Version: 1.13
Date adopted: 17 July 2024
This privacy notice explains how we use and share personal data in connection with our credit risk and affordability assessments, anti-fraud and anti-money laundering checks, verification, debt tracing services and some of our related services. It also describes your data protection rights, including a right to object to some of the processing which TransUnion carries out. More information about your rights, and how to exercise them, is set out in section 9 below.
You have the right to object to our use of your personal data. Please see section 9 to find out more.
1. Who are we and how can you contact us?
2. What do we use personal data for?
3. What kinds of personal data do we use, and where do we get it from?
4. How long is the personal data kept for?
5. What is our legal basis for handling personal data?
6. Who do we share the personal data with?
7. Where is the personal data stored and sent?
8. Is the personal data used to make decisions about you or to profile you?
10. Who can you complain to if you are unhappy about the use of your personal data?
We are TransUnion International UK Limited, which is a company registered in England and Wales with company number 03961870. Our trading address and registered office is at One Park Lane, Leeds, West Yorkshire LS3 1EP.
We are part of TransUnion Information Group (TU UK), which has its headquarters at the above address. Some of the members of TU UK are listed in section 6 below. TU UK forms part of a larger group of companies but this privacy notice only covers the activities of TU UK.
We are a controller of the personal data covered by this privacy notice. This means that we are responsible for ensuring that the personal data is used fairly and lawfully.
We sometimes act jointly with one or more of the other TU UK companies when making decisions about your personal data. In particular, we make joint decisions when we and another TU UK company are sharing personal data with each other.
Our members of staff work across TU UK group companies so, where our group companies make decisions jointly, those members of staff will ensure that each company involved complies with data protection rules. You can contact our Consumer Services Team if you want to enquire about any of our group companies or exercise any of your rights in respect of your personal data.
You can contact us about issues relating to personal data, including the contents of this notice, through our Consumer Enquiries page.
Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.
This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we might use for these purposes can be found in section 3 below.
We use your personal data to provide services to the organisation you may be dealing with. These services might include, for example, credit risk assessment, affordability assessment for credit and non-credit purposes, customer management, vulnerability management, anti-fraud and anti-money laundering checks, verification services, tenant vetting, staff vetting and tracing for debt collection purposes. We may also use your personal data to provide such services in relation to you in a specific role: for example, where you are acting as guarantor in relation to a personal loan to another individual, or as a director or business owner where the relevant business is applying for a commercial loan.
If you have applied for credit from one of our clients, they will send your data to us so that we can find you in our databases and return information about your credit history. They will use that information in order to assess your creditworthiness and decide whether you will be able to repay them.
If you have been given credit by one of our clients, we may be asked to monitor your credit files and send our client an alert if, for example, you receive a court judgment or become insolvent, or where there is a significant deterioration in your repayment behaviour.
If you are registered as having a vulnerability, we may be asked to provide this information to our clients to support credit risk assessments, customer management and overall customer experience purposes, so that they are aware of the presence of a vulnerability and can take appropriate steps in customer management.
If you need to prove your identity to an organisation, they may check the details you provide against the information on our databases or carry out ID document verification and facial biometrics in order to help confirm that you are who you say you are.
If you fill in a form on one of our clients’ websites as part of an onboarding process, we may collect behavioural information about your interactions with such form to alert our clients to potentially fraudulent activity.
When you have dealings with an organisation, for example a bank, they may submit your telephone number, email address, internet protocol (IP) address, bank account and card numbers to us so we can alert them to the possibility of a stolen identity or where there have been past fraud indicators associated with those details.
When you apply for a tenancy, the landlord or letting agent might check some aspects of your financial history (such as any CCJs or bankruptcies) to help them decide whether you would be a suitable tenant and are likely to pay the rent.
If you owe money to one of our clients and have moved without telling them, they may use our services in order to find your new address and other contact details so that they can contact you to arrange repayment.
When you apply for credit (or if you have existing credit), affordability checks using your data can help our clients understand whether you are likely to be able to afford the repayments. Affordability checks can also help our clients assess your eligibility for non-credit products. These checks help our clients identify individuals who may be financially over-committed and can help prevent over-indebtedness.
Examples: affordability assessment
Utility companies may perform affordability checks (either at an individual or a household level) to help them understand whether individuals or households applying for financial assistance with bills and/or other payments meet the eligibility criteria to receive it. This helps to ensure that financial assistance is most appropriately directed at financially vulnerable individuals and households.
Gaming organisations may use affordability checks to help identify individuals at risk of gambling-related harm. Our retail clients may use affordability checks to assess the risk that you might not be able to afford non-credit commitments or potential costs related to a product or service. This may help them decide whether they want to offer a particular product or service to you.
Other examples of affordability checks include: an automobile subscription service that may want to assess the likelihood of whether you could afford additional liabilities; or an online marketplace that may want to identify individuals or businesses at risk of not being able to afford to fulfil orders.
We may also process your personal data after services have been provided to our clients if, for example, we need to investigate any issues around the data that has been sent to us, stored by us or if we need to restore our systems in the event of a data loss incident.
More information about how we (and other credit reference agencies) use personal data in these kinds of service can be found in the Credit Reference Agency Information Notice.
We use personal data to provide services to organisations other than the one you are directly dealing with.
If we receive a large number of identity verification checks against a particular person in a short space of time, this may be an indicator that someone is attempting to commit identity theft or another form of fraud. When this happens, we use that indicator to provide real time fraud alerts to clients who have subscribed to that service.
If you have provided your details to an organisation in order to confirm your identity, we may retain those details and link them to other details we hold about you so that if a fraudster attempts to use some of your details to apply for credit with a different organisation, we can raise a potential fraud alert with that organisation.
We may also provide personal data to public sector bodies (for example police, local and central government) to assist them in carrying out their public duties including: the investigation, prevention and detection of crime and the apprehension and prosecution of offenders; missing persons investigations; the assessment and collection of taxes and other statutory payments including the detection of fraudulent benefit claims; the protection of the public purse; national security and the defence of the realm. Data may include the full electoral register, but only where those public sector bodies are entitled to access that data themselves (for specific, limited purposes) under the relevant legislation.
More information about how we (and other credit reference agencies) use personal data in these kinds of service can be found in the Credit Reference Agency Information Notice.
We use, and allow our clients to use, information to carry out profiling of consumers through statistical analysis. This includes the creation, validation and use of scorecards, models, and attributes in connection with the assessment of risks relating to credit, fraud, affordability and debt collection. It is also used in verifying identities, to monitor and predict market trends and to enable clients to refine lending and fraud strategies, and loss forecasting.
This helps us to determine the likelihood that a consumer with certain characteristics will act in a way that will produce certain outcomes; for example, to repay credit, to be able to afford credit, to claim on an insurance policy, to commit fraud, to respond to certain collection strategies or to become insolvent.
Example: fraud models
When you are looking to set up a new account or use new services (for example, signing up to a new credit card, setting up a new online retail account, or renting a new property), our clients may seek to verify your identity to ensure they are dealing with you and not a fraudster. Our modelled data involves mapping your personal information (such as email address, mobile number and bank details) to produce a score that can help predict the likelihood that your information is being used fraudulently and/or that you have been a victim of fraud.
We may also convert your personal data into statistical or aggregated form so that you are not identified or identifiable (thereby creating anonymised data). Anonymised data is not personal data and we may use such data to carry out research and analysis, including to produce statistical research and reports or for any other purposes.
Product or systems development and testing
We sometimes use personal data for demonstrating, developing, improving, monitoring, maintaining and testing our products and systems. This includes making sure that our security measures are working properly. Where possible, we will anonymise, pseudonymise or aggregate the data before doing this.
Consumer queries; legal and regulatory purposes
We may use your personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from you or a regulator about how we have used your personal data.
If you object to us processing your personal data, we will need to use your personal data to assess your request.
If you make a complaint about us to our regulators, they will normally ask us to investigate your case. This will involve accessing your personal data in the course of that investigation.
Similarly, if you start court proceedings against us, we will normally need to review how we have used your personal data in order to defend ourselves against your claim.
When a client uses our services, they will typically send us information such as:
When we receive that information, we match it against the other information that we hold (or obtain from third parties) in order to find and return additional information about you. Depending on the service we are providing, this can include information such as your credit history, credit score, any court judgments or insolvency-related events, property ownership data, fraud indicators, financial transaction information provided via open banking, and additional contact details or address history. It can also include similar kinds of information about people who are financially associated with you.
Some of the information we hold about you may include name and address information from the electoral register (or the electoral roll). There are two versions of this. One is known as the open register (or the edited electoral roll) and can be used for a variety of purposes including marketing, tracing (including online directories used to find friends and family), asset reunification and identity verification. The other is the full register which we can only use for limited purposes, including crime prevention. We use and share this data in accordance with The Representation of the People (England and Wales) regulations 2001 (as amended) and equivalent legislation in Scotland, Northern Ireland and the Isle of Man.
More information about the kinds of personal data we hold, and where we get it from, can be found in the Credit Reference Agency Information Notice.
When we receive personal data from a client in order to provide services to them, we will keep a copy of that data for up to fifteen months in order to investigate any data supply or data load issues, restore our systems in the event of a data loss incident, and in order to investigate and respond to any complaints, claims and enquiries that we may receive from consumers, clients or regulators.
We may keep data that has been provided to us for identify verification purposes for up to six years and three months in order to help stop fraudsters – see examples under “Fraud Alerts” in section 2 above.
Information about how long we keep data in our capacity as a credit reference agency is available in the Credit Reference Agency Information Notice.
This section explains the basis on which we process your personal data.
The UK’s data protection law allows the use of your personal data where necessary for legitimate purposes provided that this is not outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.
The legitimate interests we are typically pursuing when providing services to our clients are:
Interest | Explanation |
---|---|
Promoting responsible lending and helping to prevent over-indebtedness. | Responsible lending means that lenders only sell products that are affordable and suitable for the borrowers’ circumstances. We help ensure this by sharing personal data about potential borrowers, their financial associates where applicable, and their financial history. We also help to protect consumers by preventing over-indebtedness in other areas, such as online gambling. A comprehensive range of measures exists in the UK to underpin the balance so that the legitimate interests are not outweighed by the interests, fundamental rights and freedoms of individuals. Further explanation about this balance is set out below. |
Helping prevent and detect crime and fraud; anti-money laundering; and identity verification | We provide identity, anti-fraud and anti-money laundering services to help clients meet legal and regulatory obligations, and to the benefit of individuals to support identity verification and support of the detection and prevention of fraud and money-laundering. |
Supporting tracing and collections | We provide services that support tracing and collections where there is a legitimate interest in the client conducting activity to find its customer and to recover the debt, or to reunite, or confirm an asset is connected with, the right person. We also assist debt collection agencies in predicting, analysing and evaluating the costs of debt recovery to enable them to determine the value of a debt book. |
Complying with and supporting compliance with legal and regulatory requirements | We have to comply with various legal and regulatory requirements, and our services also help other organisations comply with their own legal and regulatory obligations. For example, many kinds of financial services are regulated by the Financial Conduct Authority or the Prudential Regulation Authority, who impose obligations to check that financial products are suitable for the people they are being sold to. We provide data to help with those checks. We also use the data to assist our gambling clients to comply with obligations imposed on them by relevant legislation and the Licence Conditions and Codes of Practice (LCCP) published by the Gambling Commission. |
Our use of personal data is subject to an extensive framework of safeguards that help make sure that your rights are protected. These include the information you are given about how your personal data will be used and how you can exercise your rights to obtain your personal data, have it corrected or restricted, object to it being processed, and complain if you are dissatisfied. These safeguards help sustain a fair and appropriate balance so that our activities do not compromise your interests, fundamental rights and freedoms.
We sometimes need to use your personal data in order to comply with a legal obligation that we are under. For example, if you submit a request to us for a copy of your personal data, either directly or through a third party that you have authorised to act on your behalf, we will normally be legally required to provide that personal data. See section 9 below for details of what requests you can make and how to make them.
We share personal data with our clients for the purposes described in section 2 above. Our clients will each have their own privacy notices which will provide more information about how they (specifically) use the data we supply.
Our clients typically operate in the following sectors:
In some cases, our clients may appoint an intermediary to act on their behalf; these intermediaries will often receive the data too. We also appoint data resale partners who will distribute data to their clients in a similar manner to the ways we do.
We may share your personal data among the members of TU UK. If we do so, then use of the data by those companies will be governed by this privacy notice. A list of relevant TU UK companies is set out below, although the list may be updated from time to time.
Group company | Main trading address / registered office |
---|---|
TransUnion Information Group Limited (company no. 4968328) | One Park Lane, Leeds, West Yorkshire LS3 1EP |
TransUnion International UK Limited (company no. 3961870) | |
Callcredit Marketing Limited (company no. 2733070) |
We may also share your personal data with other non-UK based companies within the wider TransUnion group. This includes:
We may provide your information to third parties who help us use it for the purposes described in section 2. For example, our databases of personal data may be hosted by third parties on our behalf. More detail is provided below in respect of our key service providers.
Category of service provider | Role performed for TransUnion | Where processing takes place |
---|---|---|
Customer Identity and Engagement | Validates telephone numbers and confirms possession of mobile devices, to assist with the detection and prevention of fraud or financial crime. | The USA and the Netherlands and, in some cases, Serbia and Lithuania |
Authentication and anti-fraud | Uses JavaScript and first and third party cookies to collect device-identifying technical data from users of our clients’ websites or mobile apps. This is in order to identify suspicious and/or high risk devices to assist with the detection and prevention of fraud or financial crime. | The USA |
Digital identity and anti-fraud | Validates email and Internet Protocol (IP) addresses to assist with the detection and prevention of fraud or financial crime. | European Union and, in some cases, the USA |
Customer identity verification | Uses a government-issued ID document alongside a ‘live’ photographic image to check for fraud indicators. | European Union, the USA and in some cases Israel, the Philippines, Japan and India |
Mobile and digital identity authentication | Uses a mobile phone number to check for fraud indicators and cross checks personal data (name, address, date of birth) against data held by Mobile Network Operators (MNOs) to verify consumers’ identities and for the detection and prevention of fraud. | European Union (United Kingdom, Germany, Jersey and Republic of Ireland) |
Anti-money laundering checks | Flags individuals who may be politically exposed persons (PEPs) or subject to financial sanctions. | The European Union (Dow Jones) |
Identity verification and fraud prevention | Hosting of a model that maps individuals’ personal information (name, address, phone number, email address, bank account and card details) to help detect and prevent fraud. | European Union |
Anti-fraud | Uses JavaScript to collect behavioural attributes when end users interact with an online form on our clients’ websites or mobile apps. This is to identify trusted or anomalous behaviour to assist with the detection and prevention of fraud. | The USA |
These service providers will not be allowed to use your information for their own purposes unless you have been notified of this purpose or given your consent.
You are entitled to obtain copies of the personal data that we hold about you. You can find out how to do this in section 9 below.
Similarly, your financial associates are also entitled to obtain copies of the personal data that we hold about them.
For a broader description of how we share data in our capacity as a credit reference agency, please refer to the Credit Reference Agency Information Notice.
If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.
Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required for the legal protection of our legitimate interests in compliance with applicable laws. For example, we may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.
We may share anonymised information with other third parties, but only where the information cannot realistically be identified as relating to you.
We are based in the United Kingdom and will access and use your information from here. However, we also have operations elsewhere in Europe and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.
We may also send personal data to some of our service providers or clients who have operations within the European Union.
We also send information elsewhere in the world. For example:
While the UK and countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information when required. For example, these safeguards might include:
If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.
In almost all cases, we do not use your personal data to make automated decisions about you or to profile you.
We provide data and analytics that help our clients make decisions about lending and other matters (such as preventing fraud or protecting consumers), but our clients’ own data, knowledge, processes and practices will also generally play a significant role in their decisions – and those decisions will always be for them to make.
For example, when we sell our services to credit or loan providers, we do not decide whether or not you should be granted credit or a loan – this is for the lender to decide. Similarly, where we provide information to gambling companies, we do this to help them protect vulnerable consumers or those at risk of becoming overindebted. However, they will ultimately decide how to act upon that information, taking into account their legal and regulatory obligations.
Where our resale partners ask us for a copy of your credit information, we need to verify your identity in order to ensure that your credit information is not given out to fraudsters. This is an automated process and it could result in you being declined access to the services provided by that resale partner if we cannot verify your identity.
We use the data we hold to produce credit, risk, fraud, identity, affordability, screening, collection and insolvency scores and credit ratings.
If you apply to a bank for a loan, the bank will need to assess your creditworthiness. It will use the information you provide on your form, together with other information it already holds about you (such as how you have managed your previous accounts with that bank), and information obtained from third parties such as credit reference agencies.
We may use the credit reference data we hold to generate a credit score which provides an indication of your creditworthiness. The bank may use the credit score as part of its decision-making. Factors that may affect your credit score include:
You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please use our Consumer Enquiries page.
If you are looking for information about your rights in relation to the personal data we hold in our capacity as a credit reference agency, please refer to the Credit Reference Agency Information Notice.
Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.
We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us through our Consumer Enquiries page.
You can also contact our Data Protection Officer at ukdpo@transunion.com.
Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at www.ico.org.uk, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.