Is your business ready to take advantage of the future of finance? Learn how Open Banking has evolved and how your business can maximise the opportunities it presents.

Open Banking Privacy Notice

TRANSUNION OPEN BANKING SERVICE PRIVACY NOTICE

Version: 1.1
Date adopted: 12th April 2019

This document provides an overview about how we use and share personal data that we receive and use in connection with the account information services we provide to consumers and the TransUnion Open Banking Service that we provide to our business clients. It covers the following topics:

  1. WHO WE ARE AND HOW YOU CAN CONTACT US

  2. WHAT WE USE PERSONAL DATA FOR

  3. WHAT KINDS OF PERSONAL DATA WE USE, AND WHERE WE GET IT FROM

  4. WHAT OUR LEGAL GROUNDS FOR HANDLING PERSONAL DATA ARE

  5. WHO WE SHARE THE PERSONAL DATA WITH

  6. WHERE THE PERSONAL DATA IS STORED AND SENT

  7. HOW LONG THE PERSONAL DATA IS KEPT FOR

  8. WHETHER THE PERSONAL DATA IS USED TO MAKE AUTOMATED DECISIONS ABOUT YOU OR TO PROFILE YOU

  9. YOUR RIGHTS IN RESPECT OF THE PERSONAL DATA THAT WE HOLD ABOUT YOU

  10. WHO YOU CAN COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA

You have the right to object to our use of your personal data.  Please see section 9 to find out more.

This privacy notice should be read together with the Terms and Conditions for the Service we are providing to you.  A copy of the Terms and Conditions is available by contacting consumer@transunion.com. It contains the meanings of certain words we use here, such as “Account”, “Service”, “Referring Company” and “Your Bank”.

  1. WHO WE ARE AND HOW YOU CAN CONTACT US

We are TransUnion International UK Limited, which is a company registered in England and Wales with company number 03961870. Our trading address and registered office is at One Park Lane, Leeds, West Yorkshire LS3 1EP.  

TransUnion International UK Limited forms part of a larger group of companies known as the TransUnion Information Group, however this privacy notice only applies to the use of personal data obtained by TransUnion International UK Limited in connection with the delivery of this Service unless we say otherwise.

We are a controller of the personal data covered by this privacy notice.  This means that we are responsible for ensuring that your personal data is used fairly and lawfully.

You can contact us about issues relating to personal data, including the contents of this notice, by any of the following methods:

Post:

Consumer Services Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email:

consumer@transunion.co.uk

Telephone:

0330 024 7574

  1. WHAT WE USE PERSONAL DATA FOR

This section explains the purposes for which we use personal data about you.  More details about the types of personal data that we might use for these purposes can be found in section 3 below.

  • Providing the TransUnion Open Banking Service to the organisation that has directed you to us (also called the “Referring Company” in this notice)

We use your personal data to provide the TransUnion Open Banking Service (as described in section 4 below) to the Referring Company that you are dealing with.  In particular, we electronically provide the organisation with the information it requires to conduct an affordability assessment of your finances prior to offering you a service or a financial product.  This is to save you from having to provide paper copies of your Account information to the Referring Company.

As part of the TransUnion Open Banking Service we provide to the Referring Company, we also store copies of your personal data for reporting and audit purposes.

  • Product/systems improvement, development and testing

We may sometimes use your personal data while improving, developing or testing our products and systems.  This includes making sure that our data categorisation is accurate and that our security measures are working properly.  Where possible, we will anonymise or pseudonymise (partially anonymise) the data before doing this.

  • Legal and regulatory purposes

We may use your personal data for legal and regulatory purposes.  For example, this might include responding to complaints or enquiries from you or a regulator about how we have used your personal data.

  1. WHAT KINDS OF PERSONAL DATA WE USE, AND WHERE WE GET IT FROM

We obtain and use information from various different sources in the delivery of this Service.  These are summarised in the following table.

Type of information

Description

Source

A unique identifier and declared salary

A unique identifier (not your name) will be assigned to you by the Referring Company.  Information you have provided to the Referring Company about your current salary may also be provided to us.

We obtain this information from the Referring Company.  

Information about your Account, including account details, transactions and regular payments.

This includes the following information:

  • your account name, number, sort code and balance;

  • details of your incoming and outgoing transactions;

  • details of your direct debits, standing orders and payee agreements you have set up.

This information is obtained from Your Bank.

Your requests and enquiries

This is information you provide to us when you are visiting our website (such as clicking on buttons to confirm your consent) or as part of another request or enquiry (for instance, to obtain technical support).

We obtain this information directly from you.

 

  1. WHAT OUR LEGAL GROUNDS FOR HANDLING PERSONAL DATA ARE

This section explains the legal basis on which we process your personal data when delivering this Service to you and the TransUnion Open Banking Service to the Referring Company.

Please note that, while we require your explicit consent to provide this Service under financial regulations, we do not require your explicit consent to process your personal data in connection with the provision of this Service under data protection laws.  This is because our legal basis for processing your personal data is based on the following legal grounds (rather than your consent).

  • Performance of our contract with you

Where you give your explicit consent to use this Service, you enter into a contract with us for the provision of this Service, which is governed by these Terms and Conditions.

In order to provide you with this Service that you have consented to in accordance with the Terms and Conditions, we will need to obtain your personal data and share your personal data with the Referring Company.

  • Legitimate Interests

The UK's data protection laws allow us to use your personal data where necessary for legitimate purposes provided that this isn't outweighed by the impact it has on you.  The law calls this the "legitimate interests" basis for processing personal data.

The legitimate interests we are pursuing are:

Interest

Explanation

Delivery of the TransUnion Open Banking Service (which includes requesting Information about your nominated Account(s) from Your Bank, passing this Information to the Referring Company and undertaking analysis of your Information to help the Referring Company make its assessment about you)

As noted above, where you consent to this Service, we are bound by the terms of our contract with you to collect your personal data and share this with the Referring Company.

We also have a commercial interest in offering the TransUnion Open Banking Service to our clients that have a need for it for the growth of our business, and the use of personal data is essential to the delivery of this service and therefore to fulfil this commercial interest.

Improving, developing and testing our products and services

We have an interest in improving, developing and testing our products in order to help ensure that our services are processing data accurately and that we remain competitive.  This includes ensuring that our products can provide accurate results for our clients, and including more data in our processes helps improve the accuracy of results.

Providing support services

We are required to provide ancillary and support services to clients, which includes reporting on the services we have provided for audit purposes and assisting you with any technical queries you may have about the Service.

Performance Monitoring

We have an interest in monitoring the performance of our services, to help identify any technical errors or areas of improvement.

 

Our use of personal data is subject to an extensive framework of safeguards that help make sure that your rights are protected. These include the information you are given in this notice about how your personal data will be used and how you can exercise your rights to obtain your personal data, have it corrected or restricted, object to it being processed, and complain if you are dissatisfied. These safeguards help sustain a fair and appropriate balance so that our activities do not compromise your interests, fundamental rights and freedoms.

  • Compliance with legal and regulatory obligations

The UK's data protection laws allow us to use your personal data where necessary in order to comply with the legal and regulatory obligations that apply to us.  For example, in order to provide the Service, we have to comply with our obligations as a registered account information service provider under the Payment Services Regulations 2017.  This means that we use your personal data as required under these regulations.

  1. WHO WE SHARE THE PERSONAL DATA WITH

  • The Referring Company / Our client

The purpose of this Service is to enable the electronic sharing of your Account information between Your Bank and the Referring Company you are dealing with to obtain a service or financial product.  This organisation will be our client, as they will have appointed us to provide this Service for you and their other customers.

In the delivery of this Service, we facilitate the sharing of information between Your Bank and the Referring Company.

  • Our group companies

We may share your personal data with other companies in the TransUnion Information Group for the purposes of improving, developing and testing our existing product and services and new product development.  A list of the relevant TransUnion Information Group companies is set out below:

Group company

Main trading address

Registered office

TransUnion Information Group Limited**

(company no. 4968328)

**The legal name of this company will change to TransUnion Information Group Limited with effect from 30 April 2019

One Park Lane, Leeds, West Yorkshire LS3 1EP

One  Park Lane, Leeds, West Yorkshire LS3 1EP

DecisionMetrics Limited

(company no. 5202547)

Smart Analytics Limited

(company no. 4127933)

Kingfisher Court, Yew Street, Stockport, Cheshire SK4 2HG

TransUnion Baltics, UAB

(company no. 302689020)

4th Floor, Zalgirio Arena, Karaliaus, Mindaugo pr. 50, Kaunas LT- 44333, Lithuania

Vilniaus m. sav . Vilniaus m. J. Jasinskio g. 16B, LT-01112, Lithuania

 

  • Service Providers

We may provide your information to third parties who help us use it for the purposes described in section 2.  For example:

  • our products may be hosted by third party cloud platform providers on our behalf;

  • we may use third parties to support, maintain and test our products and services and to help us to answer consumer queries.

These service providers may also be our group companies, some of which are listed above.

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations.  

  • Business transfers

If we sell our business to a third party, or go through a corporate re-organisation, we will transfer personal data to the company that acquires the business.

If an acquirer intends to use your personal data in a way which is not set out in this notice, they will contact your shortly after the acquisition to inform you about how they are going to use your data.

  • Regulators

We may be compelled to share personal data with our regulators, including the Information Commissioner's Office and the Financial Conduct Authority.

  1. WHERE THE PERSONAL DATA IS STORED AND SENT

Within Europe

We are based in the United Kingdom, and will access and use personal data from here. One of our group companies is based in Lithuania, and so personal data may be accessed from there too. In these locations, the use of the information is protected by European data protection standards.

The Referring Company that you are dealing with, and that will be receiving your personal data, may have operations outside of Europe – please check its own privacy notice for further details.

Outside Europe

We may also send information elsewhere in the world. For example:

  • When one of our overseas group companies or branch offices based overseas needs to use the information.

  • Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.

While countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

  • Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.

  • Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection. One example is the “Privacy Shield” scheme that has been agreed between the European and US authorities.

You can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.

  1. HOW LONG THE PERSONAL DATA IS KEPT FOR

We keep your personal data only for as long as necessary for the purposes for which it is used, as set out in section 2 above.

We will keep a record of your personal data used in connection with this Service and the TransUnion Open Banking Service for a period of two years.

Where we use your personal data in connection with the improvement, development and testing of our products and services, we may keep your information for a period of two years.  If we have anonymised your data in connection with this purpose, we may keep and use anonymous data indefinitely.

Where we use your personal data to comply with our legal and regulatory requirements, we will typically retain a copy of your personal data for a further period of six years after we used it for that purpose.

  1. WHETHER THE PERSONAL DATA IS USED TO MAKE AUTOMATED DECISIONS ABOUT YOU OR TO PROFILE YOU

We do not use the personal data obtained from the delivery of this Service to make automated decisions about you.  

Our role is to obtain this information from Your Bank and deliver it to the Referring Company (our client). The information that we share with our client in the delivery of this Service may then be used by our client to conduct an affordability assessment, which will help them to make a decision about providing a service or financial product to you.  However, our clients will also hold other information about you which will help inform their decision.

We would recommend contacting the Referring Company that you are dealing with if you require further information about how they will use the personal data we provide to them in the delivery of the TransUnion Open Banking Service.

  1. YOUR RIGHTS IN RESPECT OF THE PERSONAL DATA THAT WE HOLD ABOUT YOU

You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please use the contact details set out in section 1.

  • Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it.  We may need to ask you to provide additional information to help us to confirm that the personal data we hold is yours.

  • Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.

  • Objection to legitimate interests: If you disagree with us relying on the legitimate interests grounds for using your personal data (see section 4 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.

  • Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it. For example, if you ask us to erase personal data which we are required to keep under the legal and regulatory obligations that apply to us, we will not be able to action your request.

  • Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.

  • Portability: In some circumstances you have the right to request that we send to you or a third party a copy the personal data you have provided to us in a portable format. However, in the delivery of this Service we are predominantly using personal data provided to us from other sources and not from you directly, which means the right will rarely apply.

  • Withdrawal of consent: While we rely on your consent to access this Service, we do not rely on your consent to process your personal data in the delivery of this Service, therefore your right to withdraw consent does not apply.

  1. WHO YOU CAN COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA

We try to ensure that we deliver the best levels of customer service, but if you are not happy about how we use your personal data you should contact us so that we can investigate your concerns.  Please contact us using the details in section 1.

You can also contact our Data Protection Officer at: dpo@transunion.co.uk

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the UK. You can do this online through the ICO’s website at www.ico.org.uk/concerns, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.