation should be directed to a qualified data protection professional.
Get started
Data protection questions before your pilot?
Talk directly to the team behind CheckSync. We can walk through how data is handled, what your DPA will cover, and how the platform fits your site's requirements.