TransUnion Open Banking Service Privacy Notice

Version: 2.6

Date adopted: 14th September 2022

This document provides an overview about how we use and share personal data that we receive and use in connection with the account information services we provide to consumers and the TransUnion Open Banking service that we provide to our business clients.

In brief

We will use and share your personal data in connection with the account information service we provide to you and the TransUnion Open Banking service that we provide to our business clients. This includes:

  • Providing our business client with information about your Account (including account details, transactions and regular payments) as well as our analysis of this information.

  • Storing copies of your personal data for reporting and audit purposes.

  • Using your personal data while improving, developing or testing our products and systems.

  • Using your personal data for legal and regulatory purposes. 

  • If requested by our business client, providing them with fraud prevention services which may leave a non-score impacting footprint on your credit file.

You have the right to object to our use of your personal data. Please see section 9 to find out more.

This privacy notice covers the following topics:

1. Who we are and how you can contact us

2. What we use personal data for

3. What kinds of personal data we use, and where we get it from

4. Our legal grounds for handling personal data

5. Who we share the personal data with

6. Where the personal data stored and sent

7. How long is the personal data is kept for

8. Whether the personal data is used to make automated decisions about you or to profile you

9. Your rights in relation to the personal data that we hold about you

10. Who can you complain to if you are unhappy about the use of your personal data

11. The cookies used on the website

You have the right to object to our use of your personal data. Please see section 9 to find out more.

This privacy notice should be read together with the Terms of Service for the Service we are providing to you. A copy of the Terms of Service is available [here]. It contains the meanings of certain words we use here, such as “Account”, “Service”, “Referring Company” and “Bank”.

 

1 WHO WE ARE AND HOW YOU CAN CONTACT US

 

We are TransUnion International UK Limited, which is a company registered in England and Wales with company number 03961870. Our trading address and registered office is at One Park Lane, Leeds, West Yorkshire LS3 1EP.

TransUnion International UK Limited forms part of a larger group of companies known as the TransUnion Information Group, however this privacy notice only applies to the use of personal data obtained by TransUnion International UK Limited in connection with the delivery of this Service unless we say otherwise.

We are a controller of the personal data covered by this privacy notice. This means that we are responsible for ensuring that your personal data is used fairly and lawfully.

You can contact us about issues relating to personal data, including the contents of this notice, by any of the following methods:

Post: Consumer Services Team, TransUnion, Consumer Services Team, PO BOX 491, Leeds, LS3 1WZ

Email: consumer@transunion.co.uk

Telephone: 0330 024 7574

 

2. WHAT DO WE USE PERSONAL DATA FOR?

 

This section explains the purposes for which we use personal data about you. More details about the types of personal data that we might use for these purposes can be found in section 3 below.

  • Providing you with the Service

We use your personal data to provide you with the Service, as described in the Terms of Service, a copy of which is available [here]. In order to provide you with this Service, we will need to obtain your personal data and share your personal data with the Referring Company.

As part of providing you with the Service, we also store copies of your personal data for reporting and audit purposes.

  • Providing the TransUnion Open Banking service to the organisation that has directed you to us (also called the “Referring Company” in this notice)

We use your personal data to provide the TransUnion Open Banking service (as described in section 4 below) to the Referring Company that you are dealing with. In particular, we electronically provide the organisation with information about your Account (including account details, transactions and regular payments) as well as our analysis of this information. This is to save you from having to provide paper copies of your Account information to the Referring Company.

Each Referring Company will have its own intended use for the Account information we provide to them. We will explain the intended use on the website when we ask you for permission to access this data. We recommend contacting the Referring Company that you are dealing with if you require further information about how they will use the personal data we provide to them in the delivery of the TransUnion Open Banking service.

As part of the TransUnion Open Banking service we provide to the Referring Company, we also store copies of your personal data for reporting and audit purposes.

  • Prevention and detection of fraud and other crime

In order to detect or prevent fraud (for example, to confirm you have only provided information about an Account that belongs to you), we may use your personal data to identify suspicious or fraudulent behaviours, if we are requested to do so by the Referring Company.

We may retain and re-use this data but solely for the purposes of identity verification and the prevention of fraud, money laundering or other financial crime.

  • Product/systems improvement, development and testing

We may sometimes use your personal data while improving, developing or testing our products and systems. This includes making sure that our data categorisation is accurate and that our security measures are working properly. Where possible, we will anonymise or pseudonymise (partially anonymise) the data before doing this.

  • Legal and regulatory purposes

We may use your personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from you or a regulator about how we have used your personal data. 

  • Combining data

The information you give us may be combined with other information about you that is obtained from other sources, and the combined data may be used in accordance with this privacy notice. For example:

  • the information you give us may be compared with data available elsewhere to validate the information you have provided (for example in the context of anti-fraud measures).
  • the information you give us may be combined with other information that we collect about you to assist with the detection and prevention of fraud or financial crime.

 

3. THE KINDS OF PERSONAL DATA DO WE USE AND WHERE WE GET IT FROM

 

We obtain and use information from various different sources in the delivery of this Service. These are summarised in the following table.

Type of information

Description

Source

Identifiers

This includes your name, date of birth and current and previous addresses.

We obtain this information from the Referring Company.

A unique identifier and declared salary

A unique identifier will be assigned to you by the Referring Company.  Information you have provided to the Referring Company about your current salary may also be provided to us.

We obtain this information from the Referring Company.

Information about your Account, including account details, transactions and regular payments.

This includes the following information:

  • your account name, number, sort code and balance; and
  • details of your incoming and outgoing transactions.

This information is obtained from your Bank.

Your requests and enquiries

This is information you provide to us when you are visiting our website (such as clicking on buttons to confirm your consent) or as part of another request or enquiry (for instance, to obtain technical support).

We obtain this information directly from you.

 

4. OUR LEGAL GROUNDS FOR HANDLING PERSONAL DATA

 

This section explains the legal basis on which we process your personal data when delivering this Service to you and the TransUnion Open Banking Service to the Referring Company.

Please note that, while we require your explicit consent to provide this Service under financial regulations, we do not require your explicit consent to process your personal data in connection with the provision of this Service under data protection laws. This is because our legal basis for processing your personal data is based on the following legal grounds (rather than your consent).

  • Performance of our contract with you

Where you give your explicit consent to use this Service, you enter into a contract with us for the provision of this Service, which is governed by the Terms of Service. A copy of the Terms of Service is available [here].

In order to provide you with this Service that you have consented to in accordance with the Terms of Service, we will need to obtain your personal data and share your personal data with the Referring Company.

We may ask to access your information on a one-off basis or periodically over a 90 day period, depending upon the Referring Company’s request to us. You can opt to disconnect access to you Account(s) at any time. At the end of the 90 day period, we or the Referring Company may ask you to refresh this access for a further 90 days at a time. If you choose to refresh this access you may be asked to confirm this choice to your Bank(s) and this may involve you being redirected to your Bank's online banking login page where you may be prompted to enter your login details. We will not see, record or store any of the login details you enter. You will be responsible for ensuring that you provide the correct log in details to your Bank. If you repeatedly provide your Bank with incorrect login details, this may result in your access to your Account(s) being blocked and may mean we can no longer provide the Service as a result.

  • Legitimate Interests

The UK's data protection laws allow us to use your personal data where necessary for legitimate purposes provided that this isn't outweighed by the impact it has on you. The law calls this the "legitimate interests" basis for processing personal data.

The legitimate interests we are pursuing are:

InterestExplanation
Delivery of the TransUnion Open Banking Service (which includes requesting Information about your nominated Account(s) from Your Bank, passing this Information to the Referring Company and undertaking analysis of your Information to help the Referring Company make its assessment about you)

As noted above, where you consent to this Service, we are bound by the terms of our contract with you to collect your personal data and share this with the Referring Company.

We also have a commercial interest in offering the TransUnion Open Banking Service to our clients that have a need for it for the growth of our business, and the use of personal data is essential to the delivery of this service and therefore to fulfil this commercial interest.

Improving, developing and testing our products and servicesWe have an interest in improving, developing and testing our products in order to help ensure that our services are processing data accurately and that we remain competitive. This includes ensuring that our products can provide accurate results for our clients, and including more data in our processes helps improve the accuracy of results.
Helping prevent and detect crime and fraud; anti-money laundering; and identity verificationWe provide identity, anti-fraud and anti-money laundering services to help clients meet legal and regulatory obligations, and to the benefit of individuals to support identity verification and support of the detection and prevention of fraud and money-laundering.
Complying with and supporting compliance with legal and regulatory requirementsWe have to comply with various legal and regulatory requirements, and our services also help other organisations comply with their own legal and regulatory obligations. For example, many kinds of financial services are regulated by the Financial Conduct Authority or the Prudential Regulation Authority, who impose obligations to check that financial products are suitable for the people they are being sold to. We provide data to help with those checks.
Providing support servicesWe are required to provide ancillary and support services to clients, which includes reporting on the services we have provided for audit purposes and assisting you with any technical queries you may have about the Service.
Performance Monitoring

We have an interest in monitoring the perfomance of our services, to help identify any technical errors or areas of improvement.

 

Our use of personal data is subject to an extensive framework of safeguards that help make sure that your rights are protected. These include the information you are given in this notice about how your personal data will be used and how you can exercise your rights to obtain your personal data, have it corrected or restricted, object to it being processed, and complain if you are dissatisfied. These safeguards help sustain a fair and appropriate balance so that our activities do not compromise your interests, fundamental rights and freedoms.

  • Necessity for compliance with a legal obligation

The UK's data protection laws allow us to use your personal data where necessary in order to comply with the legal and regulatory obligations that apply to us. For example, in order to provide the Service, we have to comply with our obligations as a registered account information service provider under the Payment Services Regulations 2017. This means that we use your personal data as required under these regulations.

 

5. WHO WE SHARE THE PERSONAL DATA WITH

 

  • The Referring Company / Our client

The purpose of this Service is to enable the electronic sharing of your Account information between Your Bank and the Referring Company you are dealing with to obtain a service or financial product. This organisation will be our client, as they will have appointed us to provide this Service for you and their other customers.

In the delivery of this Service, we facilitate the sharing of information between Your Bank and the Referring Company.

We may also share information about how you have used our website with the Referring Company. You provide this information to us when you visit our website (such as clicking on buttons to confirm your consent). This helps the Referring Client to monitoring the performance of our Services and to help identify any technical errors or areas of improvement.

  • Our group companies

We may share your personal data with other companies in the TransUnion Information Group for the purposes of improving, developing and testing our existing product and services and new product development. A list of the relevant TransUnion Information Group companies is set out below:

Group company

Main trading address and registered office

TransUnion Information Group Limited
(company no. 4968328)

One Park Lane, Leeds, West Yorkshire LS3 1EP

TransUnion Baltics, UAB
(company no. 302689020)

Karaliaus Mindaugo pr. 50, Kaunas LT- 44334, Lithuania

  • Service Providers

We may provide your information to third parties who help us use it for the purposes described in section 2. For example:

  • our products may be hosted by third party cloud platform providers on our behalf;
  • we may use third parties to support, maintain and test our products and services and to help us to answer consumer queries.

These service providers may also be our group companies, some of which are listed above.

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations.

  • Business transfers

If we sell our business to a third party, or go through a corporate re-organisation, we will transfer personal data to the company that acquires the business.

If an acquirer intends to use your personal data in a way which is not set out in this notice, they will contact you shortly after the acquisition to inform you about how they are going to use your data.

  • Regulators and Fraud Prevention Agencies

We may be compelled to share personal data with our regulators, including the Information Commissioner's Office and the Financial Conduct Authority. Where we suspect fraudulent activity, we may also pass personal data to the police and fraud prevention agencies.

 

6. WHERE THE PERSONAL DATA STORED AND SENT

 

Within Europe

 

We are based in the United Kingdom and will access and use personal data from here. One of our group companies is based in Lithuania, and so personal data may be accessed from there too. In these locations, the use of the information is protected by European data protection standards.

The Referring Company that you are dealing with, and that will be receiving your personal data, may have operations outside of Europe – please check its own privacy notice for further details.

 

Outside Europe

 

We may also send information elsewhere in the world. For example:

  • When one of our overseas group companies or branch offices based overseas needs to use the information.
  • Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.

While countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

  • Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
  • Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection.

You can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.

 

7. HOW LONG THE PERSONAL DATA IS KEPT FOR

 

We keep your personal data only for as long as necessary for the purposes for which it is used, as set out in section 2 above.

We will keep a record of your personal data used in connection with this Service and the TransUnion Open Banking Service for a period of two years.

Where we use your personal data in connection with the improvement, development and testing of our products and services, we may keep your information for a period of two years. If we have anonymised your data in connection with this purpose, we may keep and use anonymous data indefinitely.

Where we use your personal data to comply with our legal and regulatory requirements, we will typically retain a copy of your personal data for a further period of five years after we used it for that purpose.

Search footprints are kept for a total of six years however they will only be visible on your credit file for two years. A further four years of data are used for profiling and statistical analysis.

 

8. WHETHER THE PERSONAL DATA IS USED TO MAKE AUTOMATED DECISIONS ABOUT YOU OR TO PROFILE YOU

 

We do not use the personal data obtained from the delivery of this Service to make automated decisions about you.

Our role is to obtain this information from Your Bank and deliver it to the Referring Company (our client). The information that we share with our client in the delivery of this Service may then be used by our client to conduct an assessment or to make a decision about you. However, our clients will likely hold other information about you which will inform their decision.

We would recommend contacting the Referring Company that you are dealing with if you require further information about how they will use the personal data we provide to them in the delivery of the TransUnion Open Banking service.

 

9. YOUR RIGHTS IN RELATION TO THE PERSONAL DATA THAT WE HOLD ABOUT YOU

 

You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please use the contact details set out in section 1.

  • Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it. We may need to ask you to provide additional information to help us to confirm that the personal data we hold is yours.
  • Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
  • Objection to legitimate interests: If you disagree with us relying on the legitimate interests grounds for using your personal data (see section 4 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
  • Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it. For example, if you ask us to erase personal data which we are required to keep under the legal and regulatory obligations that apply to us, we will not be able to action your request.
  • Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
  • Portability: In some circumstances you have the right to request that we send to you or a third party a copy the personal data you have provided to us in a portable format. However, in the delivery of this Service we are predominantly using personal data provided to us from other sources and not from you directly, which means the right will rarely apply.
  • Withdrawal of consent: While we rely on your consent to share or  access your Open Banking data, we are unable to provide this Service without it. We therefore do not rely on your consent to process your personal data in the delivery of this Service, therefore your right to withdraw consent does not apply .

 

10. WHO YOU CAN COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA

 

We try to ensure that we deliver the best levels of customer service, but if you are not happy about how we use your personal data you should contact us so that we can investigate your concerns. Please contact us using the details in section 1.

You can also contact our Data Protection Officer at: dpo@transunion.co.uk

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the UK. You can do this online through the ICO’s website at www.ico.org.uk/concerns, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

 

11. THE COOKIES USED ON THE WEBSITE

 

We use cookies and similar technologies to distinguish you from other users of the website. This helps us to provide you with a good experience when you browse the website and also allows us to personalise and improve the website.

A cookie is a small file of letters and numbers that we put on your device. Similar technology refers to any other technology that stores or accesses information from your device. We use the following kinds of cookie and similar technologies (referred to below as 'cookies'):

  • Strictly necessary cookies. These are cookies that are required for the operation of the website.
  • Analytical/performance cookies. These cookies allow us to recognise and count the number of visitors and to see how visitors move around the website when they are using it. This helps us to improve the way our website works.

You can find more information about the individual cookies we use and the purposes for which we use them in the table below.

NamePurpose
_ga, _gat, _gidThese are Google Analytics cookies used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information such as the number of visitors to the site, where visitors have come to the site from and the pages they have visited and how they interacted with the website.
tuob:cookie:acceptThis cookie is used to record whether the current user has given consent to accept cookies on their browser.
tuob:cookie:analyticsThis cookie is used to record whether the current user has given permission to collect data for analytical/performance cookies. If no consent is given, analytical/performance cookies will not collect information.
.AuthCookie.ConsumerApiStores encrypted information to identify the current user whilst navigating through the site. This cookie is removed when the user leaves the site.
.AntiForgery.ConsumerApiThis cookie is used to prevent Cross-Site Request Forgery.
_cfduid, __cf_bmThird party cookies used for security and fraud prevention purposes (namely the detection of malicious visitors and bots).
Query.ConsumerApiStores encrypted query parameter information that is passed to the website by clients.
s_ecid, s_cc, s_sq, s_vi, s_fid, AMCV_###@AdobeOrgThese are Adobe Analytics cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information such as the number of visitors to the site, where visitors have come to the site from and the pages they have visited and how they interacted with the website.

 

You can block cookies using your browser settings that allow you to refuse all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access parts of our website or use some of its features. For more information about this, and about cookies in general, you may wish to visit www.aboutcookies.org.