Marketing Services Privacy Notice

Version: 1.10
Updated: 3 October 2024

This privacy notice provides information about how we use and share personal data relating to consumers for our clients’ marketing purposes. It also describes your data protection rights, including a right to object to some of the processing which TransUnion carries out. More information about your rights, and how to exercise them, is set out in section 9 below. We also have a separate page with more detail about each of our marketing products and how data is used in them.

In Brief

At TransUnion we provide data and data services to clients such as retailers, banks, insurers and other companies. Our marketing-related services include providing names and addresses from the open register to our clients for postal direct marketing. This information may be used by our clients to send you advertising through the post.

You have the right to object to our use of your personal data. Please see section 9 to find out more.

This privacy notice covers the following topics:

  1. Who are we and how can you contact us?
  2. What do we use personal data for?
  3. What kinds of personal data do we use, and where do we get it from?
  4. How long is the personal data kept for?
  5. What is our legal basis for handling personal data?
  6. Who do we share the personal data with?
  7. Where is the personal data stored and sent?
  8. Is the personal data used to make decisions about you or to profile you?
  9. What are your rights?
  10. Who can you complain to if you are unhappy about the use of your personal data?

 

1. WHO ARE WE AND HOW CAN YOU CONTACT US?

 

About us

 

We are Callcredit Marketing Limited and TransUnion International UK Limited, which are companies registered in England and Wales with registered offices at One Park Lane, Leeds, West Yorkshire LS3 1EP.

We are part of TransUnion Information Group (TU UK), which has its headquarters at the above address. Some of the members of TU UK are listed in section 5 below. TU UK forms part of a larger group of companies but this privacy notice only covers the activities of TU UK.

Except where we state otherwise, we are a controller of the personal data covered by this privacy notice. This means that we are responsible for ensuring that the personal data is used fairly and lawfully.

 

Joint controllers

 

We sometimes act jointly with one or more of the other TU UK companies when making decisions about your personal data. In particular, we make joint decisions when we and another TU UK company are sharing personal data with each other. Section 3 explains when this applies in more detail.

Our members of staff work across TU UK group companies so, where our group companies make decisions jointly, those members of staff will ensure that each company involved complies with data protection rules. Please contact our Consumer Services Team if you want to understand more about the allocation of data protection obligations between our group companies or if you want to exercise your data protection rights.

 

Contact details

 

You can contact us about issues relating to personal data, including the contents of this notice, through our Consumer Enquiries page.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

 

2. WHAT DO WE USE PERSONAL DATA FOR?

 

This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we use for these purposes can be found in section 3 below. Please also refer to our Marketing services and your data page for more details about our marketing products and how they use data.

 

Direct marketing

 

Standalone open register

The open register (sometimes referred to as the edited electoral roll) is a version of the electoral register containing names and addresses of individuals who have not opted out of having their information used for marketing and other purposes.

We provide names and addresses from the open register to our clients in order for them to send marketing messages by post.

Example

An estate agent may wish to send postal marketing to local residents to inform them of their services. The estate agent can purchase names and addresses from TransUnion for the local area from the open register, and then send a mailing to those individuals.

More information about the open register (and how to opt out of it) is available on the UK Government website.

 

CAMEO

Our CAMEO UK datasets categorise and describe the likely characteristics of groups of households or postcodes and the people who live there. Grouping and categorising geographical areas and people in this way is sometimes called "segmentation".

CAMEO contains modelled data, which means it is inferred or estimated based on other information we hold such as the areas in which people live. For example, CAMEO data can be based on estimates of the average age, wealth and education level of the residents of an area, how rural or urban the area is, and what sort of properties are there.

CAMEO UK is built using publicly available data, such as UK census data supplied by the Office for National Statistics. We also use TransUnion's credit reference data (but not any financial data) to work out average ages and numbers of adults per household to help build the CAMEO product. Although CAMEO does not contain any financial data, we may use some financial data to test internally how accurate our descriptions of a particular postcode or household are.

Our CAMEO UK dataset is available at two levels:

  • Postcode level: Where CAMEO is held at postcode level, we do not consider it to be personal data because it only describes the likely characteristics of a population across entire postcodes. It does not identify individuals or distinguish between them.
  • Household level: Where CAMEO is held at household level, it can be personal data depending on how many people are in a particular household. Because we do not know at any point in time how many people are living in a household, we treat the entire CAMEO household level dataset as personal data as a precaution.

In either case, where CAMEO data is associated with a specific individual's name and address and used to make decisions affecting that individual, it is that person's personal data.

You have the same rights to opt out of the CAMEO household data being used for marketing purposes as you do with other personal data.

We supply CAMEO to our clients for a range of different purposes, including marketing. For example, clients might use it to help understand the likely characteristics of their customers, or to decide which areas to focus their marketing activity on, depending on the types of product they sell.

 

Product or systems development and testing

 

We sometimes use personal data while improving, developing, monitoring, maintaining and testing our products and systems. This includes making sure that our security measures are working properly. Where possible, we will anonymise, pseudonymise or aggregate the data before doing this.

 

Consumer queries; legal and regulatory purposes

 

If you contact us we will normally need to use your personal data to help us deal with your enquiry. We may also sometimes need to use your personal data for legal and regulatory purposes.

Examples: legal and regulatory purposes

If you object to us processing your personal data for direct marketing purposes we will add your name to our suppression list in order to remove you from future direct marketing activities.

If you make a complaint about us to our regulators, they will normally ask us to investigate your case. This will involve accessing your personal data in the course of that investigation.

Similarly, if you start court proceedings against us, we will normally need to review how we have used your personal data in order to defend ourselves against your claim.

Acting as processors on our clients’ behalf

 

Some clients provide us with their own data about individuals (which will typically have been collected under the client’s separate privacy notices), and ask us to enhance it with further information. When this happens, we can provide the client with information about the properties or areas in which the relevant individuals live.

Where we are not using any personal data we hold to provide this further information to clients, then we are acting as the client’s data processor; this means that the client remains responsible for ensuring that the personal data is used fairly and lawfully. You will need to refer to the privacy notices of the individual client for more detailed information about what data the client collects, what they use it for, and how to exercise your rights.

 

3. WHAT KINDS OF PERSONAL DATA DO WE USE AND WHERE DO WE GET IT FROM?

 

We obtain and use information from various different sources. These are summarised in the following table.

Type of information

DescriptionSource
Contact details 

We hold names, postal addresses and, in some cases, dates of birth. This information can be used for contacting people.

We do not hold or share email addresses or telephone numbers for the purposes described in this privacy notice.

Callcredit Marketing Limited and TransUnion International UK Limited act as joint controllers for their processing of this data.

We obtain postal addresses from the open version of the electoral register (the “open register”), which we get from local authorities across the UK and the Isle of Man.
Client input data

Our clients often provide us with information about their existing or potential customers for us to analyse or add more information on to. We do not use this data for our own purposes.

In some cases, the client acts as controller for the processing of this data, and Callcredit Marketing Limited or TransUnion International UK Limited acts as the client’s processor. In other cases (such as where TransUnion personal data is used to provide the service) Callcredit Marketing Limited and TransUnion International UK Limited act as joint controllers for their processing of the data.

This data is provided to us by our clients for specific jobs.
Modelled CAMEO UK data at household level

CAMEO UK provides various attributes and characteristics for each address, describing the household.

This is modelled data built using a variety of sources including publicly available data such as census data from the Office for National Statistics, and TransUnion's credit reference agency data (excluding financial information).

 

4. HOW LONG IS THE PERSONAL DATA KEPT FOR?

 

Type of informationRetention period
Contact details

Contact data obtained from the open version of the electoral register is retained while you remain on the open register plus an additional two months.

For details of how long TransUnion International UK Limited keeps electoral register data in its capacity as a credit reference agency, please refer to the Credit Reference Agency Information Notice.

Client input dataWe retain copies of client input data for up to 15 months.
Modelled CAMEO UK data at household levelCAMEO is maintained and updated on an ongoing basis and is periodically rebuilt and refreshed based on available data.

 

In some cases we may need to keep information indefinitely. For example, if you object to us using your data for marketing purposes (see section 9) we will need to keep some limited information about you such as your name, address and date of birth so that we can remove or suppress your record from any data that we may receive in the future.

 

5. WHAT IS OUR LEGAL BASIS FOR HANDLING PERSONAL DATA?

 

This section explains the legal basis on which we process your personal data.

 

Legitimate interests

 

The UK’s data protection law allows the use of your personal data where necessary for legitimate purposes provided that this isn’t outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.

The legitimate interests we are pursuing are:

 

InterestExplanation
Direct marketingOur clients have an interest in promoting their products and services to consumers, including their existing customers.
Monitoring and securing our systems and dataSome of the ways we use personal data are justified by the need to ensure that our systems are kept secure. For example, our security teams may need to monitor databases in order to check whether they have been accessed by third parties.
Complying with legal and regulatory requirementsWe have an interest in complying with legal and regulatory requirements to which we are subject, thereby avoiding sanctions and reputational damage.
Promoting responsible, efficient and informed marketing activities for the benefit of consumers and businessesSome of our activities, such as Over 18 Validation, help to ensure that clients' marketing strategies are responsible, informed and efficient. This helps them to avoid waste (driving costs down and increasing competition) and avoid sending inappropriate marketing communications.
Commercial interestsLike other commercial organisations, we seek to earn revenue through the services that we provide to our customers and clients.

 

6. WHO DO WE SHARE THE PERSONAL DATA WITH?

 

Our clients and resale partners

 

We share personal data with our clients for the purposes described in section 2 above. Our clients will each have their own privacy notices which will provide more information about how they (specifically) use the data we supply.

Our clients typically operate in the following sectors:

  • financial services (including banks, loans, credit cards, mortgages, pensions, and investments and savings providers)
  • insurance
  • gaming / gambling
  • retail (including online retailers)
  • telecoms and utilities
  • marketing agencies acting for other organisations

In some cases our clients may appoint an intermediary to act on their behalf; these intermediaries will often receive the data too.

We also appoint data resale partners who will distribute open register data to their clients in a similar manner to the ways we do. Our current resale partner for the standalone open register is Sagacity Data Limited. Please see their privacy notice and preference centre for more detail about their activities.

We do not provide data for use in relation to road traffic accident or personal injury claims, medical or clinical negligence claims, PPI compensation claims, pornography or political campaigning.

 

Our group companies

 

We may share your personal data among the members of TU UK. If we do so, then use of the data by those companies will be governed by this privacy notice. A list of relevant TU UK companies is set out below, although the list may be updated from time to time.

Group companyRoleMain trading address and registered office
TransUnion Information Group Limited
(company no. 4968328)
Group holding companyOne Park Lane, Leeds, West Yorkshire LS3 1EP
TransUnion International UK Limited
(company no. 3961870)
Collects open register data from local authorities and supplies it to clients (directly or through Callcredit Marketing Limited) for onward supply to clients for direct marketing purposes. Makes available limited types of credit reference data for certain purposes described in section 2 above, such as age validation.
Callcredit Marketing Limited
(company no. 2733070)
Trading company which provides clients with the services described in section 2 above.

We may also share your personal data with other non-UK based companies within the wider TransUnion group. This includes:

  • TransUnion LLC, 555 West Adams Street, Chicago, Illinois 60661
  • TransUnion Global Technology Centre LLP, 9th Floor, Block 2,DLF IT/ITES Special Economic Zone Shivaji Gardens, Moonlight Stop, Manapakkam Saidapet Tamil Nadu 600089
  • TransUnion Global Capability Centre Africa (Pty) Ltd, G floor, 9 & 10 floor,11 Alice Lane, Sandton, 2196, Gauteng, Johannesburg, South Africa 2197
  • TransUnion Global Capability Center Costa Rica Limitada, San Jose-Escazu San Rafael, Trejos Montealegre, De Escazu Village, Three Hundred Meters to the West, Banco General Building, Sixth Floor

Service providers

 

We and our clients may provide your information to third parties who help us use it for the purposes described in section 2. For example, we might decide to use a third party data hosting company, or a data processing company to perform some of the data processing on our behalf.

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations, unless you agree otherwise.

Business transfers

 

If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.

 

Regulators and law enforcement

 

Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required for the legal protection of our legitimate interests in compliance with applicable laws. For example, we may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.

 

Sharing of anonymised data with third parties

 

We may share anonymised information with other third parties, but only where the information cannot realistically be identified as relating to you.

 

 

7. WHERE IS THE PERSONAL DATA STORED AND SENT?

 

Within the UK and the EU

 

We are based in the United Kingdom and will access and use your information from here. However, we also have operations in the European Union, and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.

 

Elsewhere

 

We also send information elsewhere in the world. For example:

  • We make use of TransUnion group service companies (referred to as Global Capability Centres, or GCCs), located in India, South Africa, Costa Rica and the United States. See section 6 for more details.
  • When one of our overseas group companies or branch offices based overseas needs to use the information in accordance with this notice.
  • Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.

While the United Kingdom and countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

  • Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
  • Sending the information to an organisation which is a member of a scheme that has been approved by the authorities as providing a suitable level of protection. One example is the Data Privacy Framework that has been agreed between the UK, European and US authorities.

If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.

 

8. IS THE PERSONAL DATA USED TO MAKE AUTOMATED DECISIONS ABOUT YOU OR TO PROFILE YOU?

 

We do not use any personal data to make automated decisions that have significant effects on people.

We perform profiling when we create CAMEO data at household level. This is because it involves inferring or estimating information about the characteristics of the household, such as expected age, wealth or education level. Please see section 2 for more details.

We also perform profiling when acting as a client’s processor. For example, we may take a client’s marketing list and add information about your property or neighbourhood, which the client may use to help predict your likely preferences and lifestyle in order to aid their marketing decisions. This may result in you receiving more relevant marketing from our clients who already hold your contact details. If you do not want to receive this marketing, you should contact the sender of the marketing in order to object.

 

9. WHAT ARE YOUR RIGHTS?

 

You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please use our Consumer Enquiries page.

  • Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it.
  • Objection to direct marketing: You have the right to object to us using your personal data for direct marketing purposes, including any profiling or similar activities which are performed as a precursor to direct marketing. If you do this we will stop using it for those purposes.

In addition:

  • Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
  • Objection to legitimate interests: If you disagree with us relying on the legitimate interests grounds for using your personal data (see section 5 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
  • Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it. For example, if you object to us using your data for direct marketing purposes we will need to keep a record of that objection so that we do not subsequently begin direct marketing activities in relation to you if we receive your data again.
  • Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
  • Portability: In some circumstances you have the right to receive some limited kinds of information in a portable format. However, this does not apply to the data to which this privacy notice applies.
  • Withdrawal of consent: We do not rely on your consent in order to perform the activities described in this privacy notice, so this right does not apply.

Please note that these rights apply only where we are acting as a controller of your personal data. When we are processing your data on behalf of a particular client, you will normally need to contact the client in order to exercise your rights.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

 

10. WHO CAN YOU COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA?

 

We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us through our Consumer Enquiries page.

You can also contact our Data Protection Officer at ukdpo@transunion.com..

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at www.ico.org.uk, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.