Skip to main content

TransUnion Bureau Privacy Notice

Version: 1.8
Date adopted: 22nd April 2022

This privacy notice explains how we use and share personal data in connection with our credit risk and affordability assessments, anti-fraud and anti-money laundering checks, verification, debt tracing services and some of our related services. It also describes your data protection rights, including a right to object to some of the processing which TransUnion carries out. More information about your rights, and how to exercise them, is set out in section 9 below.

In Brief

  1. At TransUnion, we provide data and data-related services to clients such as banks, credit providers, insurance companies, gambling companies and others for the purposes set out above (and in more detail at section 2 below).
  2. Some of our services involve processing data that is highly confidential such as your bank account, credit card or salary details. More information about the data we use can be found in section 3.
  3. In providing our services to clients, we may use third party service providers to assist us (a summary of the key providers can be found in the table at section 6).
  4. Some of these services involve checking your device information (from your mobile telephone, tablet or laptop for example), which we use to confirm your identity and/or to protect you from becoming a victim of fraud.
  5. We may need to send your details to other countries as part of our services, occasionally outside of the European Union – details are provided at section 7.

You have the right to object to our use of your personal data. Please see section 9 to find out more.

1. Who are we and how can you contact us?

2. What do we use personal data for?

3. What kinds of personal data do we use, and where do we get it from?

4. How long is the personal data kept for?

5. What is our legal basis for handling personal data?

6. Who do we share the personal data with?

7. Where is the personal data stored and sent?

8. Is the personal data used to make decisions about you or to profile you?

9. What are your rights?

10. Who can you complain to if you are unhappy about the use of your personal data?

 

1. WHO ARE WE AND HOW CAN YOU CONTACT US?

 

About us

 

We are TransUnion International UK Limited, which is a company registered in England and Wales with company number 03961870. Our trading address and registered office is at One Park Lane, Leeds, West Yorkshire LS3 1EP.

We are part of TransUnion Information Group (TU UK), which has its headquarters at the above address. Some of the members of TU UK are listed in section 6 below. TU UK forms part of a larger group of companies but this privacy notice only covers the activities of TU UK.

We are a controller of the personal data covered by this privacy notice. This means that we are responsible for ensuring that the personal data is used fairly and lawfully.

 

Joint controllers

 

We sometimes act jointly with one or more of the other TU UK companies when making decisions about your personal data. In particular, we make joint decisions when we and another TU UK company are sharing personal data with each other.

Our members of staff work across TU UK group companies so, where our group companies make decisions jointly, those members of staff will ensure that each company involved complies with data protection rules. You can contact our Consumer Services Team if you want to enquire about any of our group companies or exercise any of your rights in respect of your personal data.

 

Contact details

 

You can contact us about issues relating to personal data, including the contents of this notice, by any of the following methods:

Post: Customer Services Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: [email protected]

Telephone: 0330 024 7574

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

 

2. WHAT DO WE USE PERSONAL DATA FOR?

 

This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we might use for these purposes can be found in section 3 below.

 

Providing services to the organisation you may be dealing with

 

We use your personal data to provide services to the organisation you may be dealing with. These services might include, for example, credit risk assessment, affordability assessment, customer management, anti-fraud and anti-money laundering checks, verification services, and tracing for debt collection purposes. We may also use your personal data to provide such services in relation to you in a specific role: for example, where you are acting as guarantor in relation to a personal loan to another individual, or as a director or business owner where the relevant business is applying for a commercial loan.

Examples: credit risk assessment, customer management, identity verification, anti-fraud, debt tracing

If you have applied for credit from one of our clients, they will send your data to us so that we can find you in our databases and return information about your credit history. They will use that information in order to assess your creditworthiness and decide whether you will be able to repay them.

If you have been given credit by one of our clients, we may be asked to monitor your credit files and send our client an alert if, for example, you receive a court judgment or become insolvent, or where there is a significant deterioration in your repayment behaviour.

If you need to prove your identity to an organisation, they may check the details you provide against the information on our databases in order to help confirm that you are who you say you are.

When you have dealings with an organisation, for example a bank, they may submit your telephone number, email address, internet protocol (IP) address, bank account and card numbers to us so we can alert them to the possibility of a stolen identity or where there have been past fraud indicators associated with those details.

If you owe money to one of our clients and have moved without telling them, they may use our services in order to find your new address and other contact details so that they can contact you to arrange repayment.

We may also process your personal data after services have been provided to our clients if, for example, we need to investigate any issues around the data that has been sent to us, stored by us or if we need to restore our systems in the event of a data loss incident.

More information about how we (and other credit reference agencies) use personal data in these kinds of service can be found in the Credit Reference Agency Information Notice.

 

Providing services to our other clients

 

We use personal data to provide services to organisations other than the one you are directly dealing with.

Example: fraud alerts

If we receive a large number of identity verification checks against a particular person in a short space of time, this may be an indicator that someone is attempting to commit identity theft or another form of fraud. When this happens, we use that indicator to provide real time fraud alerts to clients who have subscribed to that service.

If you have provided your details to an organisation in order to confirm your identity, we may retain those details and link them to other details we hold about you so that if a fraudster attempts to use some of your details to apply for credit with a different organisation, we can raise a potential fraud alert with that organisation.

More information about how we (and other credit reference agencies) use personal data in these kinds of service can be found in the Credit Reference Agency Information Notice.

 

Profiling, statistical analysis and anonymisation

 

We use, and allow our clients to use, information to carry out profiling of consumers through statistical analysis. This includes the creation, validation and use of scorecards, models, and attributes in connection with the assessment of risks relating to credit, fraud, affordability and debt collection. It is also used in verifying identities, to monitor and predict market trends and to enable clients to refine lending and fraud strategies, and loss forecasting.

This helps us to determine the likelihood that a consumer with certain characteristics will act in a way that will produce certain outcomes; for example, to repay credit, to be able to afford credit, to claim on an insurance policy, to commit fraud, to respond to certain collection strategies or to become insolvent.

We may also convert your personal data into statistical or aggregated form so that you are not identified or identifiable (thereby creating anonymised data). Anonymised data is not personal data and we may use such data to carry out research and analysis, including to produce statistical research and reports or for any other purposes.

 

Product or systems development and testing

 

We sometimes use personal data for demonstrating, developing, improving, monitoring, maintaining and testing our products and systems. This includes making sure that our security measures are working properly. Where possible, we will anonymise, pseudonymise or aggregate the data before doing this.

 

Consumer queries; legal and regulatory purposes

 

We may use your personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from you or a regulator about how we have used your personal data.

Examples: legal and regulatory purposes

If you object to us processing your personal data, we will need to use your personal data to assess your request.

If you make a complaint about us to our regulators, they will normally ask us to investigate your case. This will involve accessing your personal data in the course of that investigation.

Similarly, if you start court proceedings against us, we will normally need to review how we have used your personal data in order to defend ourselves against your claim.

 

3. WHAT KINDS OF PERSONAL DATA DO WE USE, AND WHERE DO WE GET IT FROM?

 

When a client uses our services, they will typically send us information such as:

  • Identifiers (including your name, date of birth, and current and previous addresses). This helps us to match your information to the other information we hold in our databases.
  • Other information specific to you, for example your telephone number, email address, internet protocol (IP) address, bank account or credit card number.
  • Information collected from you with your consent, such as your device details or location details.
  • The purpose for which they are requesting information about you.
  • Other relevant details such as the nature of your credit application.


When we receive that information, we match it against the other information that we hold in order to find and return additional information about you. Depending on the service we are providing, this can include information such as your credit history, credit score, any court judgments or insolvency-related events, fraud indicators, and additional contact details or address history. It can also include similar kinds of information about people who are financially associated with you.

More information about the kinds of personal data we hold, and where we get it from, can be found in the Credit Reference Agency Information Notice.

 

4. HOW LONG IS THE PERSONAL DATA KEPT FOR?

 

When we receive personal data from a client in order to provide services to them, we will keep a copy of that data for up to fifteen months in order to investigate any data supply or data load issues, restore our systems in the event of a data loss incident, and in order to investigate and respond to any complaints, claims and enquiries that we may receive from consumers, clients or regulators.

We may keep data that has been provided to us for identify verification purposes for up to six years and three months in order to help stop fraudsters – see examples under “Fraud Alerts” in section 2 above.

Information about how long we keep data in our capacity as a credit reference agency is available in the Credit Reference Agency Information Notice.

 

5. WHAT IS OUR LEGAL BASIS FOR HANDLING PERSONAL DATA?

 

This section explains the basis on which we process your personal data.

 

Legitimate interests

 

The UK’s data protection law allows the use of your personal data where necessary for legitimate purposes provided that this is not outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.

The legitimate interests we are typically pursuing when providing services to our clients are:

Interest Explanation
Promoting responsible lending and helping to prevent over-indebtedness. Responsible lending means that lenders only sell products that are affordable and suitable for the borrowers’ circumstances. We help ensure this by sharing personal data about potential borrowers, their financial associates where applicable, and their financial history. We also help to protect consumers by preventing over-indebtedness in other areas, such as online gambling. A comprehensive range of measures exists in the UK to underpin the balance so that the legitimate interests are not outweighed by the interests, fundamental rights and freedoms of individuals. Further explanation about this balance is set out below.
Helping prevent and detect crime and fraud; anti-money laundering; and identity verification We provide identity, anti-fraud and anti-money laundering services to help clients meet legal and regulatory obligations, and to the benefit of individuals to support identity verification and support of the detection and prevention of fraud and money-laundering.
Supporting tracing and collections We provide services that support tracing and collections where there is a legitimate interest in the client conducting activity to find its customer and to recover the debt, or to reunite, or confirm an asset is connected with, the right person. We also assist debt collection agencies in predicting, analysing and evaluating the costs of debt recovery to enable them to determine the value of a debt book.
Complying with and supporting compliance with legal and regulatory requirements We have to comply with various legal and regulatory requirements, and our services also help other organisations comply with their own legal and regulatory obligations. For example, many kinds of financial services are regulated by the Financial Conduct Authority or the Prudential Regulation Authority, who impose obligations to check that financial products are suitable for the people they are being sold to. We provide data to help with those checks. We also use the data to assist our gambling clients to comply with obligations imposed on them by relevant legislation and the Licence Conditions and Codes of Practice (LCCP) published by the Gambling Commission.


Our use of personal data is subject to an extensive framework of safeguards that help make sure that your rights are protected. These include the information you are given about how your personal data will be used and how you can exercise your rights to obtain your personal data, have it corrected or restricted, object to it being processed, and complain if you are dissatisfied. These safeguards help sustain a fair and appropriate balance so that our activities do not compromise your interests, fundamental rights and freedoms.

 

Necessity for compliance with a legal obligation

 

We sometimes need to use your personal data in order to comply with a legal obligation that we are under. For example, if you submit a request to us for a copy of your personal data, either directly or through a third party that you have authorised to act on your behalf, we will normally be legally required to provide that personal data. See section 9 below for details of what requests you can make and how to make them.

 

6. WHO DO WE SHARE THE PERSONAL DATA WITH?

 

Our clients and resale partners

 

We share personal data with our clients for the purposes described in section 2 above. Our clients will each have their own privacy notices which will provide more information about how they (specifically) use the data we supply.

Our clients typically operate in the following sectors:

  • financial services (including banks, loans, credit cards, mortgages, pensions, debt collection agencies and investments and savings providers)
  • insurance
  • gaming / gambling
  • retail (including car sales / leasing and online retailers)
  • telecoms and utilities
  • marketing agencies acting for other organisations


In some cases, our clients may appoint an intermediary to act on their behalf; these intermediaries will often receive the data too. We also appoint data resale partners who will distribute data to their clients in a similar manner to the ways we do.

 

Our group companies

 

We may share your personal data among the members of TU UK. If we do so, then use of the data by those companies will be governed by this privacy notice. A list of relevant TU UK companies is set out below, although the list may be updated from time to time.

Group company Main trading address and registered office
TransUnion Information Group Limited
(company no. 4968328)
One Park Lane, Leeds, West Yorkshire LS3 1EP
TransUnion International UK Limited (company no. 3961870)
Callcredit Marketing Limited
(company no. 2733070)

 

We may also share your personal data with other non-UK based companies within our Group: this includes TransUnion Baltics UAB (registered address Karaliaus Mindaugo pr. 50, Kaunas LT – 4434) in Lithuania and TransUnion LLC (registered in Delaware with its principal office at 555 West Adams Street, Chicago, Illinois 60661) in the United States of America (“USA”).

 

Service providers

 

We may provide your information to third parties who help us use it for the purposes described in section 2. For example, our databases of personal data may be hosted by third parties on our behalf. More detail is provided below in respect of our key service providers.

Category of service provider

Role performed for TransUnion

Where processing takes place
Customer Identity and Engagement Validates telephone numbers and confirms possession of mobile devices, to assist with the detection and prevention of fraud or financial crime. The USA and the Netherlands and, in some cases, Serbia and Lithuania
Authentication and anti-fraud Uses automated data-capturing software to collect device-identifying technical data from users of our clients’ websites. This is in order to identify suspicious and/or high risk devices to assist with the detection and prevention of fraud or financial crime.


The USA

Digital identity and anti-fraud Validates email and Internet Protocol (IP) addresses to assist with the detection and prevention of fraud or financial crime. European Union and, in some cases, the USA
Customer identity verification Uses photographic identity documentation alongside a ‘live’ photographic image to check for fraud indicators. European Union
Mobile and digital identity authentication Uses a mobile phone number to check for fraud indicators and cross checks personal data (name, address, date of birth) against data held by Mobile Network Operators (MNOs) to verify consumers’ identities and for the detection and prevention of fraud. European Union (United Kingdom, Germany, Jersey and Republic of Ireland)
Anti-money laundering checks Flags individuals who may be politically exposed persons (PEPs) or subject to financial sanctions.


The USA

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations unless you agree otherwise.

 

You and your financial associates

 

You are entitled to obtain copies of the personal data that we hold about you. You can find out how to do this in section 9 below.

Similarly, your financial associates are also entitled to obtain copies of the personal data that we hold about them.

 

Other credit reference agency data sharing activities

 

For a broader description of how we share data in our capacity as a credit reference agency, please refer to the Credit Reference Agency Information Notice.

 

Business transfers

 

If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.

 

Regulators and law enforcement

 

Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required for the legal protection of our legitimate interests in compliance with applicable laws. For example, we may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.

 

Sharing of anonymised data with third parties

 

We may share anonymised information with other third parties, but only where the information cannot realistically be identified as relating to you.

 

7. WHERE IS THE PERSONAL DATA STORED AND SENT?

 

Within Europe

 

We are based in the United Kingdom and will access and use your information from here. However, we also have operations elsewhere in Europe – currently Lithuania and Spain – and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.

We may also send personal data to some of our service providers or clients who have operations within the European Union.

 

Elsewhere

 

We also send information elsewhere in the world. For example:

  • When one of our overseas group companies or branch offices based overseas needs to use the information in accordance with this notice. This may include an overseas group company providing services to their clients for the purposes set out in section 2 above.
  • Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.
  • Where our service providers have operations outside the European Union (see the table at section 6 above).


While the UK and countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

  • Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
  • Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection.
  • Encrypting the information (‘scrambling’ or converting it into code which makes it incomprehensible to anyone not authorised to view it) in order to add an additional layer of protection.


If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.

 

8. IS THE PERSONAL DATA USED TO MAKE AUTOMATED DECISIONS ABOUT YOU OR TO PROFILE YOU?

 

Decisions

 

In almost all cases, we do not use your personal data to make automated decisions about you or to profile you.

We provide data and analytics that help our clients make decisions about lending and other matters (such as preventing fraud or protecting consumers), but our clients’ own data, knowledge, processes and practices will also generally play a significant role in their decisions – and those decisions will always be for them to make.

For example, when we sell our services to credit or loan providers, we do not decide whether or not you should be granted credit or a loan – this is for the lender to decide. Similarly, where we provide information to gambling companies, we do this to help them protect vulnerable consumers or those at risk of becoming overindebted. However, they will ultimately decide how to act upon that information, taking into account their legal and regulatory obligations.

Where our resale partners ask us for a copy of your credit information, we need to verify your identity in order to ensure that your credit information is not given out to fraudsters. This is an automated process and it could result in you being declined access to the services provided by that resale partner if we cannot verify your identity.

 

Scores and ratings

 

We use the data we hold to produce credit, risk, fraud, identity, affordability, screening, collection and insolvency scores and credit ratings.

Example: credit scores

If you apply to a bank for a loan, the bank will need to assess your creditworthiness. It will use the information you provide on your form, together with other information it already holds about you (such as how you have managed your previous accounts with that bank), and information obtained from third parties such as credit reference agencies.

We may use the credit reference data we hold to generate a credit score which provides an indication of your creditworthiness. The bank may use the credit score as part of its decision-making. Factors that may affect your credit score include:

  • How long you have lived at your address.
  • The number and type of credit agreements you have, and how you use those credit products.
  • Whether you have been late making payments.
  • Whether you have had any court judgments made against you.
  • Whether you have been bankrupt or have had an IVA or other form of debt-related arrangement.
  • The number of credit-related searches that organisations have made against your credit file, for example when you apply for a loan or credit card, or when a debt collection agency requests information about you.

9. WHAT ARE YOUR RIGHTS?

 

You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please email us at [email protected], telephone us on 0330 024 7574, or refer to the other contact details in section 1.

If you are looking for information about your rights in relation to the personal data we hold in our capacity as a credit reference agency, please refer to the Credit Reference Agency Information Notice.

  • Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it. (If you want to see your credit report online, please visit https://www.transunion.co.uk/consumer-solutions/your-credit-report.)
  • Withdrawal of consent: When we rely on your consent to use your data, you have the right to withdraw that consent at any time. However, we do not rely on consent for the activities described in this privacy notice.
  • Objection to direct marketing: You have the right to object to us using your personal data for direct marketing purposes, including any profiling or similar activities which are performed as a precursor to direct marketing. The activities described in this privacy notice do not include the use of personal data for direct marketing purposes but you have the right to object to us doing so in the future.
  • Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
  • Objection to processing based on legitimate interests: Where we rely on the legitimate interests legal basis for using your personal data (see section 5 above), you can object to that use of the data. We will then review and decide the extent to which we can continue to use the data in light of your particular circumstances.
  • Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it.
  • Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
  • Portability: In some circumstances you have the right to receive some limited kinds of information in a portable format. However, this typically does not apply to the data to which this privacy notice applies.


Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

 

10. WHO CAN YOU COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA?

 

We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us using these details:

Post: Customer Relations Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: [email protected]

Telephone: 0330 024 7574

You can also contact our Data Protection Officer at [email protected].

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at www.ico.org.uk, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

If you’re a consumer with questions or issues related to your personal credit report, drivers history report, disputes, fraud, identity theft, credit report freeze or credit monitoring services, please visit our Customer Support Center for assistance.

Contact Us

TransUnion would like to send you original insight, commentary and research on data, software and analytics, early notifications of exclusive events and information about our products and services. If you would like to receive that information, please let us know using the following options:

For Sales enquiries please call (+44) 0113 868 2600

Alternatively, for all other enquiries please call us on (+44) 0113 388 4300

Please read our privacy notice , which explains who we are, how we collect and use your personal information and how you can exercise your privacy rights.

We're sorry, your request failed. Please try again in a little while.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.