TransUnion Bureau Privacy Notice

Version: 1.12
Date adopted: 20 June 2024

This privacy notice explains how we use and share personal data in connection with our credit risk and affordability assessments, anti-fraud and anti-money laundering checks, verification, debt tracing services and some of our related services. It also describes your data protection rights, including a right to object to some of the processing which TransUnion carries out. More information about your rights, and how to exercise them, is set out in section 9 below.

In Brief

  1. At TransUnion, we provide data and data-related services to clients such as banks, credit providers, insurance companies, gambling companies, utility companies, retail companies and others for the purposes set out above (and in more detail at section 2 below).
  2. Some of our services involve processing data that is highly confidential such as your bank account, credit card or salary details. More information about the data we use can be found in section 3.
  3. In providing our services to clients, we may use third party service providers to assist us (a summary of the key providers can be found in the table at section 6).
  4. Some of these services involve checking your device information (from your mobile telephone, tablet or laptop for example), which we use to confirm your identity and/or to protect you from becoming a victim of fraud.
  5. We may need to send your details to other countries as part of our services, occasionally outside of the European Union – details are provided at section 7.

You have the right to object to our use of your personal data. Please see section 9 to find out more.

1. Who are we and how can you contact us?

2. What do we use personal data for?

3. What kinds of personal data do we use, and where do we get it from?

4. How long is the personal data kept for?

5. What is our legal basis for handling personal data?

6. Who do we share the personal data with?

7. Where is the personal data stored and sent?

8. Is the personal data used to make decisions about you or to profile you?

9. What are your rights?

10. Who can you complain to if you are unhappy about the use of your personal data?




About us


We are TransUnion International UK Limited, which is a company registered in England and Wales with company number 03961870. Our trading address and registered office is at One Park Lane, Leeds, West Yorkshire LS3 1EP.

We are part of TransUnion Information Group (TU UK), which has its headquarters at the above address. Some of the members of TU UK are listed in section 6 below. TU UK forms part of a larger group of companies but this privacy notice only covers the activities of TU UK.

We are a controller of the personal data covered by this privacy notice. This means that we are responsible for ensuring that the personal data is used fairly and lawfully.


Joint controllers


We sometimes act jointly with one or more of the other TU UK companies when making decisions about your personal data. In particular, we make joint decisions when we and another TU UK company are sharing personal data with each other.

Our members of staff work across TU UK group companies so, where our group companies make decisions jointly, those members of staff will ensure that each company involved complies with data protection rules. You can contact our Consumer Services Team if you want to enquire about any of our group companies or exercise any of your rights in respect of your personal data.


Contact details


You can contact us about issues relating to personal data, including the contents of this notice, through our Consumer Enquiries page.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.




This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we might use for these purposes can be found in section 3 below.


Providing services to the organisation you may be dealing with


We use your personal data to provide services to the organisation you may be dealing with. These services might include, for example, credit risk assessment, affordability assessment for credit and non-credit purposes, customer management, vulnerability management, anti-fraud and anti-money laundering checks, verification services, and tracing for debt collection purposes. We may also use your personal data to provide such services in relation to you in a specific role: for example, where you are acting as guarantor in relation to a personal loan to another individual, or as a director or business owner where the relevant business is applying for a commercial loan.

Examples: credit risk assessment, customer management, identity verification, anti-fraud, debt tracing

If you have applied for credit from one of our clients, they will send your data to us so that we can find you in our databases and return information about your credit history. They will use that information in order to assess your creditworthiness and decide whether you will be able to repay them.

If you have been given credit by one of our clients, we may be asked to monitor your credit files and send our client an alert if, for example, you receive a court judgment or become insolvent, or where there is a significant deterioration in your repayment behaviour.

If you are registered as having a vulnerability, we may be asked to provide this information to our clients to support credit risk assessments, customer management and overall customer experience purposes, so that they are aware of the presence of a vulnerability and can take appropriate steps in customer management.

If you need to prove your identity to an organisation, they may check the details you provide against the information on our databases or carry out ID document verification and facial biometrics in order to help confirm that you are who you say you are.

If you fill in a form on one of our clients’ websites as part of an onboarding process, we may collect behavioural information about your interactions with such form to alert our clients to potentially fraudulent activity.

When you have dealings with an organisation, for example a bank, they may submit your telephone number, email address, internet protocol (IP) address, bank account and card numbers to us so we can alert them to the possibility of a stolen identity or where there have been past fraud indicators associated with those details.

If you owe money to one of our clients and have moved without telling them, they may use our services in order to find your new address and other contact details so that they can contact you to arrange repayment.

When you apply for credit (or if you have existing credit), affordability checks using your data can help our clients understand whether you are likely to be able to afford the repayments. Affordability checks can also help our clients assess your eligibility for non-credit products. These checks help our clients identify individuals who may be financially over-committed and can help prevent over-indebtedness.

Examples: affordability assessment

Utility companies may perform affordability checks (either at an individual or a household level) to help them understand whether individuals or households applying for financial assistance with bills and/or other payments meet the eligibility criteria to receive it. This helps to ensure that financial assistance is most appropriately directed at financially vulnerable individuals and households.

Gaming organisations may use affordability checks to help identify individuals at risk of gambling-related harm. Our retail clients may use affordability checks to assess the risk that you might not be able to afford non-credit commitments or potential costs related to a product or service. This may help them decide whether they want to offer a particular product or service to you.

Other examples of affordability checks include: an automobile subscription service that may want to assess the likelihood of whether you could afford additional liabilities; or an online marketplace that may want to identify individuals or businesses at risk of not being able to afford to fulfil orders.

We may also process your personal data after services have been provided to our clients if, for example, we need to investigate any issues around the data that has been sent to us, stored by us or if we need to restore our systems in the event of a data loss incident.

More information about how we (and other credit reference agencies) use personal data in these kinds of service can be found in the Credit Reference Agency Information Notice.


Providing services to our other clients


We use personal data to provide services to organisations other than the one you are directly dealing with.

Example: fraud alerts

If we receive a large number of identity verification checks against a particular person in a short space of time, this may be an indicator that someone is attempting to commit identity theft or another form of fraud. When this happens, we use that indicator to provide real time fraud alerts to clients who have subscribed to that service.

If you have provided your details to an organisation in order to confirm your identity, we may retain those details and link them to other details we hold about you so that if a fraudster attempts to use some of your details to apply for credit with a different organisation, we can raise a potential fraud alert with that organisation.

We may also provide personal data to public sector bodies (for example police, local and central government) to assist them in carrying out their public duties including: the investigation, prevention and detection of crime and the apprehension and prosecution of offenders; missing persons investigations; the assessment and collection of taxes and other statutory payments including the detection of fraudulent benefit claims; the protection of the public purse; national security and the defence of the realm. Data may include the full electoral register, but only where those public sector bodies are entitled to access that data themselves (for specific, limited purposes) under the relevant legislation.

More information about how we (and other credit reference agencies) use personal data in these kinds of service can be found in the Credit Reference Agency Information Notice.


Profiling, statistical analysis and anonymisation


We use, and allow our clients to use, information to carry out profiling of consumers through statistical analysis. This includes the creation, validation and use of scorecards, models, and attributes in connection with the assessment of risks relating to credit, fraud, affordability and debt collection. It is also used in verifying identities, to monitor and predict market trends and to enable clients to refine lending and fraud strategies, and loss forecasting.

This helps us to determine the likelihood that a consumer with certain characteristics will act in a way that will produce certain outcomes; for example, to repay credit, to be able to afford credit, to claim on an insurance policy, to commit fraud, to respond to certain collection strategies or to become insolvent.

Example: fraud models

When you are looking to set up a new account or use new services (for example, signing up to a new credit card, setting up a new online retail account, or renting a new property), our clients may seek to verify your identity to ensure they are dealing with you and not a fraudster. Our modelled data involves mapping your personal information (such as email address, mobile number and bank details) to produce a score that can help predict the likelihood that your information is being used fraudulently and/or that you have been a victim of fraud.

We may also convert your personal data into statistical or aggregated form so that you are not identified or identifiable (thereby creating anonymised data). Anonymised data is not personal data and we may use such data to carry out research and analysis, including to produce statistical research and reports or for any other purposes.

Product or systems development and testing

We sometimes use personal data for demonstrating, developing, improving, monitoring, maintaining and testing our products and systems. This includes making sure that our security measures are working properly. Where possible, we will anonymise, pseudonymise or aggregate the data before doing this.

Consumer queries; legal and regulatory purposes

We may use your personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from you or a regulator about how we have used your personal data.

Examples: legal and regulatory purposes

If you object to us processing your personal data, we will need to use your personal data to assess your request.

If you make a complaint about us to our regulators, they will normally ask us to investigate your case. This will involve accessing your personal data in the course of that investigation.

Similarly, if you start court proceedings against us, we will normally need to review how we have used your personal data in order to defend ourselves against your claim.




When a client uses our services, they will typically send us information such as:

  • Identifiers (including your name, date of birth, and current and previous addresses). This helps us to match your information to the other information we hold in our databases.
  • Other information specific to you, for example your telephone number, email address, internet protocol (IP) address, bank account or credit card number.
  • Information collected from your device(s), such as your device details, location details or details regarding transactions you undertake.
  • Information collected from you with your consent, such as copies of government-issued ID documents and selfie images. We may derive biometric representations of your facial images from such documents for the purpose of identity verification and authentication.
  • The purpose for which they are requesting information about you.
  • Other relevant details such as the nature of your credit application.

When we receive that information, we match it against the other information that we hold (or obtain from third parties) in order to find and return additional information about you. Depending on the service we are providing, this can include information such as your credit history, credit score, any court judgments or insolvency-related events, property ownership data, fraud indicators, financial transaction information provided via open banking, and additional contact details or address history. It can also include similar kinds of information about people who are financially associated with you.

Some of the information we hold about you may include name and address information from the electoral register (or the electoral roll). There are two versions of this. One is known as the open register (or the edited electoral roll) and can be used for a variety of purposes including marketing, tracing (including online directories used to find friends and family), asset reunification and identity verification. The other is the full register which we can only use for limited purposes, including crime prevention. We use and share this data in accordance with The Representation of the People (England and Wales) regulations 2001 (as amended) and equivalent legislation in Scotland, Northern Ireland and the Isle of Man.

More information about the kinds of personal data we hold, and where we get it from, can be found in the Credit Reference Agency Information Notice.




When we receive personal data from a client in order to provide services to them, we will keep a copy of that data for up to fifteen months in order to investigate any data supply or data load issues, restore our systems in the event of a data loss incident, and in order to investigate and respond to any complaints, claims and enquiries that we may receive from consumers, clients or regulators.

We may keep data that has been provided to us for identify verification purposes for up to six years and three months in order to help stop fraudsters – see examples under “Fraud Alerts” in section 2 above.

Information about how long we keep data in our capacity as a credit reference agency is available in the Credit Reference Agency Information Notice.




This section explains the basis on which we process your personal data.


Legitimate interests


The UK’s data protection law allows the use of your personal data where necessary for legitimate purposes provided that this is not outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.

The legitimate interests we are typically pursuing when providing services to our clients are:

Promoting responsible lending and helping to prevent over-indebtedness.Responsible lending means that lenders only sell products that are affordable and suitable for the borrowers’ circumstances. We help ensure this by sharing personal data about potential borrowers, their financial associates where applicable, and their financial history. We also help to protect consumers by preventing over-indebtedness in other areas, such as online gambling. A comprehensive range of measures exists in the UK to underpin the balance so that the legitimate interests are not outweighed by the interests, fundamental rights and freedoms of individuals. Further explanation about this balance is set out below.
Helping prevent and detect crime and fraud; anti-money laundering; and identity verificationWe provide identity, anti-fraud and anti-money laundering services to help clients meet legal and regulatory obligations, and to the benefit of individuals to support identity verification and support of the detection and prevention of fraud and money-laundering.
Supporting tracing and collectionsWe provide services that support tracing and collections where there is a legitimate interest in the client conducting activity to find its customer and to recover the debt, or to reunite, or confirm an asset is connected with, the right person. We also assist debt collection agencies in predicting, analysing and evaluating the costs of debt recovery to enable them to determine the value of a debt book.
Complying with and supporting compliance with legal and regulatory requirementsWe have to comply with various legal and regulatory requirements, and our services also help other organisations comply with their own legal and regulatory obligations. For example, many kinds of financial services are regulated by the Financial Conduct Authority or the Prudential Regulation Authority, who impose obligations to check that financial products are suitable for the people they are being sold to. We provide data to help with those checks. We also use the data to assist our gambling clients to comply with obligations imposed on them by relevant legislation and the Licence Conditions and Codes of Practice (LCCP) published by the Gambling Commission.

Our use of personal data is subject to an extensive framework of safeguards that help make sure that your rights are protected. These include the information you are given about how your personal data will be used and how you can exercise your rights to obtain your personal data, have it corrected or restricted, object to it being processed, and complain if you are dissatisfied. These safeguards help sustain a fair and appropriate balance so that our activities do not compromise your interests, fundamental rights and freedoms.


Necessity for compliance with a legal obligation


We sometimes need to use your personal data in order to comply with a legal obligation that we are under. For example, if you submit a request to us for a copy of your personal data, either directly or through a third party that you have authorised to act on your behalf, we will normally be legally required to provide that personal data. See section 9 below for details of what requests you can make and how to make them.




Our clients and resale partners


We share personal data with our clients for the purposes described in section 2 above. Our clients will each have their own privacy notices which will provide more information about how they (specifically) use the data we supply.

Our clients typically operate in the following sectors:

  • financial services (including banks, loans, credit cards, mortgages, pensions, debt collection agencies and investments and savings providers)
  • insurance
  • gaming / gambling
  • retail (including car sales / leasing and online retailers)
  • telecoms and utilities
  • local and central government
  • police and other law enforcement bodies
  • marketing agencies acting for other organisations

In some cases, our clients may appoint an intermediary to act on their behalf; these intermediaries will often receive the data too. We also appoint data resale partners who will distribute data to their clients in a similar manner to the ways we do.


Our group companies


We may share your personal data among the members of TU UK. If we do so, then use of the data by those companies will be governed by this privacy notice. A list of relevant TU UK companies is set out below, although the list may be updated from time to time.

Group companyMain trading address / registered office
TransUnion Information Group Limited (company no. 4968328)One Park Lane, Leeds, West Yorkshire LS3 1EP
TransUnion International UK Limited (company no. 3961870)
Callcredit Marketing Limited (company no. 2733070)


We may also share your personal data with other non-UK based companies within the wider TransUnion group. This includes:

  • TransUnion Baltics UAB, Karaliaus Mindaugo pr. 50, Kaunas LT – 4434, Lithuania
  • TransUnion Information Group Spain SLU, Avenida de la Industria 18 28760, Tres Cantos, Spain
  • iovation Inc, 555 W. Adams St, Chicago, Illinois 60661
  • TransUnion LLC, 555 West Adams Street, Chicago, Illinois 60661
  • TransUnion Global Technology Centre LLP, 9th Floor, Block 2,DLF IT/ITES Special Economic Zone Shivaji Gardens, Moonlight Stop, Manapakkam Saidapet Tamil Nadu 600089
  • TransUnion Global Capability Centre Africa (Pty) Ltd, G floor, 9 & 10 floor,11 Alice Lane, Sandton, 2196, Gauteng, Johannesburg, South Africa 2197 
  • TransUnion Global Capability Center Costa Rica Limitada, San Jose-Escazu San Rafael, Trejos Montealegre, De Escazu Village, Three Hundred Meters to the West, Banco General Building, Sixth Floor


Service providers


We may provide your information to third parties who help us use it for the purposes described in section 2. For example, our databases of personal data may be hosted by third parties on our behalf. More detail is provided below in respect of our key service providers.

Category of service provider

Role performed for TransUnion

Where processing takes place
Customer Identity and EngagementValidates telephone numbers and confirms possession of mobile devices, to assist with the detection and prevention of fraud or financial crime.The USA and the Netherlands and, in some cases, Serbia and Lithuania
Authentication and anti-fraudUses JavaScript and first and third party cookies to collect device-identifying technical data from users of our clients’ websites or mobile apps. This is in order to identify suspicious and/or high risk devices to assist with the detection and prevention of fraud or financial crime.The USA
Digital identity and anti-fraudValidates email and Internet Protocol (IP) addresses to assist with the detection and prevention of fraud or financial crime.European Union and, in some cases, the USA
Customer identity verificationUses a government-issued ID document alongside a ‘live’ photographic image to check for fraud indicators.European Union, the USA and in some cases Israel, the Philippines, Japan and India
Mobile and digital identity authenticationUses a mobile phone number to check for fraud indicators and cross checks personal data (name, address, date of birth) against data held by Mobile Network Operators (MNOs) to verify consumers’ identities and for the detection and prevention of fraud.European Union (United Kingdom, Germany, Jersey and Republic of Ireland)
Anti-money laundering checksFlags individuals who may be politically exposed persons (PEPs) or subject to financial sanctions.The European Union (Dow Jones)
Identity verification and fraud preventionHosting of a model that maps individuals’ personal information (name, address, phone number, email address, bank account and card details) to help detect and prevent fraud.European Union
Anti-fraudUses JavaScript to collect behavioural attributes when end users interact with an online form on our clients’ websites or mobile apps. This is to identify trusted or anomalous behaviour to assist with the detection and prevention of fraud.The USA

These service providers will not be allowed to use your information for their own purposes unless you have been notified of this purpose or given your consent.


You and your financial associates


You are entitled to obtain copies of the personal data that we hold about you. You can find out how to do this in section 9 below.

Similarly, your financial associates are also entitled to obtain copies of the personal data that we hold about them.


Other credit reference agency data sharing activities


For a broader description of how we share data in our capacity as a credit reference agency, please refer to the Credit Reference Agency Information Notice.


Business transfers


If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.


Regulators and law enforcement


Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required for the legal protection of our legitimate interests in compliance with applicable laws. For example, we may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.


Sharing of anonymised data with third parties


We may share anonymised information with other third parties, but only where the information cannot realistically be identified as relating to you.




Within Europe


We are based in the United Kingdom and will access and use your information from here. However, we also have operations elsewhere in Europe – currently Lithuania and Spain – and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.

We may also send personal data to some of our service providers or clients who have operations within the European Union.




We also send information elsewhere in the world. For example:

  • We make use of TransUnion group service companies (referred to as Global Capability Centres, or GCCs), located in India, South Africa, Costa Rica and the United States. See section 6 for more details.
  • When one of our other overseas group companies or branch offices based overseas needs to use the information in accordance with this notice. This may include an overseas group company providing services to their clients for the purposes set out in section 2 above.
  • Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.
  • Where our service providers have operations outside the European Union (see the table at section 6 above).

While the UK and countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information when required. For example, these safeguards might include:

  • Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
  • Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection. One example is the Data Privacy Framework that has been agreed between the UK, European and US authorities.
  • Encrypting the information (‘scrambling’ or converting it into code which makes it incomprehensible to anyone not authorised to view it) in order to add an additional layer of protection.

If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.






In almost all cases, we do not use your personal data to make automated decisions about you or to profile you.

We provide data and analytics that help our clients make decisions about lending and other matters (such as preventing fraud or protecting consumers), but our clients’ own data, knowledge, processes and practices will also generally play a significant role in their decisions – and those decisions will always be for them to make.

For example, when we sell our services to credit or loan providers, we do not decide whether or not you should be granted credit or a loan – this is for the lender to decide. Similarly, where we provide information to gambling companies, we do this to help them protect vulnerable consumers or those at risk of becoming overindebted. However, they will ultimately decide how to act upon that information, taking into account their legal and regulatory obligations.

Where our resale partners ask us for a copy of your credit information, we need to verify your identity in order to ensure that your credit information is not given out to fraudsters. This is an automated process and it could result in you being declined access to the services provided by that resale partner if we cannot verify your identity.


Scores and ratings


We use the data we hold to produce credit, risk, fraud, identity, affordability, screening, collection and insolvency scores and credit ratings.

Example: credit scores

If you apply to a bank for a loan, the bank will need to assess your creditworthiness. It will use the information you provide on your form, together with other information it already holds about you (such as how you have managed your previous accounts with that bank), and information obtained from third parties such as credit reference agencies.

We may use the credit reference data we hold to generate a credit score which provides an indication of your creditworthiness. The bank may use the credit score as part of its decision-making. Factors that may affect your credit score include:

  • How long you have lived at your address.
  • The number and type of credit agreements you have, and how you use those credit products.
  • Whether you have been late making payments.
  • Whether you have had any court judgments made against you.
  • Whether you have been bankrupt or have had an IVA or other form of debt-related arrangement.
  • The number of credit-related searches that organisations have made against your credit file, for example when you apply for a loan or credit card, or when a debt collection agency requests information about you.



You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please use our Consumer Enquiries page.

If you are looking for information about your rights in relation to the personal data we hold in our capacity as a credit reference agency, please refer to the Credit Reference Agency Information Notice.

  • Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it. (If you want to see your credit report online, please visit
  • Withdrawal of consent: When we rely on your consent to use your data, you have the right to withdraw that consent at any time. However, we do not rely on consent for the activities described in this privacy notice.
  • Objection to direct marketing: You have the right to object to us using your personal data for direct marketing purposes, including any profiling or similar activities which are performed as a precursor to direct marketing. The activities described in this privacy notice do not include the use of personal data for direct marketing purposes but you have the right to object to us doing so in the future.
  • Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
  • Objection to processing based on legitimate interests: Where we rely on the legitimate interests legal basis for using your personal data (see section 5 above), you can object to that use of the data. We will then review and decide the extent to which we can continue to use the data in light of your particular circumstances.
  • Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it.
  • Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
  • Portability: In some circumstances you have the right to receive some limited kinds of information in a portable format. However, this typically does not apply to the data to which this privacy notice applies.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.




We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us through our Consumer Enquiries page.

You can also contact our Data Protection Officer at

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.