General Privacy Notice

Version: 1.9

Date adopted: 23 February 2024

This privacy notice provides a high-level overview about how we use and share personal data across TransUnion Information Group. More detailed information can be found at the TransUnion Privacy Centre or in other privacy information you may have been given.

In Brief

At TransUnion we provide data and services to our clients for a wide range of purposes. These include:

  • Credit referencing services, which involve gathering personal data from credit providers and other organisations, and sharing that data with lenders for credit risk assessment and other purposes. This includes information about credit repayments, court judgments and insolvencies.
  • Data marketing services, which involve sharing data from the open register for marketing purposes, as well as customer insight analysis for our clients.

We also perform evaluations to find out whether data would be of use to us or our clients, and we share data for that purpose too.

Like any business, TransUnion also processes personal data to support its routine business operations. This includes handling data relating to business and consumer contacts and members of staff.

You have the right to object and withdraw your consent to our use of your personal data. Please see section 9 to find out more.

This notice covers the following topics:

1. Who are we and how can you contact us?

2. What do we use personal data for?

3. What kinds of personal data do we use, and where do we get it from?

4. How long is the personal data kept for?

5. What is our legal basis for handling personal data?

6. Who do we share the personal data with?

7. Where is the personal data stored and sent?

8. Is the personal data used to make decisions about you or to profile you?

9. What are your rights in relation to the personal data we hold about you?

10. Who can you complain to if you are unhappy about the use of your personal data?




About us


We are TransUnion Information Group (TU UK), which is a group of companies with headquarters at One Park Lane, Leeds, West Yorkshire LS3 1EP. The members of TU UK are listed in section 4 below. TU UK forms part of a larger group of TransUnion companies but this privacy notice only covers the activities of TU UK.

Different companies in TU UK have different roles and responsibilities for different sets of personal data. Where a member of TU UK acts as a controller of personal data it is responsible for ensuring that the data is used fairly and lawfully.


Joint controllers


TU UK companies sometimes act jointly with other TU UK companies when making decisions about your personal data. In particular, joint decisions are made when two or more TU UK companies are sharing personal data with each other.

Our members of staff work across TU UK group companies so, where our group companies make decisions jointly, those members of staff will ensure that each company involved complies with data protection rules. You can contact our Consumer Services Team if you want to enquire about any of our group companies or exercise any of your rights in respect of your personal data.


Contact details


You can contact us about issues relating to personal data, including the contents of this notice, through our Consumer Enquiries page.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.




This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we use for these purposes can be found in section 3 below.


Products and services


Many of our products and services rely on personal data. For example:

  • Our credit referencing and affordability services involve gathering personal data from credit providers and other organisations, and sharing that data with lenders for credit risk assessment and other purposes. This includes information about credit repayments, court judgments and insolvencies. See the Credit Reference Agency Information Notice for more details.

Example: credit referencing

If you apply for a loan from a bank or other lender, they may ask us for data about you to help them make a decision about whether or not you are likely to repay the loan, and whether you can afford the repayments. To help them with that assessment, we can provide them with information about how well you have managed your previous financial commitments, how much income goes into your current account, and whether you have had any CCJs, bankruptcies or other adverse financial circumstances.

  • Our identity verification and fraud prevention services involve gathering personal data from numerous sources and using it to help our clients to confirm the identity of consumers that they are dealing with. This helps them to prevent identity theft and other kinds of fraud. Other services we provide help to reduce the risk of money laundering.
  • Our open banking services allow consumers to authorise third parties to obtain access to transactions information from their current accounts. This helps to provide a faster, more efficient way for consumers to demonstrate their financial position to third parties if they choose to do so.
  • Our consumer reseller services enable consumers to view their credit reports and credit scores through websites operated by our resale partners.
  • Our data marketing services involve gathering personal data from data suppliers and sharing that data with organisations who use it for marketing and related purposes. This includes names and addresses from the open version of the electoral register. We also perform analysis on clients’ data to help them understand their customers. Please see our Marketing Services Privacy Notice and Marketing services and your data for more details.
  • Our consumer products (such as CreditView) involve gathering data from consumers, such as their names and contact details. We use that information to provide the users with our services. See the privacy notices on the relevant websites for more details.


Data evaluations


We use and share data for evaluation purposes. This includes assessing its suitability for a particular purpose and, for example, deciding whether or not it would be useful to us as part of a product or service. Sometimes it may be necessary to share data with a third party in order for them to be able to match it to data that they hold and return additional data to us.

When we evaluate data, we apply a range of safeguards to protect the interests of consumers. For example, we anonymise or pseudonymise the data where possible, we ensure it is protected with appropriate security measures, and we limit the quantities of data and the period for which it is used and retained.

Similarly, we sometimes provide data to our clients for them to evaluate it. This can help them understand whether our services would be of use to them. Data is only shared in this way for limited periods of time and is subject to strict restrictions on use.


Operating our business


We use personal data as part of our own internal operations. For example:

  • We hold names, job titles and contact details that we get from our business contacts (such as the representatives of our clients and suppliers), and we use this to manage our relationship with them and for marketing purposes. See our Business Contact Data Privacy Notice for more details.
  • We hold names, contact details and other information that we get from consumers who make contact with us, and we use that information to deal with their enquiries. See our Consumer Contact Data Privacy Notice for more details.
  • We hold information about our members of staff, and we use that information to manage our relationship with them. The information includes details such as employment and educational history, background checks and performance appraisals. Members of staff can find more information on the staff intranet.
  • We use CCTV cameras throughout the public areas of our business premises to help ensure the safety of our staff and visitors and the security of our information and assets.
  • We use personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from consumers or regulators about how we have used personal data.




We use a wide variety of personal data in our business, and we get it from many different sources. Some of the main types of data are described in section 2 above. For more details about the kinds of data used for each of the purposes described in section 2, please visit the privacy notice referred to above, or go to

Some of our most important types of data are:

Information typeDescriptionSource
Electoral register dataWe hold information from the electoral register (also known as the ‘Electoral Roll’). There are two versions of this. One is known as the open register (also known as the ‘Edited Electoral Roll’ or ‘EER’) and can be used for a variety of purposes including marketing. The other is the full register which we can only use for limited purposes.This data is supplied by local authorities across the UK and the Isle of Man.
Credit account performance dataWe receive personal data about how people are managing to repay their credit commitments.

The data includes the name of the lending organisation, the date the account was opened, the account number, the amount of debt outstanding (if any), any credit available (including overdraft limits) and the repayment history on the account, including late and missing payments.
This data is provided from banks, building societies and other financial services providers such as credit card companies, home credit suppliers, credit unions and hire purchase companies. It is also provided by utilities companies, mobile phone networks, retail and mail order companies and insurance companies.
Bank account turnover data and application salary dataThis data includes the name of the organisation providing current accounts, current account numbers, sort codes, the number of account holders, the transactions made on the current accounts (credits and in some cases debits), and a figure for all credits on each current account (less refunds and intra bank transfers).

Application salary data consists of the salary declared by a person when they are applying for credit. It also includes whether that figure is net or gross, and whether the salary has been verified (e.g. with copies of salary slips). This data also includes the date that an application was made.
This data is provided from organisations which offer people current accounts, such as banks and building societies.
Judgment dataWe obtain data about court judgments and decrees. This may include, for example, the name of the court, the nature of the judgment, how much money was owed, and whether the judgment has been satisfied.The government makes court judgments and other decrees and administrative orders publicly available through statutory public registers. These are maintained by Registry Trust Limited, which supplies the data on the registers to us.
Insolvency dataWe obtain data about insolvency-related events. This includes data about bankruptcies, administration orders, individual voluntary arrangements, debt relief orders, sequestrations, trust deeds and debt arrangement schemes. This data includes the start and end dates of the relevant insolvency or arrangement.This data is obtained from The Insolvency Service, the Accountant in Bankruptcy, The Stationary Office and Northern Ireland’s Department for the Economy – Insolvency Service, the London, Belfast and Edinburgh Gazettes and Registry Trust Limited.

Business insolvency data is obtained from the London, Belfast and Edinburgh Gazettes.



We keep personal data only for as long as is necessary for the purposes for which it is held. You will need to contact us (see section 1) or refer to the privacy notices at for our specific activities in order to find out exactly how long the data is kept for. The main points we think you might be interested in are:

  • Credit reference data (such as your credit history, judgments, bankruptcies, etc) generally stays on your credit file for a period of six years. After that it is not used to make any decisions about you, but it is still used for a further four years for statistical analysis purposes.
  • Electoral register data is kept for the period that you reside at the relevant address, and for a further 16 years after you have moved out.
  • Search footprints stay on your credit file for two years..




This section explains the legal basis on which we process your personal data.


Legitimate interests


The UK’s data protection law allows the use of personal data where necessary for legitimate purposes provided that this isn’t outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.

Most of our processing activities are based on the legitimate interests condition. This includes almost all our credit referencing and data marketing services. For more details about the legitimate interests we are pursuing, please refer to the relevant privacy notices (see links above).




We sometimes rely on consent to process personal data, but this is relatively rare. Again, please refer to the relevant privacy notices at for more details.

Performance of our contract with you


If you sign up for one of our online services, we agree to provide you with services as set out in the Terms & Conditions on the relevant website. We need to use some of your personal data to be able to provide you with those services. Please refer to the privacy notice on the relevant website for more details.

We also use this basis for processing some of our staff data.




Our group companies


We may share personal data among TU UK companies where appropriate. A list of TU UK companies is set out below, although the list may be updated from time to time.

Group companyMain trading address and registered office
TransUnion Information Group Limited
(company no. 4968328)
One Park Lane, Leeds, West Yorkshire LS3 1EP
TransUnion International UK Limited
(company no. 3961870)
Callcredit Marketing Limited
(company no. 2733070)


We may also share your personal data with other non-UK based companies within the wider TransUnion group. This includes:

  • TransUnion Baltics UAB, Karaliaus Mindaugo pr. 50, Kaunas LT – 4434, Lithuania
  • TransUnion Information Group Spain SLU, Avenida de la Industria 18 28760, Tres Cantos, Spain
  • iovation Inc, 555 W. Adams St, Chicago, Illinois 60661
  • TransUnion LLC, 555 West Adams Street, Chicago, Illinois 60661
  • TransUnion Global Technology Centre LLP, 9th Floor, Block 2,DLF IT/ITES Special Economic Zone Shivaji Gardens, Moonlight Stop, Manapakkam Saidapet Tamil Nadu 600089
  • TransUnion Global Capability Centre Africa (Pty) Ltd, G floor, 9 & 10 floor,11 Alice Lane, Sandton, 2196, Gauteng, Johannesburg, South Africa 2197 
  • TransUnion Global Capability Center Costa Rica Limitada, San Jose-Escazu San Rafael, Trejos Montealegre, De Escazu Village, Three Hundred Meters to the West, Banco General Building, Sixth Floor


Our clients and resale partners

We share personal data with our clients for the purposes described in section 2 above. Our clients will each have their own privacy notices which will provide more information about how they (specifically) use the data we supply.

Our clients typically operate in the following sectors:

  • financial services (including banks, loans, credit cards, mortgages, pensions, and investments and savings providers)
  • insurance
  • debt collection agencies
  • gaming / gambling
  • retail (including online retailers)
  • telecoms and utilities
  • professional services (such as legal and accountancy firms)
  • the public sector

In some cases our clients may appoint an intermediary to act on their behalf; these intermediaries will often receive the data too. We also appoint data resale partners who will distribute our data to third parties.


Service providers


We and our clients may provide your information to third parties who help us use it for the purposes described in section 2. For example:

  • Our databases of personal data may be hosted by third parties on our behalf.
  • Some of our products and services rely on us sending personal data to third parties who then analyse or enhance it and return the results to us.
  • We use third party email broadcasting services to send emails.
  • We use payment service providers in relation to any payments made by individuals.
  • We sometimes use market research companies to help us better understand our customers.
  • We use cloud-based technologies such as Microsoft Office 365 and Salesforce in the course of our ordinary business operations.
  • Our CCTV system is operated by a specialist sub-contractor, Cube Group Limited.

These service providers are generally not allowed to use information for their own purposes or on behalf of other organisations.


Business transfers


If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.




We may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.


Sharing of anonymised data with third parties


We may share anonymised information with other third parties, but only where the information cannot realistically be identified as relating to you.




Within the UK and the EU


We are based in the United Kingdom, and will access and your information from here. However, we also have operations elsewhere in Europe - currently Lithuania and Spain - and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.




We also send information elsewhere in the world. For example:

  • We make use of TransUnion group service companies (referred to as Global Capability Centres, or GCCs) located in India, South Africa, Costa Rica and the United States. See section 6 for more details.
  • When one of our other overseas group companies or branch offices based overseas needs to use the information.
  • Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.

While countries within the UK and European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information when required. For example, these safeguards might include:

  • Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
  • Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection. One example is the Data Privacy Framework that has been agreed between the UK, European and US authorities.

If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.




We perform the following automated decision-making and profiling activities using your personal data. When we refer to profiling, we mean using personal data to make predictions about you, or to categorise you into particular groups.


Individual-level profiling


We and our clients use personal data to predict or infer new information about you. In particular:

  • TransUnion International UK Limited uses the data that it gathers as a credit reference agency (such as credit and utility repayment history, judgments, insolvencies and the electoral register) to generate scores that can be used to help assess your creditworthiness.
  • Our data marketing services involve combining personal data with other information such as census statistics in order to make predictions about people’s lifestyles or preferences. When we do this, we are normally processing clients’ data on their behalf.

Examples: profiling for marketing purposes

A bank wants to send postal marketing to some of its customers who may be interested in their new premium credit card. We hold information about the typical residents of each postcode and the type of each property, and can add that information to the bank’s customer list. The bank can then identify which customers are most likely to be interested in the new card, which allows it to target its advertising towards those customers.

A high street retailer is deciding where to target its advertising. It provides us with its customer list. We add information about the postcodes and properties where those customers live, and analyse it to find out what kind of people shop at the retailer’s stores. We then look at where similar kinds of people live. This helps the retailer decide where to target its local advertising.

Aggregated profiling


We and our clients also use personal data to predict or infer information about the areas that people live in. This includes information such as the lifestyle, age or wealth of the typical residents of those areas. This information is used for the purposes described in section 2 above.




We generally do not use personal data or profiling to make automated decisions that have significant effects for you, but some of our clients may do so. For example, clients who receive credit scores from us may use those scores to help them decide whether to grant you credit.




You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please use our Consumer Enquiries page.

  • Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it. (If you want to see your credit report online, please visit
  • Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
  • Objection to direct marketing: You have the right to object to us using your personal data for direct marketing purposes. If you do this we will stop using it for those purposes.
  • Objection to legitimate interests: If you disagree with us relying on the legitimate interests grounds for using your personal data (see section 4 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
  • Withdrawal of consent: When we rely on your consent to use your data (see section 4 above), you have the right to withdraw that consent at any time.
  • Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it. For example, if you object to us using your data for direct marketing purposes we will need to keep a record of that objection so that we do not subsequently begin direct marketing activities in relation to you if we receive your data again.
  • Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
  • Portability: In some circumstances you have the right to receive some limited kinds of information in a portable format.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.




We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us through our Consumer Enquiries page.

You can also contact our Data Protection Officer at

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.