ZKTeco Data Privacy Framework Policy
Last Modified: July 2025
This Data Privacy Framework Policy (“Policy”) (formerly Privacy Shield) describes how ZKTeco (“ZKTeco,” “we,” “us” or “our”) collects, uses, and discloses certain personally identifiable information that we receive in the United States from the European Union (“EU Personal Data”), the United Kingdom (“UK Personal Data”), and Switzerland (“Swiss Personal Data” and combined with EU Personal Data and UK Personal Data, the “Personal Data”). This Policy applies to all of our United States legal entities, subsidiaries and/or affiliates that exist now or in the future.
1. Commitment to Compliance.
a. ZKTeco complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. ZKTeco has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (the “EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. ZKTeco has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (the “Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
b. ZKTeco commits to cooperate and comply respectively with the advice of the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.
c. If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively, the “Principles”), the Principles shall govern.
d. ZKTeco recognizes that the EU, UK, and Switzerland have established strict protections regarding the handling of Personal Data, including requirements to provide adequate protection for Personal Data transferred outside of their respective jurisdictions. To provide adequate protection for all Personal Data regarding consumers, clients, suppliers, business partners, job applicants and employees received in the US, ZKTeco has elected to self-certify to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF administered by the US Department of Commerce. ZKTeco adheres to the EU-US Data Privacy Framework Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.
e. The Federal Trade Commission has jurisdiction over ZKTeco’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
f. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, ZKTeco commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.
2. Personal Data Collection and Use
We may receive the following categories of Personal Data in the U.S.: (i) employment and HR information; (ii) commercial information; (iii) demographic information; and (iv) consumer-specific information (including biometric information).
a. Within these categories, we may collect information such as an individual’s name, location, name of employer, professional role, job qualifications (such as educational degrees earned), phone number, email address, user ID, biometric template, and badge ID.
b. We process Personal Data for the following purposes: (i) to provide our services, including with respect to billing, identification, and authentication; (ii) to contact and communicate with our clients regarding our services, and (iii) for employment-related purposes including to process employment-related data in the U.S. and evaluate job candidates. We process Personal Data based on: (i) consent, (ii) contractual necessity, (iii) legal obligations, (iv) legitimate interests, or (v) vital interests. Data subjects whose personally identifiable information we process include clients (and their respective employees or other users) and other legal persons, suppliers, business partners, job applicants, independent contractors, and employees.
c. We will only process Personal Data in ways that are compatible with the purpose of collection, or for purposes the individual later authorizes. Before we use your Personal Data for a purpose that is materially different than the purpose we collected it for, or that you later authorized, we will provide you with the opportunity to opt out. We maintain reasonable procedures to help ensure that Personal Data is reliable for its intended use, accurate, complete, and current.
d. We may collect the following categories of sensitive Personal Data, including but not limited to criminal history and biometric template information, as may be required by our customers for identification of their employees within the employment context. When we collect sensitive Personal Data, we will obtain your opt-in consent where the EU-U.S. DPF requires, including if we disclose your sensitive Personal Data to third parties, or before we use your sensitive Personal Data for a different purpose than we collected it for or than you later authorized. Certain exceptions to our obligation to obtain affirmative opt-in consent to process sensitive personal data are where the processing is: (i) in the vital interests of the individual or another person; (ii) necessary for the establishment of legal claims or defenses; (iii) required to provide medical care or diagnosis; (iv) carried out in the course of legitimate activities by certain foundations, associations, or other non-profit bodies; (v) necessary to carry out employment law-related obligations; (vi) related to data made public by the individual. Biometric data will be stored using encryption at rest and in transit. We will implement retention limits for biometric templates and provide clear notice before collection. In states with biometric privacy laws (Illinois, Texas, Washington, etc.), we will obtain written consent and comply with all applicable requirements.
e. ZKTeco commits to cooperate with the EU/EEA data protection authorities, the UK Information Commissioner’s Office and the Gibraltar Regulatory Authority, and the Swiss Data Protection and Information Commissioner and comply with the requirements of such authorities with regard to Personal Data transferred from the EU, the UK, and Switzerland.
3. Data Transfers to Third Parties.
We may transfer Personal Data to our third-party agents or service providers who perform functions on our behalf. ZKTeco will select third-party agents or service providers who comply with the DPF Program and limit their use of the data to the specified services provided on our behalf, in order to provide the same level of protection that the DPF Program requires. We take reasonable and appropriate steps to ensure that third-party agents and service providers process Personal Data in accordance with our DPF Program obligations and to stop and remediate any unauthorized processing. In addition to DPF certification, we may use Standard Contractual Clauses approved by the European Commission for data transfers. Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of Personal Data that we transfer to them.
4. Disclosures for National Security or Law Enforcement.
Under certain circumstances, we may be required to disclose your Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements, or as otherwise required by law. ZKTeco is not liable for the use or re-disclosure of Personal Data by such recipients.
5. Security
We maintain reasonable and appropriate security measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the DPF Program.
6. Access Rights
You may have the right to access the Personal Data that we hold about you and to request that we correct, amend, or delete it if it is inaccurate or processed in violation of the DPF Program. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances, or where it would violate the rights of someone other than the individual requesting access or where the data is controlled by your employer who acts as the Data Controller. We do not knowingly collect Personal Data from individuals under 16 years of age. If you would like to request access to, correction, amendment, or deletion of your Personal Data, you can contact ZKTeco at: [email protected].
7. U.S. State Privacy Rights
Residents of California, Virginia, Colorado, Connecticut, and Utah may have additional rights under state privacy laws, including: right to know categories of personal information collected; right to deletion; right to opt-out of sale/sharing; right to non-discrimination; right to correct inaccurate information.
8. Questions or Complaints.
a. The Federal Trade Commission has jurisdiction over ZKTeco’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In compliance with the DPF Principles, ZKTeco commits to resolve DPF Principles-related complaints about our collection or use of your Personal Data. Data Subjects with inquiries or complaints regarding our handling of Personal Data received in reliance on the DPF should first contact ZKTeco by e-mailing [email protected].
b. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, ZKTeco commits to resolve complaints about our collection or use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our Policy should first contact ZKTeco at: [email protected].
c. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, ZKTeco commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
d. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your Personal Data within 45 days of receiving your complaint.
9. Binding Arbitration.
You may have the option to select binding arbitration for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your complaint directly with us and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the U.S. Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see U.S. Department of Commerce’s EU-U.S. DPF: Annex I of the DPF Principles.
10. Contact Us
Please address any questions or concerns regarding this ZKTeco Data Privacy Framework Policy or ZKTeco’s practices concerning Personal Information by:
Emailing our privacy contact at [email protected]
If email is not available, please contact us in writing at:
Headquarters
4515 George Rd Suite 370 Tampa, FL 33634
New Jersey Office
200 Centennial Avenue Suite 211 Piscataway, NJ 08854
This ZKTeco Data Privacy Framework Policy was last revised in July 2025.
11. Changes to This Policy
We reserve the right to amend this Policy from time to time to be consistent with the DPF Program’s requirements.