Privacy Policy
Last Updated: (v4) 26 Feb 2025
PART A – GENERAL GLOBAL PRIVACY FRAMEWORK
Last Updated: v4 26 Feb 2025
1) Introduction
1.2) About Accel Screening (Hong Kong) Limited (CheckMinistry)
Accel Screening (Hong Kong) Limited, trading as CheckMinistry (“CheckMinistry”, “we”, “us”, or “our”), is an international background screening and verification company headquartered in Hong Kong.
We provide employment background screening, identity verification, regulatory due diligence, and related compliance services to organisations globally through secure, access-restricted systems.
We are committed to protecting personal data and ensuring that all processing activities are conducted lawfully, fairly, and transparently in accordance with applicable data protection laws, including:
- The EU General Data Protection Regulation (GDPR)
- The UK GDPR and Data Protection Act 2018
- The Hong Kong Personal Data (Privacy) Ordinance (PDPO)
- Other applicable data protection and privacy laws in jurisdictions where we operate
1.3) Purpose of This Privacy Policy
This Privacy Policy describes how CheckMinistry processes personal data in connection with our background screening services, website and portal operations, recruitment activities, and business relationships.
It explains:
- What personal data do we collect
- Why and how we process it
- With whom it may be shared
- How long do we retain it
- How we protect it and
- Your rights under applicable data protection laws
1.4) Scope and Applicability
This Privacy Policy applies to personal data processed by CheckMinistry in connection with background screening and verification services, regulatory due diligence, website and portal operations, client and vendor management, recruitment and HR administration, and legal or compliance obligations.
This Policy applies to:
- Candidates / Screening Subjects
- Employer Clients
- Website Users
- Job Applicants
- Employees
- Vendors and Business Partners
Where we process personal data on behalf of an employer-client, the employer-client remains responsible for providing appropriate notices and establishing a lawful basis for processing under applicable law.
1.5) Controller vs Processor Roles
Depending on the circumstances, CheckMinistry may act as either a Data Processor or a Data Controller.
Data Processor
We act as a Data Processor when providing background screening services on behalf of employer-clients who determine the purposes and means of processing. In these cases, we process personal data only under documented instructions, implement appropriate safeguards, enter into required data processing agreements, and do not use the data for our own purposes.
Data Controller
We act as a Data Controller where we independently determine the purposes and means of processing, including for website administration, marketing communications, regulatory compliance, internal governance, recruitment, and vendor due diligence. In certain situations, we may act as a joint controller where required by law.
1.6) Definitions
For this Privacy Policy:
Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable person can be identified directly or indirectly by reference to an identifier such as a name, identification number, location data, online identifier, or other factors specific to their identity.
Sensitive/Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health information, or data concerning a person’s sex life or sexual orientation. Such data is processed only where permitted by law and subject to additional safeguards.
Criminal Conviction Data: Personal data relating to criminal convictions, alleged offences, court proceedings, or related security measures. This data is processed only where legally permitted and in accordance with applicable safeguards.
Processing: Any operation or set of operations performed on personal data, whether by automated means or not, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.
Data Subject: An identified or identifiable natural person whose personal data is processed.
Controller: A natural or legal person that determines the purposes and means of processing personal data.
Processor: A natural or legal person that processes personal data on behalf of a controller.
Profiling: Any form of automated processing used to evaluate personal aspects relating to an individual, including analysis or prediction of performance, reliability, risk indicators, or professional background.
Automated Decision-Making: Decision-making based solely on automated processing that produces legal effects or similarly significant impacts on an individual. CheckMinistry does not make employment decisions; screening reports are provided to employer-clients, who remain responsible for their own decision-making processes.
International Transfer: The transfer of personal data to a country outside the jurisdiction in which it was originally collected. Such transfers are conducted only in accordance with applicable legal safeguards.
2) Categories, Sources, and Purposes of Personal Data Processing
Category of Personal Data | Purpose of Processing | Source / Course of Collection |
Names (including former names/aliases) | Identity verification, background screening, fraud prevention | Provided by you, employer-client, public records, authorised third parties |
Contact Information (phone, email, address history) | Screening communication, verification processes, and service delivery | Provided by you, employer-client, credit bureaus (where permitted), public records |
Date & Place of Birth | Identity matching, jurisdiction-specific checks | Provided by you or the employer-client |
Identification Documents & Biometric Data | Document authentication, identity verification, and fraud prevention | Provided directly by you via a secure portal or through authorised identity verification providers |
Employment History | Employment verification, role confirmation, and regulatory due diligence | Provided by you, employer-client, former employers, references, authorised verification partners |
Education History | Qualification and certification verification | Provided by you, employer-client, educational institutions, and authorised verification partners |
Government-Issued Identification Numbers | Criminal, credit, and regulatory checks (where legally required) | Provided by you or employer-client; verified via authorised government or public sources |
Criminal History & Police Records (where legally permitted) | Criminal background screening, regulatory compliance | Courts, law enforcement agencies, government databases, authorised screening providers |
Credit / Bankruptcy History (jurisdiction dependent) | Financial integrity checks for role-relevant positions | Credit bureaus, insolvency registries, courts, government agencies |
Professional Licenses & Credentials | Regulatory compliance, license verification, and disciplinary checks | Licensing authorities, professional bodies, employer-client, and public records |
Directorship & Corporate Governance History | Corporate affiliation checks, regulatory due diligence | Corporate registries, regulatory authorities, public filings |
Reference Information | Character and professional reference verification | Referees authorised or provided by you |
Driving License & Driving Records (role-specific) | License validation and driving history verification | Provided by you, employer-client, motor vehicle authorities |
Eligibility to Work Information | Verification of legal right to work | Provided by you, employer-client, immigration/government authorities |
Sanctions, Watchlist & PEP Data | Regulatory due diligence, AML-related screening | Sanctions databases, regulatory bodies, and compliance intelligence providers |
Technical & Device Information | Website security, fraud detection, system integrity, analytics | Automatically collected via website/portal (IP address, device, browser, logs) |
Marketing & Communication Data | Business communication, event management, service updates (where permitted) | Provided directly by you via forms, subscriptions, and communications |
Internal Audit & Governance Records | Compliance reviews, dispute management, quality assurance | Generated internally during service provision |
Additional Sources of Personal Information | Details |
Overarching Purposes of Processing | Employment Background Screening; Identity Verification; Regulatory Due Diligence (Sanctions, AML, PEP); Compliance with Legal Obligations; Fraud Detection & Risk Mitigation; Client Reporting; Website & Portal Operations; Marketing Communications (where permitted); Internal Governance & Audit; Security Monitoring. |
Sensitive / Special Category Data | Certain data (e.g., criminal records, biometric data, credit information, sanctions data, government identifiers) may constitute sensitive or special category data in some jurisdictions. |
Conditions for Processing Sensitive Data | Processed only where legally permitted; necessary for the requested screening scope; subject to appropriate technical and organisational safeguards; and based on explicit consent or other lawful basis where required. |
Indirect Collection (Article 14 Transparency) | Personal data may be obtained from employer-clients, former employers, educational institutions, government authorities and courts, regulatory and licensing bodies, credit bureaus (where permitted), publicly accessible records, and authorised verification partners. |
Transparency Commitment | Where required by law, we provide information regarding the categories of data collected, source, purpose, legal basis, recipients, retention periods, and individual rights. |
3) Legal Bases for Processing (Global Overview)
CheckMinistry processes personal data only where a valid legal basis exists under applicable data protection laws.
Depending on the jurisdiction and the context of processing, we rely on one or more of the following legal grounds.
3.1) Performance of a Contract
We process personal data where it is necessary to perform a contract or to take steps before entering into a contract.
This may include:
- Conducting background screening services requested by an employer-client
- Administering service agreements with clients
- Managing user accounts on our secure portal
- Processing employment applications submitted to the CheckMinistry
Where we act as a Data Processor, processing is carried out under contractual instructions from the employer-client.
3.2)Legal Obligation
We may process personal data where necessary to comply with applicable legal or regulatory obligations.
This may include:
- Responding to lawful requests from courts or public authorities
- Maintaining records required by law
- Complying with employment, corporate, or tax regulations
- Meeting regulatory reporting requirements
- Retaining data to comply with statutory retention periods
Processing under this legal basis is limited to what is necessary to fulfil the relevant legal requirement.
3.3) Legitimate Interests
We may process personal data where it is necessary for our legitimate interests or the legitimate interests of our employer-clients, provided such interests are not overridden by the rights and freedoms of the individual.
Legitimate interests may include:
- Conducting employment background screening
- Preventing fraud and misrepresentation
- Ensuring the integrity of hiring processes
- Protecting business operations and systems
- Improving service quality and efficiency
- Managing client relationships
Where required by law (such as under GDPR), we conduct a balancing assessment to ensure that legitimate interests do not override individual rights.
3.4) Consent
We rely on consent where required under applicable law, including where:
- Sensitive or special category data requires explicit consent
- Criminal record checks require authorisation under local law
- Cross-border data transfers require consent
- Marketing communications require opt-in consent
Where consent is relied upon:
- Consent must be freely given, specific, informed, and unambiguous
- Individuals may withdraw consent at any time
- Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal
In many background screening engagements, employer-clients are responsible for obtaining appropriate consent from the individual before initiating screening.
3.5) Public Interest
In certain circumstances, we may process personal data where necessary for reasons of substantial public interest or regulatory compliance, where permitted under applicable law.
This may include:
- Regulatory screening requirements
- Compliance with anti-corruption or anti-fraud frameworks
- Screening required by financial services or regulated sectors
Such processing is conducted only where legally authorised and proportionate.
3.6) Special Category Data Legal Grounds
Special category (sensitive) personal data is processed only where permitted by applicable law and subject to additional safeguards.
Depending on the jurisdiction, we may rely on one or more of the following grounds:
- Explicit consent of the individual
- Processing necessary for employment and social protection law obligations
- Substantial public interest
- Establishment, exercise, or defence of legal claims
- Processing manifestly made public by the individual (where permitted)
Special category data is processed only where strictly necessary and with enhanced technical and organisational safeguards.
3.7) Criminal Conviction Data Safeguards
Personal data relating to criminal convictions, offences, or related security measures is processed only:
- Where authorised by applicable law
- Under appropriate safeguards
- In accordance with jurisdiction-specific requirements (e.g., Article 10 GDPR)
Such safeguards may include:
- Processing under official authority
- Processing where national law permits criminal background checks
- Obtaining explicit consent where required
- Restricting access to authorised personnel only
- Implementing enhanced security measures
Criminal record checks are conducted only where legally permitted and relevant to the position or engagement being screened.
4) Automated Decision-Making & Profiling
CheckMinistry may use technology tools and automated systems to support the efficiency, accuracy, and integrity of background screening services. However, we do not make employment or hiring decisions on behalf of employer-clients.
4.1) Use of Screening Technology Tools
We may use automated tools or systems to assist in:
- Data validation and consistency checks
- Identity verification processes
- Document authentication
- Sanctions and watchlist screening
- Risk flagging or discrepancy detection
- Workflow management and report generation
- Fraud detection and system security monitoring
These tools may involve limited forms of automated processing designed to identify inconsistencies or potential issues requiring further review.
Such processing is used to support, not replace, human assessment.
4.2) Human Review Safeguards
Where automated tools generate flags, alerts, or preliminary findings:
- Trained personnel review the information before any report is finalised
- Relevant verification steps are validated by authorised staff
- Contextual information is considered to ensure accuracy and fairness
- Reports are prepared based on verified data
We implement internal controls to reduce the risk of inaccuracies resulting from automated processing.
4.3) No Solely Automated Employment Decisions
CheckMinistry does not make employment, hiring, promotion, or termination decisions.
We provide factual screening reports to employer-clients based on verified information. Employer-clients remain solely responsible for:
- Interpreting screening results
- Making employment-related decisions
- Conducting any required pre-adverse or adverse action processes where applicable under local law
We do not engage in solely automated decision-making that produces legal effects or similarly significant impacts on individuals within the meaning of applicable data protection laws, unless expressly authorised by law.
4.4) Right to Human Intervention
Where applicable under data protection laws (including GDPR Article 22), individuals have the right:
- Not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects
- To request human intervention where automated processing has materially affected them
- To express their point of view
- To contest a decision
Requests relating to automated processing may be submitted using the contact details provided in this Privacy Policy.
Where CheckMinistry acts as a Data Processor, such requests may be directed to the employer-client, who acts as the Data Controller and is responsible for decision-making processes.
5) How We Share Personal Data
Personal data may be shared in the following circumstances:
Recipient / Scenario | Purpose of Disclosure | Key Safeguards & Conditions |
Employer-Clients | To provide background screening reports and verification findings, including employment/education verification, criminal checks (where permitted), financial checks (where permitted), regulatory and sanctions results, and factual discrepancies. | Disclosed only to the requesting employer-client. Employer-clients are responsible for lawful basis, notice, and employment decisions. Where we act as a Data Processor, disclosure occurs strictly under documented instructions. |
Verification Sources (e.g., former employers, institutions, regulators, courts, credit bureaus, sanctions databases) | To verify information necessary for screening services. | Only the minimum necessary data is disclosed. Appropriate consent, authorisation, or legal basis is relied upon before contact. |
Service Providers (e.g., IT, hosting, identity verification, sanctions screening, analytics, payment processors, professional advisors) | To support operational, technical, and compliance functions. | Subject to data processing agreements, confidentiality obligations, and security requirements. May process data only under our instructions and not for independent purposes. |
Affiliates / Corporate Group | For service delivery, administration, governance, compliance, and system support. | Shared under confidentiality obligations and appropriate security safeguards. |
Regulators & Public Authorities | To comply with legal obligations, court orders, subpoenas, regulatory requirements, or to protect rights and safety. | Disclosed only where legally required and proportionate to the request. |
Legal Claims & Disputes | To establish, exercise, or defend legal claims, enforce contractual rights, or investigate suspected violations. | Limited to what is necessary for the specific legal purpose. |
Business Transfers (e.g., merger, acquisition, restructuring, insolvency) | To facilitate corporate transactions. | Subject to confidentiality obligations and continued data protection compliance. Individuals will be notified where required by law. |
Important:
- We do not sell/share/rent personal data
- We do not disclose personal data for unrelated third-party marketing purposes
- All disclosures are made only where necessary, lawful, and proportionate to the purpose of collection
6) International Data Transfers
Due to the cross-border nature of background screening services, personal data may be transferred to, accessed from, or stored in jurisdictions outside the country in which it was originally collected.
CheckMinistry ensures that any international transfer of personal data is conducted in accordance with applicable data protection laws and appropriate safeguards.
6.1) Cross-Border Nature of Screening
Background screening frequently requires verification of employment, education, criminal records, financial history, or professional credentials in jurisdictions where the individual has previously resided, studied, or worked.
As a result, personal data may be transferred across borders:
- To contact verification sources in other countries
- To access public or regulatory databases abroad
- To provide screening reports to employer-clients located internationally
- To engage authorised service providers supporting global screening operations
International transfers are conducted only where necessary and proportionate to the screening scope.
6.2) Adequacy Decisions
Where personal data is transferred from jurisdictions that recognise certain countries as providing an adequate level of data protection (such as the European Commission’s adequacy decisions under GDPR), we may rely on such adequacy decisions as a lawful transfer mechanism.
Transfers to countries deemed adequate by relevant authorities may proceed without additional transfer safeguards.
6.3) Standard Contractual Clauses (SCCs)
Where required under the GDPR or similar legal frameworks, we rely on approved Standard Contractual Clauses (SCCs) to safeguard transfers of personal data to countries that do not benefit from an adequacy decision.
SCCs impose contractual obligations on recipients of personal data to:
- Protect the transferred data
- Implement appropriate technical and organisational measures
- Respect data subject rights
- Provide effective legal remedies where applicable
Where we act as a Data Processor, SCCs may be implemented between:
- Employer-clients (as Data Controllers); and
- CheckMinistry or other authorised sub-processors
6.4) UK International Data Transfer Agreement (IDTA)
For transfers of personal data subject to the UK GDPR, we may rely on:
- The UK International Data Transfer Agreement (IDTA), or
- The UK Addendum to the EU Standard Contractual Clauses
These mechanisms are used to ensure compliance with UK data protection requirements for international transfers.
6.5) Transfer Impact Assessments (TIAs)
Where required by applicable law, we conduct Transfer Impact Assessments (TIAs) to evaluate:
- The legal framework of the recipient country
- The risk of access by public authorities
- The effectiveness of contractual safeguards
- Any supplementary technical or organisational measures required
Where necessary, we implement additional safeguards such as:
- Encryption
- Access controls
- Data minimisation
- Contractual restrictions on onward transfers
6.6) Explicit Consent (where required)
In certain jurisdictions, explicit consent may be required before transferring personal data across international borders.
Where consent is relied upon:
- Individuals will be informed of the potential risks of international transfers
- Consent will be obtained before transfer, where legally required
- Individuals may withdraw consent in accordance with applicable law
Where CheckMinistry acts as a Data Processor, employer-clients are responsible for obtaining any required consent before initiating cross-border screening.
6.7) Data Localisation Requirements (where applicable)
Certain jurisdictions impose data localisation requirements or restrictions on cross-border transfers.
Where applicable:
- We assess whether personal data must be stored locally
- We comply with mandatory security assessments or filing requirements
- We implement jurisdiction-specific safeguards as required by law
If local law restricts the transfer of certain categories of data (such as sensitive or criminal data), we process such data in accordance with those restrictions.
7) Data Retention
CheckMinistry retains personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, regulatory, contractual, and operational requirements.
Retention periods vary depending on the nature of the service, jurisdiction, contractual obligations, and applicable laws.
7.1) Screening Data
Background screening data is generally retained for up to seven (7) years from the date of the screening order, unless a different period is agreed, a shorter period is required by law, or extended retention is necessary for legal or regulatory compliance.
Where we act as a Data Processor, retention follows employer-client instructions, subject to legal obligations.
7.2) Legal & Contractual Requirements
Personal data may be retained longer where required by law, regulatory investigations, court orders, tax or employment laws, anti-fraud obligations, or contractual agreements. Upon service termination, data may be returned or securely deleted, subject to mandatory retention requirements.
7.3) Secure Deletion & Backups
When no longer required, personal data is securely deleted, anonymised, or archived with restricted access. Backup copies are retained only for disaster recovery, with controlled access and defined lifecycle management.
8) Data Security
CheckMinistry implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Security measures are proportionate to the nature, volume, sensitivity, and risk associated with the data processed, and aligned with applicable legal requirements.
8.1) Technical & Organisational Safeguards
We maintain secure hosting environments, firewalls, network protections, endpoint controls, system monitoring, and secure configuration management. Access to personal data is restricted on a need-to-know basis through role-based controls, unique credentials, strong authentication measures (including multi-factor authentication where appropriate), and regular access reviews.
Encryption and secure transmission protocols (such as TLS) are used where appropriate, including encryption of sensitive data at rest and secure key management practices.
8.2) Vendor & Personnel Controls
Third-party service providers are subject to due diligence, contractual data protection obligations, and security requirements. They may process personal data only in accordance with documented instructions.
Employees receive periodic training on data protection, confidentiality, and incident reporting, and are bound by confidentiality obligations.
8.3) Secure Disposal & Backups
When retention obligations expire, personal data is securely deleted, overwritten, anonymised, or physically destroyed, as appropriate. Backup data is retained only for disaster recovery purposes and managed under controlled lifecycle procedures.
8.4) Data Breach Management
We maintain a structured incident response process to detect, investigate, and respond to data breaches. Where required by law, we notify the relevant supervisory authority without undue delay (and within 72 hours where applicable).
When acting as a Data Processor, we notify the relevant Data Controller without undue delay. Where a breach poses a high risk to individuals, affected persons will be informed as required by law.
All incidents are documented in an internal breach register to ensure accountability and compliance.
9) Governance & Accountability
CheckMinistry maintains an internal governance framework to ensure compliance with applicable data protection laws and to demonstrate accountability in the processing of personal data. We implement appropriate policies, procedures, and oversight mechanisms to ensure personal data is processed lawfully, fairly, and securely.
9.1) Records of Processing Activities (RoPA)
Where required by law (including GDPR Article 30), we maintain Records of Processing Activities documenting the categories of data processed, purposes, data subjects, recipients, international transfers, retention periods, and security measures. These records are periodically reviewed and updated.
9.2) Data Protection Impact Assessments (DPIAs)
Where processing is likely to result in high risk to individuals’ rights and freedoms, we conduct Data Protection Impact Assessments to assess necessity and proportionality, identify risks, and implement mitigation measures.
9.3) Legitimate Interest Assessments (LIAs)
Where processing is based on legitimate interests, we conduct and document Legitimate Interest Assessments to ensure appropriate balancing of interests and implementation of safeguards.
9.4) Internal Compliance Framework
We maintain internal policies covering data protection, information security, access controls, retention practices, incident response, and vendor risk management.
9.5) Audit & Review
Our privacy and data protection practices are periodically reviewed to assess compliance, evaluate safeguards, and address evolving regulatory requirements.
9.6) Management Accountability
Senior management oversees data protection compliance, allocates appropriate resources, and ensures effective governance and risk management structures are in place.
9.7) Data Protection Officer & EU/UK Representative (If Applicable)
Where required by applicable law, CheckMinistry appoints a Data Protection Officer (DPO) and/or designates an authorised EU and/or UK Representative. These roles act as contact points for supervisory authorities and individuals, and are responsible for supporting and monitoring compliance with applicable data protection laws. Where a DPO is not legally required, designated personnel within the organisation assume these responsibilities.
10) Data Subject Rights (Global Overview)
Depending on your location and the applicable data protection laws, you may have certain rights in relation to your personal data.
The availability and scope of these rights may vary by jurisdiction.
Where CheckMinistry acts as a Data Processor on behalf of an employer-client, we may be required to refer your request to the employer-client, who acts as the Data Controller and is responsible for responding to such requests.
Right | Description |
Right of Access | You may request confirmation of whether we process your personal data, obtain access to it, receive a copy, or obtain information about how it is processed. Requests may be subject to identity verification and legal limitations. |
Right to Rectification | You may request correction of inaccurate, incomplete, or outdated personal data. Where we act as a Data Processor, correction requests may need to be directed to the employer-client. |
Right to Erasure | In certain circumstances, you may request deletion of your personal data (e.g., where data is no longer necessary, consent is withdrawn, processing is unlawful, or erasure is legally required). This right is not absolute, and we may retain data for legal, regulatory, or legitimate business purposes. |
Right to Restriction | You may request restriction of processing where accuracy is contested, processing is unlawful, but deletion is opposed, data is required for legal claims, or an objection is pending verification. Restricted data will be stored but not otherwise processed except as permitted by law. |
Right to Object | Where processing is based on legitimate interests or public interest grounds, you may object based on your particular situation. We will cease processing unless compelling legitimate grounds apply. You may object at any time to direct marketing. |
Right to Data Portability | Where applicable, you may request to receive personal data you provided in a structured, commonly used, machine-readable format, and request transfer to another controller where technically feasible. This applies only where processing is based on consent or contract and carried out by automated means. |
Withdrawal of Consent | Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect prior lawful processing and may impact our ability to provide certain services. |
Right to Know Recipients | You may request information about categories of recipients, international transfers, and applicable safeguards. Where disclosure is restricted, category-level information may be provided. |
Right to Lodge a Complaint | You may contact us regarding concerns and/or lodge a complaint with a competent supervisory authority in your jurisdiction. Individuals in the EU or UK may contact their local data protection authority. We encourage contacting us first to resolve concerns. |
Exercising Your Rights
To exercise your rights, please contact us at:
Email: info@checkministry.com
We may:
- Request additional information to verify your identity
- Decline requests that are manifestly unfounded or excessive
- Respond within applicable legal timeframes (e.g., one month under GDPR, subject to extension where permitted)
11) Marketing & Communications
CheckMinistry may process personal data for marketing and business communications where permitted by law. Marketing communications are limited to service updates, newsletters, events, and industry insights relevant to professional audiences.
11.1) Lawful Marketing
We send marketing communications only where:
- Consent has been obtained (where required)
- Communications relate to an existing business relationship
- Processing is based on legitimate interests that do not override individual rights
11.2) Opt-Out Rights
Individuals may opt out at any time via the unsubscribe link, by contacting us directly, or by updating their preferences. Opting out does not affect essential service or legal communications.
11.3) Electronic Communications Compliance
Marketing activities are conducted in accordance with applicable data protection and electronic marketing laws, including GDPR, UK GDPR, PDPO, and relevant anti-spam regulations.
12) Cookies & Tracking Technologies
CheckMinistry uses cookies and similar tracking technologies to ensure website functionality, enhance user experience, improve performance, and support security and analytics.
We may use essential cookies (required for website operation), performance and analytics cookies, functional cookies, and, where applicable, marketing cookies.
Where required by law, we implement a consent management mechanism that allows users to accept, reject, or modify preferences for non-essential cookies at any time.
For detailed information about the cookies we use, their purposes, retention periods, and how to manage your preferences, please refer to our separate Cookie Policy, available on our website.
13) Children & Minors
CheckMinistry’s services are not directed to children. Our background screening and verification services are designed for employment, regulatory, and professional due diligence purposes and are intended for individuals of legal working age.
Our website and portal are not intended for individuals under the age of 16, or such higher minimum age as required under applicable law. We do not knowingly collect personal data from children for marketing or general website purposes.
In limited circumstances where local employment laws permit processing of a minor’s data, we will do so only where authorised by law and with required parental or legal guardian consent.
If we become aware that a child’s personal data has been collected without an appropriate legal basis or consent, we will take reasonable steps to delete it. If you believe this has occurred, please contact us using the details in this Privacy Policy.
14) Updates to This Policy
CheckMinistry may update this Privacy Policy from time to time to reflect changes in applicable laws, regulatory requirements, services, processing activities, security practices, or organisational structure.
The most current version will always be available on our website and will display the effective or “Last Updated” date.
Review Process
This Privacy Policy is reviewed periodically to ensure ongoing compliance with applicable data protection laws and alignment with our operational practices. Reviews may occur annually, upon introduction of new services, following regulatory changes, or after significant operational updates.
Notification of Material Changes
Where material changes significantly affect how personal data is processed, we will take appropriate steps to provide notice, which may include website announcements, updating the revision date, or notifying employer-clients directly where required.
We will not materially reduce the level of data protection provided under this Privacy Policy without appropriate notice and, where legally required, consent.
PART B – COUNTRY / REGION-SPECIFIC ADDENDA
1) European Union & United Kingdom (GDPR / UK GDPR)
This section applies to individuals located in the EU and UK where the GDPR or UK GDPR applies. In the event of conflict, this section prevails for EU/UK data subjects.
Lawful Bases (Article 6)
We process personal data only where a lawful basis applies, including:
- Contract (Art. 6(1)(b)): Performance of or steps prior to a contract
- Legal Obligation (Art. 6(1)(c)): Compliance with regulatory requirements
- Legitimate Interests (Art. 6(1)(f)): Including background screening and fraud prevention, balanced against individual rights
- Consent (Art. 6(1)(a)): Where required by law
Where we act as a Data Processor, the employer-client determines the lawful basis.
Special Category & Criminal Data (Articles 9 & 10)
Special category data is processed only where a condition under Article 9(2) applies (e.g., explicit consent, employment law obligations, substantial public interest, or legal claims) and subject to enhanced safeguards.
Criminal conviction data is processed only in accordance with Article 10 and applicable national laws, and only where legally permitted and role-relevant.
Indirect Collection (Article 14)
Where personal data is not obtained directly from the individual, we provide transparency regarding data categories, sources, purposes, legal basis, recipients, transfers, retention, and rights, subject to Article 14(5) exemptions where applicable.
Automated Decision-Making (Article 22)
We use automated tools to support screening processes, but do not make employment decisions. Human review is applied before report issuance. Employer-clients remain responsible for employment decisions.
International Transfers (Chapter V)
Where data is transferred outside the EU or UK, we rely on lawful mechanisms such as adequacy decisions, Standard Contractual Clauses (SCCs), the UK IDTA/Addendum, and supplementary safeguards where required, including Transfer Impact Assessments where appropriate.
Supervisory Authorities
Individuals may lodge a complaint with a competent supervisory authority, including the UK Information Commissioner’s Office (ICO) or the relevant EU supervisory authority. We encourage individuals to contact us first.
EU/UK Representative
Where required under Article 27 GDPR or UK GDPR, we designate an EU and/or UK Representative whose details will be made available where applicable.
2) Hong Kong (PDPO)
This section applies to personal data processed in Hong Kong under the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). Where we control the collection, holding, or use of personal data, CheckMinistry acts as a Data User.
Data User Obligations
We collect personal data only for lawful and directly related purposes, ensure it is adequate and not excessive, maintain accuracy, implement appropriate security measures, retain data only as long as necessary, and provide transparency and access/correction rights.
Our practices align with the six Data Protection Principles (DPP1–DPP6), covering lawful collection, accuracy and retention, proper use, security, openness, and access/correction rights.
Where we act on behalf of an employer-client, processing is carried out in accordance with contractual instructions and applicable law.
Direct Marketing
Personal data is not used for direct marketing without prescribed consent. Individuals are informed of intended use, and may opt out at any time, free of charge. We do not provide personal data to third parties for direct marketing without explicit consent.
Access & Correction
Individuals in Hong Kong may request access to and correction of their personal data. Requests must be made in writing, may require identity verification, and are processed within statutory timeframes (generally 40 days). A reasonable fee may apply.
Where we act as a processor, requests may be referred to the employer-client.
Cross-Border Transfers
Although Section 33 (cross-border restrictions) is not yet in force, we apply appropriate safeguards when transferring personal data outside Hong Kong, including confidentiality obligations, contractual protections, and proportionate security measures.
3) Mainland China (PIPL)
This section applies to individuals located in the People’s Republic of China (excluding Hong Kong SAR, Macau SAR, and Taiwan), where the Personal Information Protection Law (PIPL) applies. In the event of inconsistency, this section prevails for individuals in Mainland China.
Consent & Sensitive Personal Information
Where required under the PIPL, we obtain separate and explicit consent before processing Sensitive Personal Information, conducting cross-border transfers, disclosing data to third parties, publicly disclosing information, or processing beyond the original purpose.
Sensitive Personal Information may include biometric data, health and financial information, location data, criminal records, religious beliefs, and personal information of minors under 14. Such data is processed only where necessary for a specific purpose, subject to strict safeguards and separate consent where required.
Where we act on behalf of an employer-client, the employer-client is responsible for ensuring appropriate consent has been obtained.
Cross-Border Transfers & Localisation
Where personal information is transferred outside Mainland China, we comply with PIPL cross-border requirements, which may include security assessments, standard contracts, certification mechanisms, and separate consent. Where required by law, certain data may be stored within Mainland China. We monitor and comply with applicable localisation and transfer regulations.
Individual Rights
Individuals in Mainland China may have rights to know, access, copy, correct, delete, restrict processing, withdraw consent, request explanations, and request data transfer where legally applicable.
Requests may require identity verification. Where we act as a commissioned party (similar to a data processor), requests may be referred to the relevant employer-client.
4) Canada (PIPEDA)
This section applies to individuals located in Canada where the Personal Information Protection and Electronic Documents Act (PIPEDA) applies. In the event of inconsistency, this section prevails for Canadian residents.
Accountability
CheckMinistry is responsible for personal information under its control, including data transferred to third parties for processing. We implement privacy policies, designate responsible personnel, apply contractual safeguards, and maintain security measures proportionate to the sensitivity of the information.
Consent
PIPEDA generally requires knowledge and consent for the collection, use, and disclosure of personal information, subject to legal exceptions. Consent may be express or implied, depending on sensitivity; express consent is typically required for sensitive information (e.g., financial or criminal data). Consent may be withdrawn, subject to legal or contractual limitations. Where we act on behalf of an employer-client, the employer-client is responsible for obtaining appropriate consent.
Access & Correction
Individuals have the right to request access to and correction of their personal information. Requests must be submitted in writing and may require identity verification. We respond within statutory timeframes (generally 30 days), subject to permitted exceptions. Where we act as a service provider, requests may be referred to the employer-client.
Cross-Border Processing
Personal information may be processed outside Canada. We use contractual safeguards to ensure a comparable level of protection, although foreign authorities may access data under local laws.
Complaints
Individuals may file a complaint with the Office of the Privacy Commissioner of Canada (www.priv.gc.ca). We encourage individuals to contact us first to address any concerns.
5) United States
This section applies to personal information of individuals residing in U.S. states with applicable privacy legislation, including California, Virginia, Colorado, and Connecticut.
Where CheckMinistry processes personal information solely on behalf of an employer-client, we act as a “service provider” or “processor” under applicable state law, and requests may be directed to the employer-client acting as the “business” or “controller.”
5.1) California (CCPA / CPRA)
This section applies to California residents under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
Categories of Personal Information Collected
We may have collected identifiers, professional and employment information, education information, financial information (where permitted), sensitive personal information (including government identifiers and criminal data where permitted), internet/network activity, and inferences from screening results. We collect only what is necessary for the purposes described in this Policy.
Categories of Sources
Information is collected from employer-clients, individuals directly, verification sources, public records, government authorities, service providers, and website interactions.
Business Purposes
Personal information is processed for background screening, identity verification, regulatory due diligence, fraud prevention, client reporting, legal compliance, security monitoring, and website operations.
Sale or Sharing Disclosure
We do not sell/share/rent personal information or share it for cross-context behavioural advertising. Disclosures to service providers are made for business purposes under written agreements.
Your Rights
Subject to legal exceptions, California residents have the right to:
- Know the categories, sources, purposes, and specific pieces of personal information collected
- Request deletion
- Request correction of inaccurate information
- Opt out of sale or sharing (we do not sell/share/rent)
- Limit the use of sensitive personal information (used only for legitimate screening and compliance purposes)
We will not discriminate against you for exercising your California privacy rights.
5.2) Virginia (CDPA)
Under the Virginia Consumer Data Protection Act (CDPA), Virginia residents may have the right to:
- Confirm whether we process their personal data
- Access and obtain a copy of their personal data
- Correct inaccuracies
- Request deletion
- Opt out of targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects
Where applicable, individuals may appeal a decision regarding a privacy rights request.
5.3) Colorado (CPA)
Under the Colorado Privacy Act (CPA), Colorado residents may have the right to:
- Access personal data
- Correct inaccuracies
- Delete personal data
- Obtain a portable copy of personal data
- Opt out of targeted advertising, sales, or certain profiling
Requests are handled in accordance with applicable statutory timelines.
5.4) Connecticut (CTDPA)
Under the Connecticut Data Privacy Act (CTDPA), Connecticut residents may have rights to:
- Confirm processing of personal data
- Access personal data
- Correct inaccuracies
- Delete personal data
- Obtain portable copies
- Opt out of targeted advertising, sales, or profiling
5.5) Other Applicable U.S. State Laws
As additional U.S. states enact privacy legislation, individuals residing in those states may have similar rights, including:
- Access
- Correction
- Deletion
- Portability
- Opt-out of sale or targeted advertising
- Appeal rights
We will comply with applicable state privacy laws where they apply to our processing activities.
5.6) Exercising U.S. Privacy Rights
Requests may be submitted using the contact details provided in this Privacy Policy.
We may:
- Verify identity before responding
- Decline requests where permitted by law
- Respond within applicable statutory timeframes
Where CheckMinistry acts solely as a service provider to an employer-client, requests may be directed to the employer-client acting as the business or controller.
6) Other Jurisdictions (As Applicable)
CheckMinistry operates internationally and may process personal data subject to laws not specifically listed in this Privacy Policy. Where applicable, we process personal data in accordance with local data protection laws, contractual obligations, international data protection principles, and lawful instructions from Data Controllers.
6.1) Compliance with Local Laws
Where required, we will apply appropriate lawful bases, provide additional transparency, implement jurisdiction-specific safeguards, facilitate local data subject rights, comply with breach notification requirements, and implement lawful cross-border transfer mechanisms.
If local law imposes stricter requirements than this Policy, those requirements will prevail.
6.2) Country-Specific Supplements
We may issue jurisdiction-specific privacy supplements where required by local regulations. Such supplements form part of this Privacy Policy where applicable.
For jurisdiction-specific questions, please contact us.
7) Contact Information
For general or privacy-related inquiries, including data subject rights requests, please contact:
Email: info@checkministry.com
Website: www.checkministry.com
Telephone: +852 3105 5090
Subject Line (for privacy requests): Data Subject Request
Please describe your request clearly and provide sufficient information to verify your identity. We may request additional details and will respond in accordance with applicable law. Where we act as a Data Processor, requests may be referred to the relevant employer-client.
Registered Address:
Accel Screening (Hong Kong) Limited (CheckMinistry)
12/F, Man On Commercial Building, 12–13 Jubilee Street, Central, Hong Kong
