Prometric Privacy Policy

Last update: January 2025

General information

Prometric LLC is a Delaware, USA, limited liability company with its principal place of business located at 1501 South Clinton Street, Baltimore, Maryland 21224 USA (hereafter, “Company”, “us” or “we”). Prometric may act as the data controller or as data processor depending on its relationship to the data subject.

This Privacy Policy (“Policy”) has been drafted and implemented in accordance with the principles set forth herein, to describe our practices regarding the collection and processing of Personal Data about test candidates, clients, contractors and partners. Prometric pays particular attention to the respect of privacy and Personal Data and is committed to complying with this Policy and in accordance with Applicable Law.

In particular, the Company is committed to complying with all data protection laws where the company operates, including:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”);
  • The California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”);
  • The Personal Information Protection Law of the People's Republic of China (“PIPL”);
  • Other relevant data protection regulations where the Company operates.

As part of its certification, the Company complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and to the rights of EU, UK, and Swiss data subjects. As such, Prometric is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC).

“Applicable Law” refers to the relevant country data protection law or applicable regulation relating to data protection.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


1. What types of Personal Data do we collect?

Prometric collects the following Personal Data depending on your relationship to the Company and Applicable Law:

  • Contact details including name, address, telephone number, country-specific identification number, email address, login and password information
  • Date of birth
  • Gender
  • Candidate test scheduling details
  • Test assessment details, including test candidate ID number, examinations taken and when, scores related to those exams, how many times an exam or any particular section of exams have been taken
  • Social Security numbers where required by test sponsor for candidates (US)
  • Payment and financial institution information
  • Residence and country of citizenship
  • Photograph
  • Signature
  • Video recordings
  • Audio recordings (as permissible by law and only in specific jurisdictions)
  • Information from identification, verification, or eligibility documents
  • Transaction and Relationship Information including elements that reveal candidate test patterns, test locations, test results, and information about how Prometric websites and applications are used.

In addition, Prometric may process special categories of Personal Data, as permitted by Applicable Law, that may include:

  • Biometrics (fingerprint images and templates, facial images and templates)
  • Health information or medical data related to test candidates’ requests for testing accommodations
  • Race or ethnicity, as permitted by Applicable Law

The Company will not use special categories of Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the data subject unless Prometric has received your affirmative and explicit consent (opt-in).


2. How do we collect your Personal Data?

In most cases Prometric collects such Personal Data directly from the individual data subject.

However, in other cases we may receive information from test sponsors or from third party data suppliers to help us better understand our customers. When a candidate visits Prometric’s website, registers or takes an exam, uses our applications, or contacts us we also collect transaction information for customer service purposes.

All Personal Data collected by Prometric via our mobile applications is protected and processed according to the terms of this Policy. We also offer automatic ("push") notifications only to those who opt-in to receive such notifications from us. No individual is required to provide location information to Prometric or to enable push notifications to use any of our mobile aware applications.

Collection of Biometric Data

Biometric Enabled Check-In System and Prometric’s remote proctoring platform (known as ProProctor) are designed to improve the security and integrity of the testing process in a way that protects test candidate privacy while confirming test candidate identity. These technologies are used for identity verification purposes, to detect and prevent fraud and misrepresentation, to maintain the integrity of the testing process, and improve the security of test centers and remotely-proctored exams.

3. Why do we collect your Personal Data?

On behalf of our test sponsors, Prometric collects your Personal Data for the purposes of:

  • Scheduling test examinations
  • Verifying identity
  • Administering tests and payments
  • Managing customer service requests
  • Detecting and preventing fraud and misrepresentation by unauthorized candidates
  • Conducting data analytics to maintain the integrity of the testing process
  • Reporting test results to candidate and test sponsor
  • Conducting marketing activities, subject to Applicable Law

For suppliers and other third parties, Prometric collects your Personal Data for the following purposes:

  • Supplier management and administration
  • Invoice processing
  • Know-your-supplier due diligence and other legal requirements

If Personal Data covered by this Policy is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a third party in a manner not specified in this Policy, Prometric will provide you with an opportunity to choose whether to have your Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Personal Data should be sent to the Company as specified in the "How to Contact Us" section below.


4. What are the legal bases of processing your Personal Data?

Personal Data is generally collected and processed according to the following legal bases:

  • Your consent for the collection and processing of special categories of Personal Data.
  • Your consent if required by Applicable Law for cross-border data transfers.
  • The performance of a contract which includes registering and scheduling for a test, administering that test, fraud prevention and processing of the results.
  • For legitimate business purposes such as invoice processing and financial account management, backup purposes to facilitate business continuity, test center management, business planning, contract management, improvement of testing services provided to our customers, proposing related services and products to existing test candidates, website administration, fulfillment, analytics, security and fraud prevention, corporate governance, disaster recovery planning, auditing, and reporting.
  • Compliance with any legal or regulatory obligations.

5. Disclosure of Personal Data

Third parties who may process your Personal Data include other Company affiliates, authorized test centers, test sponsors and our service providers acting as processors for the Company, providing the following services: data hosting, test administration services, business productivity applications, customer service support and customer relationship management software.

Government agencies may access Personal Data as the results of lawful requests, including to meet national security or law enforcement requirements.

Biometric data may be disclosed to a third party only:

  • For an investigation related to alleged misconduct solely for the purposes of an investigation of cheating, unauthorized testing, or other test candidate misconduct.
  • In relation to lawful requests by regulatory, legal or government agencies with jurisdiction and/or authority to make such requests.

We execute contracts as required by Applicable Law with our third-parties to ensure that Personal Data is processed in compliance with this Policy and any other appropriate confidentiality and security measures.

If you are a EU, UK, or Swiss data subject, where we transfer your Personal Data to third party service providers as indicated above and who perform services for us or on our behalf, Prometric is responsible for the Processing of that data by them and shall remain liable if they process your Personal Data in a manner inconsistent with the DPF principles referred to below unless we prove that we are not responsible for the event giving rise to the damage.

6. How do we store your Personal Data?

Depending on the nature of your relationship with Prometric and per Applicable Law, we store your Personal Data at our secure Oracle cloud infrastructure with servers located in Ashburn, Virginia, United States.

Prometric follows a comprehensive Records Management Program and related retention schedule that it adheres to for the purposes of retention, storage and destruction of all records created in the course of its business including those containing Personal Data. We also deploy a Data Management strategy that segregates data based on regionally located data servers.

Subject to Applicable Law, our Company will keep your Personal Data for the duration of the processing, for the lesser period of:

  • five (5) years from the date of the last service, test or assessment; or
  • the expiration of the purpose for which the Personal Data was collected; or
  • the laws of the applicable jurisdiction where the Personal Data was collected.

Prometric will not keep Personal Data longer than necessary for the above-mentioned purposes. However, Prometric may retain Personal Data longer if necessary to comply with Applicable Law or if necessary to protect or exercise its rights.

Storing of Biometric Data

All biometric data collected in computer-based test centers is securely transferred to and securely stored within Prometric’s secure data center in the European Union and is retained according to Applicable Law in the jurisdiction where it was collected. Biometric data is stored and secured in Microsoft Azure for a period of thirty (30) days.

7. Transfers of Personal Data

In some cases, the use of third parties may involve the transfer of Personal Data to other countries. Our business processes often require the transfer of Personal Data between the Company and its affiliated entities internationally.

If Personal Data is processed within the EU/EEA, and in the event Personal Data is disclosed to third parties or in a country not considered as providing a sufficient level of protection according to Applicable Law, then the Company will ensure:

  • The implementation of standard contractual clauses as may be approved by the EU Commission;
  • The adoption of appropriate organizational, technical and legal safeguards to govern the said transfer and to ensure the necessary and adequate level of protection under Applicable Law.
  • If necessary, will evaluate the circumstances of the transfer and the legislation of the third country, and if required, complete a data transfer impact assessment to determine if supplemental measures are required to be implemented.

For Personal Data not processed within the EU/EEA, and in the event Personal Data are disclosed to third parties located outside the data subject’s jurisdiction, the Company will ensure that necessary safeguards are in place to protect Personal Data by implementing appropriate legal mechanisms including, as relevant, standard contractual clauses and / or obtaining appropriate consent from data subjects. Those mechanisms may differ depending on the country and relevant Applicable Law.

In regards to cross-border data transfers to the United States, Prometric complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce.

The Company has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the EU and the UK in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. The Company has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

8. What are your rights?

Depending on the jurisdiction and Applicable Law, you may have the following rights related to your Personal Data:

  • Right to access
  • Right of rectification
  • Right to erasure
  • Right to restrict processing
  • Right to object to processing
  • Right to data portability
  • Right to decide how your Personal Data is used posthumously

The exercise of such rights is subject to limitations provided by Applicable Law and relevant guidance from Supervisory Authorities.

To exercise your rights, the data subject may contact the Company as described in the section “How to contact us.” We may ask for proof of identity in order to respond to the request. If we can’t satisfy your request (refusal or limitation) then we will justify our decision in writing.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Prometric commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data.

EU, UK, and Swiss Data Subjects with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact the Company as described in section “How to contact us and complaint handling.”

California Privacy Rights

California Civil Code Section 1798 allows California residents to ask companies with whom they have an established business relationship to provide certain information about the companies’ sharing of Personal Data with third parties for direct marketing purposes. Prometric does not share any California consumer Personal Data with third parties for marketing purposes without consent. If you are a test candidate, Prometric will provide your Personal Data to your test sponsor, who may use the information in accordance with its own privacy policies.

9. How do we protect your Personal Data?

Prometric implements a variety of security measures, such as technical, physical and administrative safeguards in order to protect all Personal Data from security incidents or unauthorized disclosure, and more generally from a Personal Data Breach. These security measures are recognized as appropriate security standards in the industry and include, inter alia, access controls, password, encryption, strict time limits for erasure, logging mechanisms and regular security assessments.

In the event of a Personal Data Breach potentially impacting your personal data, Prometric follows its Incident Response Plan and will promptly take appropriate action to mitigate the risks to data subjects. Such measures may include notifying the appropriate Supervisory Authority and the impacted data subjects, while providing the relevant details of the incident and mitigation measures as may be mandated under Applicable Law (i.e. GDPR or PIPL).

Prometric's Information Security Program is reviewed several times annually by multiple third-party organizations to ensure it meets or exceeds the highest benchmarks available for security and data privacy and protection. In addition, employees and contractors are obligated to promptly report any known or suspected instance of misuse, loss or unauthorized access.

10. Processing of Personal Data under the People’s Republic of China Personal Information Protection Law (‘PIPL’)

This section applies when Personal Data is located within the borders of the People’s Republic of China (PRC) or when Personal Data is processed by one of our companies located in the PRC.

In accordance with Article 13 of the PIPL, Personal Data may be collected for the following purposes:

  • Based on an individual’s consent;
  • For the performance of contracts, for legitimate business interests;
  • To fulfill statutory duties and responsibilities or statutory obligations;
  • To process publicly available data;
  • To meet legal requirements.

Following the requirements set out under Article 23 of PIPL and the contents mentioned under Section 4, the transfer and sharing of your Personal Data to a third party will not be made without (1) your specific consent if applicable, or (2) to fulfill the statutory duties under Applicable Law.

Based on the purposes prescribed in this Policy, Personal Data may be transferred to a country or region outside your residence for Processing. At such time, the Company will protect the security of the Personal Data in accordance with Applicable Law, including but not limited to implementing access controls, passwords, encryption standards, strict time limits for retention periods, logging mechanisms and regular security assessments.

The Company will fully inform you of the cross-border data transfer in accordance with Article 39 of PIPL prior to transferring your Personal Data outside the PRC and will obtain your consent, informing you of the following: the name of the outbound receiver, the contact information, the purpose of the Processing, the method of Processing, the type of Personal Data, and remind you of the methods and procedures by which you can exercise your rights under the PIPL. We will request your explicit and separate consent to do this.

As may be required, the Company will carry out a cross-border data transfer risk assessment in accordance with Applicable Law if Personal Data is transferred outside of the PRC.

Under PIPL, Sensitive Personal Data is defined as Personal Data that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the Personal Data of minors under the age of 14.

In line with the PIPL and as detailed in Section 2, the processing of Sensitive Personal Data is subject to the separate consent of the individual and is conducted for a specific business-related purpose.

Prometric will not collect Personal Data from minors under the age of 14 without the separate consent of the parent or other guardian. We will only use or disclose Personal Data about a child to the extent permitted by law, pursuant to applicable laws and regulations, to seek parental consent or to protect a child.

In the event of a Personal Data Breach, Prometric shall bear civil liabilities to the data subject if it infringes the rights of the data subject’s personal data, without prejudice to the administrative, criminal or other legal liabilities that shall be assumed by the Data Controller under the PIPL.

11. Changes to Privacy Policy

The Company may need to update its Policy in order to comply with new or different privacy practices. An updated version of this policy will be made available via an appropriate channel and will apply to data collected subsequent to its effective date.

12. How to Contact Us and Complaint Handling

For any inquiries, comments or concerns about this Policy, or in order to exercise the privacy rights permitted by Applicable Law related to Personal Data, please contact our Data Protection Officer at the following address: privacy@prometric.com

You can also submit a request related to your personal data by clicking on the following link and completing all of the required fields in the form: Personal Data Requests

You may also reach us via postal mail at:

         Prometric Privacy Program Manager

         Prometric LLC, 1501 South Clinton Street

         Baltimore, Maryland 21224 USA

Data subjects have the right to file a complaint directly with the competent Supervisory Authority in their relevant jurisdiction or may take legal action per Applicable Law.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Prometric commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.