General Privacy Notice

TRANSUNION GENERAL PRIVACY NOTICE

Version: 1.6
Date adopted: 13th April 2021

This privacy notice provides a high-level overview about how we use and share personal data across TransUnion Information Group. More detailed information can be found at the TransUnion Privacy Centre or in other privacy information you may have been given. given.

You have the right to object and withdraw your consent to our use of your personal data. Please see section 9 to find out more.

This notice covers the following topics:

1. Who are we and how can you contact us?

2. What do we use personal data for?

3. What kinds of personal data do we use, and where do we get it from?

4. How long is the personal data kept for?

5. What is our legal basis for handling personal data?

6. Who do we share the personal data with?

7. Where is the personal data stored and sent?

8. Is the personal data used to make decisions about you or to profile you?

9. What are your rights in relation to the personal data we hold about you?

10. Who can you complain to if you are unhappy about the use of your personal data?

1. WHO WE ARE AND HOW YOU CAN CONTACT US

About us

We are TransUnion Information Group (TU UK), which is a group of companies with headquarters at One Park Lane, Leeds, West Yorkshire LS3 1EP. The members of TU UK are listed in section 4 below. TU UK forms part of a larger group of TransUnion companies but this privacy notice only covers the activities of TU UK.

Different companies in TU UK have different roles and responsibilities for different sets of personal data. Where a member of TU UK acts as a controller of personal data it is responsible for ensuring that the data is used fairly and lawfully.

Joint controllers

TU UK companies sometimes act jointly with other TU UK companies when making decisions about your personal data. In particular, joint decisions are made when two or more TU UK companies are sharing personal data with each other.

Our members of staff work across TU UK group companies so, where our group companies make decisions jointly, those members of staff will ensure that each company involved complies with data protection rules. You can contact our Consumer Services Team if you want to enquire about any of our group companies or exercise any of your rights in respect of your personal data.

Contact details

You can contact us about issues relating to personal data, including the contents of this notice, by any of the following methods:

Post: Customer Services Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: consumer@transunion.co.uk

Telephone: 0330 024 7574

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

2. WHAT DO WE USE PERSONAL DATA FOR?

This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we use for these purposes can be found in section 3 below.

Products and services

Many of our products and services rely on personal data. For example:

• Our credit referencing and affordability services involve gathering personal data from credit providers and other organisations, and sharing that data with lenders for credit risk assessment and other purposes. This includes information about credit repayments, court judgments and insolvencies. See the Credit Reference Agency Information Notice for more details.

Example: credit referencing

If you apply for a loan from a bank or other lender, they may ask us for data about you to help them make a decision about whether or not you are likely to repay the loan, and whether you can afford the repayments. To help them with that assessment, we can provide them with information about how well you have managed your previous financial commitments, how much income goes into your current account, and whether you have had any CCJs, bankruptcies or other adverse financial circumstances.

• Our identity verification and fraud prevention services involve gathering personal data from numerous sources and using it to help our clients to confirm the identity of consumers that they are dealing with. This helps them to prevent identity theft and other kinds of fraud. Other services we provide help to reduce the risk of money laundering.
• Our open banking services allow consumers to authorise third parties to obtain access to transactions information from their current accounts. This helps to provide a faster, more efficient way for consumers to demonstrate their financial position to third parties if they choose to do so.
• Our consumer reseller services enable consumers to view their credit reports and credit scores through websites operated by our resale partners.
• • Our data marketing services involve gathering personal data from data suppliers and sharing that data with organisations who use it for marketing and related purposes. This includes names and addresses from the open version of the electoral register. We also perform analysis on clients’ data in order to help them understand their customers. Please see our Marketing Services Privacy Notice for more details.
• Our consumer products (such as CreditView) involve gathering data from consumers, such as their names and contact details. We use that information to provide the users with our services. See the privacy notices on the relevant websites for more details.

Data evaluations

We use and share data for evaluation purposes. This includes assessing its suitability for a particular purpose and, for example, deciding whether or not it would be useful to us as part of a product or service. Sometimes it may be necessary to share data with a third party in order for them to be able to match it to data that they hold and return additional data to us.

When we evaluate data, we apply a range of safeguards to protect the interests of consumers. For example, we anonymise or pseudonymise the data where possible, we ensure it is protected with appropriate security measures, and we limit the quantities of data and the period for which it is used and retained.

Similarly, we sometimes provide data to our clients in order for them to evaluate it. This can help them understand whether or not our services would be of use to them. Data is only shared in this way for limited periods of time and is subject to strict restrictions on use.

Operating our business

We use personal data as part of our own internal operations. For example:

• We hold names, job titles and contact details that we get from our business contacts (such as the representatives of our clients and suppliers), and we use this to manage our relationship with them and for marketing purposes. See our Business Contact Data Privacy Notice for more details.
• We hold names, contact details and other information that we get from consumers who make contact with us, and we use that information to deal with their enquiries. See our Consumer Contact Data Privacy Notice for more details.
• We hold information about our members of staff, and we use that information to manage our relationship with them. The information includes details such as employment and educational history, background checks and performance appraisals. Members of staff can find more information on the staff intranet.
• We use CCTV cameras throughout the public areas of our business premises to help ensure the safety of our staff and visitors and the security of our information and assets.
• We use personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from consumers or regulators about how we have used personal data.

3. WHAT KINDS OF PERSONAL DATA DO WE USE, AND WHERE DO WE GET IT FROM?

We use a wide variety of personal data in our business, and we get it from many different sources. Some of the main types of data are described in section 2 above. For more details about the kinds of data used for each of the purposes described in section 2, please visit the privacy notice referred to above, or go to www.transunion.co.uk/privacy.

Some of our most important types of data are:

4. HOW LONG IS THE PERSONAL DATA KEPT FOR?

We keep personal data only for as long as is necessary for the purposes for which it is held. You will need to contact us (see section 1) or refer to the privacy notices at www.transunion.co.uk/privacy for our specific activities in order to find out exactly how long the data is kept for. The main points we think you might be interested in are:

• Credit reference data (such as your credit history, judgments, bankruptcies, etc) generally stays on your credit file for a period of six years. After that it is not used to make any decisions about you, but it is still used for a further four years for statistical analysis purposes.
• Electoral register data is kept for the period that you reside at the relevant address, and for a further 14 years after you have moved out.
• Search footprints stay on your credit file for two years..

5. WHAT IS OUR LEGAL BASIS FOR HANDLING PERSONAL DATA?

This section explains the legal basis on which we process your personal data.

Legitimate interests

The UK’s data protection law allows the use of personal data where necessary for legitimate purposes provided that this isn’t outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.

Most of our processing activities are based on the legitimate interests condition. This includes almost all of our credit referencing and data marketing services. For more details about the legitimate interests we are pursuing, please refer to the relevant privacy notices (see links above).

Consent

We sometimes rely on consent in order to process personal data, but this is relatively rare. Again, please refer to the relevant privacy notices at www.transunion.co.uk/privacy for more details.

Performance of our contract with you

If you sign up for one of our online services, we agree to provide you with services as set out in the Terms & Conditions on the relevant website. We need to use some of your personal data in order to be able to provide you with those services. Please refer to the privacy notice on the relevant website for more details.

We also use this basis for processing some of our staff data.

6. WHO DO WE SHARE THE PERSONAL DATA WITH?

Our group companies

We may share personal data among TU UK companies where appropriate. A list of TU UK companies is set out below, although the list may be updated from time to time.

Our clients and resale partners

We share personal data with our clients for the purposes described in section 2 above. Our clients will each have their own privacy notices which will provide more information about how they (specifically) use the data we supply.

Our clients typically operate in the following sectors:

• financial services (including banks, loans, credit cards, mortgages, pensions, and investments and savings providers)
• insurance
• debt collection agencies
• gaming / gambling
• retail (including online retailers)
• telecoms and utilities
• professional services (such as legal and accountancy firms)
• the public sector

In some cases our clients may appoint an intermediary to act on their behalf; these intermediaries will often receive the data too. We also appoint data resale partners who will distribute our data to third parties.

Service providers

We and our clients may provide your information to third parties who help us use it for the purposes described in section 2. For example:

• Our databases of personal data may be hosted by third parties on our behalf.
• Some of our products and services rely on us sending personal data to third parties who then analyse or enhance it and return the results to us.
• We use third party email broadcasting services in order to send emails.
• We use payment service providers in relation to any payments made by individuals.
• We sometimes use market research companies to help us better understand our customers.
• We use cloud-based technologies such as Microsoft Office 365 and Salesforce in the course of our ordinary business operations.
• Our CCTV system is operated by a specialist sub-contractor, Cube Group Limited.

These service providers are generally not allowed to use information for their own purposes or on behalf of other organisations.

Business transfers

If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.

Regulators

We may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.

Sharing of anonymised data with third parties

We may share anonymised information with other third parties, but only where the information cannot realistically be identified as relating to you.

7. WHERE IS THE PERSONAL DATA STORED AND SENT?

Within the UK and the EU

We are based in the United Kingdom, and will access and your information from here. However, we also have operations in Lithuania and Spain, and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.

Elsewhere

We also send information elsewhere in the world. For example:

• When one of our overseas group companies or branch offices based overseas needs to use the information. For example, the wider TransUnion group has headquarters in the United States, and also has operations elsewhere in the world such as South Africa and India.
• Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.

While countries within the UK and European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

• Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
• Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection.

If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.

8. IS THE PERSONAL DATA USED TO MAKE DECISIONS ABOUT YOU OR TO PROFILE YOU?

We perform the following automated decision-making and profiling activities using your personal data. When we refer to profiling, we mean using personal data to make predictions about you, or to categorise you into particular groups.

Individual-level profiling

We and our clients use personal data in order to predict or infer new information about you. In particular:

• TransUnion International UK Limited uses the data that it gathers as a credit reference agency (such as credit and utility repayment history, judgments, insolvencies and the electoral register) to generate scores that can be used to help assess your creditworthiness.
• Our data marketing services involve combining personal data with other information such as census statistics in order to make predictions about people’s lifestyles or preferences. When we do this, we are normally processing clients’ data on their behalf.

Aggregated profiling

We and our clients also use personal data to predict or infer information about the areas that people live in. This includes information such as the lifestyle, age or wealth of the typical residents of those areas. This information is used for the purposes described in section 2 above.

Decision-making

We generally do not use personal data or profiling to make automated decisions that have significant effects for you, but some of our clients may do so. For example, clients who receive credit scores from us may use those scores to help them decide whether or not to grant you credit.

9. WHAT ARE YOUR RIGHTS IN RELATION TO THE PERSONAL DATA THAT WE HOLD ABOUT YOU?

You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please email us at consumer@transunion.co.uk, telephone us on 0330 024 7574, or refer to the other contact details in section 1.

• Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it.
• Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
• Objection to direct marketing: You have the right to object to us using your personal data for direct marketing purposes. If you do this we will stop using it for those purposes.
• Objection to legitimate interests: If you disagree with us relying on the legitimate interests grounds for using your personal data (see section 4 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
• Withdrawal of consent: When we rely on your consent to use your data (see section 4 above), you have the right to withdraw that consent at any time.
• Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it. For example, if you object to us using your data for direct marketing purposes we will need to keep a record of that objection so that we do not subsequently begin direct marketing activities in relation to you if we receive your data again.
• Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
• Portability: In some circumstances you have the right to receive some limited kinds of information in a portable format.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

10. WHO CAN YOU COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA?

We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us using these details:

Post: Customer Relations Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: customer.relations@transunion.co.uk

Telephone: 0330 024 7574

You can also contact our Data Protection Officer at dpo@transunion.co.uk

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at www.ico.org.uk by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Credit Reference Agency Information Notice (CRAIN)

Version: 1.1 Adopted: 26 March 2020

---

IN BRIEF

We are credit reference agencies and we play a key role in the UK’s financial ecosystem. This document explains how we obtain, process and share personal data about consumers and businesses.

This section briefly summarises the key processing activities common to the credit reference agencies. For more detail, please refer to the rest of this document. In addition, we recommend reviewing each credit reference agency’s own information notices, which explain the specific processing activities of that credit reference agency. Links to these documents can be found in section 14.

• Credit reference agencies collect information about consumers and businesses from various sources and build databases that hold all of this data.
• The sources of that information include public records, such as court judgments (CCJs) and electoral register information, and financial information from lenders, utilities suppliers and telecoms businesses.
• Lenders and other organisations carry out searches against that information with one or more credit reference agencies.
• Organisations can carry out searches for several reasons. These include assessing creditworthiness and ability to afford financial products, checking the accuracy of other information, preventing and detecting crime (such as fraud or money laundering), checking identity, tracing individuals (for example to recover debts that they owe), calculating how much their insurance premiums should be, and assessing their suitability for a job or a tenancy.
• When an organisation carries out a search of someone’s information, we will record details of that search. This is known as a search footprint.
• Credit reference agencies also use consumer data for marketing-related purposes, such as helping organisations to better direct their marketing, including by screening individuals out of advertising for credit products so that those products are not offered to people who would not be eligible for them. They may also use the data to build insight to predict information or characteristics about the population, to help organisations identify who they want to market their products and services to.
• Credit reference agencies also use the data in their databases for other activities. These include analytics and profiling, such as helping lenders build scorecards to use in assessing credit applications.
• Because not every lender supplies data to every credit reference agency, your credit reference information held at each credit reference agency might be different.
• Credit reference agencies carry out several types of data processing to help achieve the aims described above. These include loading data, matching and linking data together as well as testing, developing and building our products and services.
• Consumers have certain rights that they can seek to exercise in relation to the personal data held by credit reference agencies. For example, they have rights to obtain a copy of the data, to ask the credit reference agency to correct it if it is inaccurate, and to object to the processing of the data.

Please note:

• This document describes how the credit reference agencies use and distribute the personal data described in section 4. This data is referred to as “credit reference data”.
• The credit reference agencies are independent businesses. Not all of the products and services described in this document are provided by all three of the credit reference agencies, or in the same way, and not all of the data is used by each of them.
• This document does not cover all personal data that the credit reference agencies use and distribute; for example, this document does not cover processing of personal data in relation to credit reference agency services you sign up to directly, such as services which allow you to view your own credit report and score. Section 2 and section 14 below provide links to where information can be found about each credit reference agency’s other products and services (including marketing services) and how they use and share other kinds of personal data.
• Consumers can obtain a copy of the information that each credit reference agency holds about them. Section 9 explains how this can be done.

CONTENTS

This document answers these questions:

1. 1. Who are the credit reference agencies and how can they be contacted?
2. 2. What do credit reference agencies use credit reference data for?
3. 3. What are the credit reference agencies’ legal grounds for handling credit reference data?
4. 4. What kinds of personal data do credit reference agencies use, and where do they get it from?
5. 5. Who do credit reference agencies share credit reference data with?
6. 6. Where is credit reference data stored and sent?
7. 7. For how long is credit reference data retained?
8. 8. Do the credit reference agencies make decisions about consumers or profile them?
9. 9. How can a consumer see what data the credit reference agencies hold about them? Do consumers have a ‘data portability’ right in connection with their credit reference data?
10. 10. What can a consumer do if their credit reference data is wrong?
11. 11. Can a consumer object to the use of their credit reference data and have it deleted?
12. 12. Can a consumer restrict what the credit reference agencies do with their credit reference data?
13. 13. Who can a consumer complain to if they are unhappy about the use of their credit reference data?
14. 14. Where can consumers find out more?

---

1. WHO ARE THE CREDIT REFERENCE AGENCIES AND HOW CAN THEY BE CONTACTED?

There are three main credit reference agencies in the UK.

Each is regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct business as a credit reference agency. The full names and contact details for each are set out below.

In this information notice, these three companies are referred to as Equifax, Experian and TransUnion respectively. Together they are referred to as credit reference agencies.

Controllers

Each credit reference agency is a controller of the credit reference data that it holds. This means that it has certain responsibilities under data protection law to make sure that the data is used fairly and lawfully.

Where a credit reference agency operates as part of a group of companies, it may share joint responsibility with the other members of that group when sharing data with them. You can contact the relevant credit reference agency using the details above if you want to enquire about any of those group companies or exercise any of your rights in respect of your personal data.

2. WHAT DO CREDIT REFERENCE AGENCIES USE CREDIT REFERENCE DATA FOR?

Credit reference agencies use credit reference data in products and services that they offer to their clients. The purposes for which those products and services are used are described below, but please note that different clients may use the products and services in different ways. Consumers should check the privacy policies of the organisations that they deal with for details about how they use any products and services provided by the credit reference agencies.

(a) Credit reporting and affordability checks

Each credit reference agency uses credit reference data to provide credit reporting services and affordability checks to its clients.

Credit reporting

Organisations use credit reporting services to see how people and businesses are managing payments in respect of their credit arrangements and how they have done so in the past. For example, if a person applies for a bank loan to buy a car, the bank may use credit reporting services to check whether that person has defaulted on any previous credit agreements. It will then use this information, together with information from other sources, to assess the risk of offering the loan.

Affordability checks

Organisations use affordability checks to help understand whether people or businesses applying for credit are likely to be able to afford the repayments. The information provided as part of the affordability checks may affect a person’s or business’s ability to obtain credit.

These activities help promote responsible lending, prevent people and businesses from getting into more debt than they can afford, and reduce the amount of unrecoverable debt and insolvencies.

(b) Checks to validate and verify data, and help prevent and detect fraud, money laundering and other criminal activity

The credit reference agencies use credit reference data to provide validation and verification services and other services to help prevent fraud, money laundering and other criminal activity.

Some examples of how credit reference agency clients use these services are as follows:

• When a person applies to an organisation for a product or service, the organisation might ask that person to answer questions about themselves, and then check the answers against the data held by the credit reference agencies to see if they match. For example, they may ask “What is your current address?” If the address provided does not exist on the credit reference agencies’ records (for example, because it is a fictitious address) or does not match the data held by the credit reference agencies (for example, there is no record of the person at the address provided), then this may be an indicator of a mistake or fraud.
• Where some products and services are only available to people of a certain age, organisations may check whether the person they are dealing with is eligible by looking at data held by the credit reference agencies. For example, if a person is signing up to join a gambling website which is only for people who are at least 18 years old, the organisation may check to see if the age provided by the person matches that held by the credit reference agencies.
• Government and quasi-government bodies may use credit reference agency services to check whether people are entitled to certain benefits and to help recover unpaid taxes, overpaid benefits and similar debts. For example, if a person is claiming single person discount for council tax, a local authority may check with the credit reference agencies to see if any other adults are living at the same address.
• The police may use data held by credit reference agencies to help in their investigations into criminal activity.

An indication of invalid or unverified information, fraud, money laundering or other criminal activity may affect the outcome of an application for (amongst other things) a product or service, a tenancy agreement or employment. If clients using the services identify potentially fraudulent activity they may also pass the applicant’s details to a fraud prevention agency such as Cifas and/or to the police.

(c) Customer management

Credit reference agencies use credit reference data to provide products and services for organisations to use for customer management purposes. Customer management is the ongoing maintenance of an organisation’s relationship with its customers. This could include activities designed to support:

• data accuracy: for example, to correct or update data held on the organisation’s records, such as correcting spelling mistakes or adding missing fields;
• ongoing relationship and account management activities: for example, to help organisations make decisions relating to credit limit adjustments, transaction authorisations, card reissue, inbound lending requests, and to identify and manage the accounts of customers including those at risk, in early stress, in arrears, or going through a debt collection process.

(d) Tracing and debt recovery

Credit reference agencies use credit reference data to provide products and services that allow organisations to trace people. This is typically needed where a person has moved address or changed their telephone number and has not provided their new contact details. The credit reference agencies help organisations locate customers they have lost contact with by providing them with updated addresses and other contact details.

The products and services are used to support organisations’ debt recovery and debtor tracing activity. For example, if a person owes money to an organisation and moves to a new house without telling the organisation where they have moved to, the organisation may use these services to help find that person to recover the money that is owed to them.

These products and services are also used to find people in order to let them know about assets that they may have forgotten about or not be aware of, such as old dormant savings accounts or pension funds, or to find people to let them know about assets of a deceased person which they have an interest in, such as administrators or beneficiaries of a deceased person’s estate.

Please also see section 2(h) below which describes how some of the credit reference agencies provide tracing services for marketing purposes.

(e) Tenant vetting

Credit reference agencies use credit reference data to provide products and services that allow landlords to verify some of the information provided by their prospective tenants, as well as confirming that they are who they say they are and that they are likely to be willing and able to pay their rent on time. Landlords can use this information to help decide whether to agree to the tenancy, or how much of a deposit they should ask for.

(f) Staff and job candidate vetting

Credit reference agencies use credit reference data to provide products and services that allow organisations to verify some of the information provided by their staff and job candidates and confirm that they are who they say they are. They also enable employers to assess whether the staff member or candidate has a history of managing their own financial commitments well, or whether they are financially compromised. This can be used to help them decide whether the person would be or will continue to be a suitable member of staff.

(g) Insurance risk assessments and pricing

Credit reference agencies use credit reference data to provide products and services for organisations to use to assess insurance risk. For example, an insurer may find that a person’s financial standing and history can be used to help predict how likely that person is to make a claim on an insurance policy, or how large that claim might be. This can help the insurer to decide (i) whether to provide insurance to a person, and (ii) how much the insurance premium should be, and (iii) whether to allow payment for insurance on a credit instalment basis.

(h) Marketing and marketing-related services

Overview

Each credit reference agency offers its clients marketing services. Some of these marketing services use credit reference data and some do not. For details about the marketing services offered and the personal data used by the credit reference agencies, please see the following links:

Experian: https://www.experian.co.uk/privacy/consumer-information-portal

Equifax: https://www.equifax.co.uk/ein.html

TransUnion: https://www.transunion.co.uk/legal/privacy-centre?#pc-marketing-services

As well as other rights, consumers have the right to object to the processing of their credit reference data for direct marketing purposes, including any profiling that is related to direct marketing. Section 11 sets out more details on how this right can be exercised.

If a credit reference agency provides marketing services, then they may use an individual’s title, name (including aliases), address, date of birth, gender and address links information (see section 4 for more detail), as well as limited information relating to their financial standing.

Screening out

Credit reference agencies use credit reference data to provide screening services to their clients. This means that they identify people who clients may wish to screen out of marketing lists. Screening is used to help ensure that individuals do not receive irrelevant or inappropriate marketing information.

For example, a client may want to screen out from its marketing list someone who is deceased, or who is under 18, or does not reside at the address they hold, or who may not be interested in a product or service or is unlikely to be accepted for it.

Other marketing-related activities

In addition, credit reference agencies may use credit reference data to offer some or all of the following marketing services:

• They may supply the open version of the electoral register (where people have not opted out from their electoral register data being used for marketing and other purposes) to organisations for marketing purposes. This can include identifying new potential customers, verifying that names, addresses and dates of birth collected from other sources are accurate and complete, and informing customers of any errors.
• They may identify when someone has moved away from an address so that marketing is not sent to them at that old address.
• They may help build insight using profiling techniques which will be used by organisations to help them identify people that they want to communicate with about particular products and services. This insight might predict, for example, age, marital status, household composition, length of residency at an address and gender. It can help give organisations insight into the likely characteristics of the UK population at an individual, household and postcode level. Credit reference data also helps credit reference agencies to validate the insight being created.
• In certain circumstances, insight might also be used to help clients predict the financial profile of a person so that they can personalise their interactions with them and make communications more relevant and suitable. For example, they could use the insight to select products or offers that they believe would be relevant to that person.
• Models and insight created by the credit reference agencies can be matched to clients’ own contact lists so that they can make better informed decisions about how they interact with individuals.
• They may confirm whether individuals are resident at the address that the credit reference agencies or their clients hold for them. This can be done by checking the credit reference data to see if there are any open credit accounts at an address and whether the accounts have recent activity, such as where a recent payment has been made. If they do, then it is likely that they have the correct address details. This will help ensure that an individual does not receive marketing for someone else and the credit reference agencies’ clients do not send marketing to the wrong address.
• They may trace individuals to a new address so that their marketing preferences (both opt-ins and opt-outs) collected at a previous address can continue to apply at their new address and so that marketing is not sent to them at their old address.
• The credit reference agencies may also use credit reference data to help keep their own marketing suppression lists (or those of their group companies) accurate and up to date. For example, if you have previously asked to be excluded from marketing activity and your credit reference data indicates that you have since moved or changed your name, that information can be used to make sure that you continue to be excluded from marketing activity at your new address or under your new name.

(i) Profiling, statistical analysis and anonymisation

Credit reference agencies use, and allow their clients to use, credit reference data to carry out profiling of consumers through statistical analysis. This includes the creation, validation and use of scorecards, models, and attributes in connection with the assessment of risks relating to credit, fraud, affordability and debt collection. It is also used in verifying identities, to monitor and predict market trends and to enable clients to refine lending and fraud strategies, and loss forecasting.

These practices profile consumers to help determine the likelihood that a consumer with certain characteristics will act in a way that will produce certain outcomes; for example, to repay credit, to be able to afford credit, to claim on an insurance policy, to commit fraud, to respond to certain collection strategies or to become insolvent.

The credit reference agencies may also convert personal data into statistical or aggregated form so that individuals are not identified or identifiable (thereby creating anonymized data). Anonymized data is not personal data and the credit reference agencies may use such data to conduct research and analysis, including to produce statistical research and reports or for any other purposes.

(j) Data management activities

Credit reference agencies use credit reference data to carry out certain processing activities to support their own business operations. This includes supporting the effectiveness, efficiency and security of their databases, products and services, both in the context of their credit reference activities and more widely. For example:

• Data loading: credit reference data is checked for integrity, validity, consistency, quality and age to help make sure it is accurate. These checks pick up issues such as irregular dates of birth, names, addresses, account start and default dates, and gaps in status history.
• Data matching: credit reference data is matched to the credit reference agencies’ existing databases to help make sure it is assigned to the right person, even when there are discrepancies like spelling mistakes or previous names or different versions of a person’s name. Credit reference agencies use credit reference data to create and confirm identities, which they use to underpin the services that they provide.
• Data linking: when credit reference agencies compile data into their databases, they create links between different pieces of data. For example, people who appear financially associated with each other may be linked together and a person can be linked with their previous and current addresses. Also, where someone has an alias, such as a maiden name and married name, these names will be linked.
• System maintenance and testing: credit reference data may be used when carrying out system maintenance, repair and testing, and security activity.

Each credit reference agency has its own processes and standards for data management activity.

(k) New development and testing

The credit reference agencies use credit reference data to help develop new products, services and technologies and to test them. Typically, credit reference agencies will anonymise credit reference data before it is used for these purposes.

(l) Compliance with laws

The credit reference agencies use and disclose credit reference data where required by law. For example, this can happen in response to a court order or a request from a regulator, or in order to comply with a request from a person (or by a third party acting on their behalf), to exercise their legal rights in respect of the credit reference data, such as by requesting a copy of it.

3. WHAT ARE THE CREDIT REFERENCE AGENCIES’ LEGAL GROUNDS FOR HANDLING CREDIT REFERENCE DATA?

Data protection law requires the credit reference agencies to always have what is referred to as a “lawful basis” (i.e. a reason or justification) for processing personal data. There are a number of lawful bases available, but the majority of credit reference agencies’ activity is on the basis that:

• the processing is necessary to pursue the legitimate interests of the credit reference agencies and third parties (such as their clients), and those interests do not unduly prejudice the rights and freedoms of individuals; or
• the processing is necessary to comply with a legal obligation binding on the credit reference agencies.

For information about any other lawful basis relied on by each credit reference agency, please review their individual information notices (see section 14).

Legitimate interests

The credit reference agencies use credit reference data to pursue their legitimate interests, those of their clients and those of individuals. The following table explains these legitimate interests. The credit reference agencies have carried out assessments and have concluded that these interests are not overridden by the interests or fundamental rights and freedoms of individuals.

The credit reference agencies’ use of credit reference data is subject to an extensive framework of safeguards that balance the legitimate interests set out above with the fundamental rights and freedoms of the people whose data the credit reference agencies use and share. The framework includes information given to people about how their personal data will be used and how they can exercise their rights to obtain their personal data, have it corrected, erased or restricted, object to it being processed, and complain if they are dissatisfied. It also includes extensive due diligence checks on clients, robust contractual arrangements and internal data management processes that the credit reference agencies have in place. These safeguards help sustain a fair and appropriate balance and to protect the rights and freedoms of individuals.

Legal obligations

In some circumstances the credit reference agencies are required by law to use or share personal data in particular ways. This happens, for example, when a court, law enforcement agency or regulator makes a legally binding request or order for disclosure of personal data. It also happens when individual consumers exercise their rights, for example by requesting a copy of their own personal data from a credit reference agency.

4. WHAT KINDS OF PERSONAL DATA DO CREDIT REFERENCE AGENCIES USE, AND WHERE DO THEY GET IT FROM?

Each credit reference agency obtains and uses personal data from different sources, so they often hold information that is different to some degree from that held by the others. However, most of the personal data they hold falls into the categories outlined below from the sources described.

5. WHO DO CREDIT REFERENCE AGENCIES SHARE CREDIT REFERENCE DATA WITH?

This section describes the types of organisation credit reference agencies share data with. Before sharing data with any third party each credit reference agency will, where appropriate, complete its own due diligence checks to ensure that the organisation is a real business and has applicable regulatory authorisations in place.

Clients

Credit reference agencies supply their products and services to clients in various sectors, such as banks, building societies, other credit providers, utility companies, mobile phone companies, insurance companies, credit report providers, retailers, gaming organisations, tenant and employee vetting firms, professional services organisations (such as firms of solicitors and accountants), estate agents, landlords, marketing companies, charities and public bodies such as the police, central and local government and regulators.

Certain organisations that share financial data with the credit reference agencies are members of closed user groups which entitle them to receive similar kinds of financial data contributed by other organisations in the group. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utilities companies and mobile phone networks.

Resellers, distributors and agents

Credit reference agencies sometimes use other organisations to help provide their products and services to clients. To do this, they may provide credit reference data to them so that they can provide the services.

Service providers

The credit reference agencies may use other external organisations and other members of their own groups of companies to perform tasks on their behalf (for example, IT service providers, call centre providers and security service providers). To do this, they may provide or make available credit reference data to them so that they can perform the tasks.

Fraud prevention agencies

Each credit reference agency is a member of Cifas, a not-for-profit fraud prevention service. Where a credit reference agency believes that you may have been a victim of fraud, it may share that information with Cifas so that other Cifas members can access it. This enables them to perform additional checks when (for example) a credit application is made in your name. Please refer to the Cifas privacy notice at https://www.cifas.org.uk/fpn for more details.

Regulators

Regulators can sometimes require credit reference agencies to supply them with personal data. This can be for a range of purposes such investigating complaints or assessing how well a particular industry sector is working.

Individuals

People are entitled to obtain copies of the personal data the credit reference agencies hold about them. Details on how to do this are set out in section 9 below.

6. WHERE IS CREDIT REFERENCE DATA STORED AND SENT?

The three credit reference agencies are all based in the UK and keep their main databases there. They may also have operations and service providers elsewhere inside and outside the UK and the European Economic Area, and credit reference data may be accessed from those locations too. Regardless of where the credit reference data is processed, the credit reference agencies ensure that it is always, protected by applicable UK and European data protection standards.

While the UK and countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when a credit reference agency sends credit reference data overseas it makes sure suitable safeguards are in place in accordance with applicable UK and European data protection requirements, to protect the data. For example, these safeguards might include:

• Sending the data to a country that has been approved by the European authorities as having a suitably high standard of data protection law. Examples include the Isle of Man, Switzerland and Canada.
• Putting in place a contract with the receiving organisation containing terms approved by the European authorities as providing a suitable level of protection.
• Sending the data to an organisation which is a member of a scheme that has been approved by the European authorities as providing a suitable level of protection. One example is the Privacy Shield scheme agreed between the European and US authorities.

More information about the safeguards used by each credit reference agency can be obtained by contacting them at the contact details in Section 1 above.

7. FOR HOW LONG IS CREDIT REFERENCE DATA RETAINED?

Each credit reference agency may retain credit reference data for different periods of time. Information about each credit reference agency’s retention periods can be found at the following locations:

• https://www.equifax.co.uk/crain/retention
• https://www.experian.co.uk/legal/crain/data-retention
• https://www.transunion.co.uk/legal/crain-retention

These periods are subject to regular review and may change from time to time.

8. DO THE CREDIT REFERENCE AGENCIES MAKE DECISIONS ABOUT CONSUMERS OR PROFILE THEM?

Decisions about consumers

Credit reference agencies generally do not make decisions about consumers or tell organisations what decisions to make about consumers – this is for each organisation to decide. For example, credit reference agencies do not tell lenders whether to offer credit to consumers; they just provide services that help those lenders make decisions about consumers. An organisation’s own data, knowledge, processes and practices will also play a significant role in those decisions.

Credit reference agencies may provide similar services to their respective clients, but these services may lead to different decisions because (i) each credit reference agency may hold different information from the others, (ii) each client may place differing importance on some information compared to others, and (iii) each client may take into account information available to it from other sources. These are some of the reasons why a person may receive a “yes” from one lender but a “no” from another.

Scores and ratings

When requested, credit reference agencies use the data they obtain to produce credit, risk, fraud, identity, affordability, screening, collection and insolvency scores and ratings; these are explained in section 4 above.

9. HOW CAN A CONSUMER SEE WHAT DATA THE CREDIT REFERENCE AGENCIES HOLD ABOUT THEM? DO CONSUMERS HAVE A ‘DATA PORTABILITY’ RIGHT IN CONNECTION WITH THEIR CREDIT REFERENCE DATA?

Data access right

Consumers have the right to find out what personal data the credit reference agencies hold about them. Each credit reference agency provides more information about access rights on their websites.

Data portability right

Data protection legislation also contains a right to data portability. Where it applies, the right to data portability gives consumers a right to receive their personal data in a standard format. However, this right only applies when personal data is processed on certain grounds, such as consent. This right does not apply to credit reference data because it is processed on the grounds of “legitimate interests”. To find out more about legitimate interests please go to section 3 above.

10. WHAT CAN A CONSUMER DO IF THEIR CREDIT REFERENCE DATA IS WRONG?

When the credit reference agencies receive personal data, they perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, the credit reference agencies rely on the suppliers to provide accurate data.

If a consumer thinks that any personal data a credit reference agency holds about them is wrong or incomplete, the consumer has the right to challenge it. The credit reference agency will need to take reasonable steps to check the data, such as asking the organisation that supplied it to check and confirm its accuracy.

If the data turns out to be wrong, the credit reference agency will update its records accordingly. If the credit reference agency still believes that the data is correct after completing their checks, they will continue to hold and use it. Where the data is part of the consumer’s credit report, they can ask the credit reference agency to add a supplementary statement of up to 200 words explaining their views about the information. This statement will be supplied to organisations who subsequently access the information that the consumer has disputed.

To do this, consumers should contact the relevant credit reference agency using the contact details in section 1 above.

11. CAN A CONSUMER OBJECT TO THE USE OF THEIR CREDIT REFERENCE DATA AND HAVE IT DELETED?

This section helps consumers understand how to exercise their data protection rights to object to credit reference data being used by the credit reference agencies and how to ask for it to be deleted. To understand these rights and how they apply to the processing of credit reference data, it is important to know that the credit reference agencies hold and process personal information in credit reference data under the “legitimate interests” basis for processing (see section 3 above for more information about this), and do not rely on consent.

Consumers have the right to object to the processing of credit reference data by a credit reference agency. This can be done by contacting the relevant credit reference agency using the contact details in section 1 above.

Although consumers have complete freedom to contact a credit reference agency with objections at any time, under data protection law, a consumer’s right to object does not automatically lead to a requirement for processing to stop, or for personal data to be deleted.

Because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes for which the credit reference data is needed (such as supporting responsible lending, and preventing over-indebtedness, fraud and money laundering) it will be rare that the credit reference agencies do not have compelling, overriding grounds to carry on using the personal data following an objection. In many cases, it will not be appropriate for the credit reference agencies to restrict or to stop processing or delete credit reference data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise would not be eligible for.

However, as an exception from the general rule described above, all consumers have an absolute right to object to their personal data being used for direct marketing purposes. If you object to a credit reference agency using your personal data for those purposes, you can get them to stop by contacting them using the details in section 1.

12. CAN A CONSUMER RESTRICT WHAT THE CREDIT REFERENCE AGENCIES DO WITH THEIR CREDIT REFERENCE DATA?

In some circumstances, consumers can ask credit reference agencies to restrict how they use their credit reference data. Contact details for each credit reference agency are in section 1 above.

This is not an absolute right and processing will only be restricted if certain conditions are met (for example, if the processing is unlawful or the personal data is no longer required by the credit reference agencies for the purposes for which it was obtained).

Even where a restriction condition is met, a consumer’s personal data may still be processed (and shared) by the credit reference agencies where certain grounds exist. These are:

• with the consumer’s consent
• for the establishment, exercise, or defence of legal claims
• for the protection of the rights of another natural or legal person
• for reasons of important public interest

The credit reference agencies will consider and respond to requests they receive, and will assess whether any of the restriction conditions apply and, if they do, whether there are any grounds that permit the continued processing of the personal data.

Given the importance of complete and accurate credit reference data, for purposes including for example for responsible lending and preventing over-indebtedness, fraud and money laundering, it will usually be appropriate for the credit reference agencies to continue processing credit reference data on the basis of protecting the rights of another natural or legal person or for reasons of important public interest.

13. WHO CAN A CONSUMER COMPLAIN TO IF THEY ARE UNHAPPY ABOUT THE USE OF THEIR CREDIT REFERENCE DATA?

The credit reference agency

Each credit reference agency tries to ensure that it delivers the best outcomes for its clients and for consumers. If a consumer wants to make a complaint to a credit reference agency they can do so by contacting it at the following addresses.

Each credit reference agency also has a data protection officer who can be contacted about matters relating to the protection of personal data at the relevant credit reference agency. The contact details for each credit reference agency’s data protection officer are:

• Equifax: UKDPO@equifax.com
• Experian: uk.dpo@experian.com
• TransUnion: dpo@transunion.co.uk

The Information Commissioner’s Office

If a consumer is not satisfied with how a credit reference agency has investigated a complaint, the consumer can refer their concerns to the Information Commissioner’s Office which is the body that regulates the handling of personal data in the UK. The contact details are:

• Phone: 0303 123 1113
• Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF
• Website: www.ico.org.uk

The Financial Ombudsman Service

Where the complaint relates to an activity which is regulated by the Financial Conduct Authority (such as credit reporting and affordability checks), consumers also have the right to refer the matter to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like credit reference agencies. The contact details are:

• Phone: 0300 123 9 123 (or, from outside the UK, +44 20 7964 1000)
• Email: complaint.info@financial-ombudsman.org.uk
• Post: Financial Ombudsman Service, Exchange Tower London E14 9SR
• Website: https://www.financial-ombudsman.org.uk

14. WHERE CAN CONSUMERS FIND OUT MORE?

• Equifax: https://www.equifax.co.uk/ein.html
• Experian: https://www.experian.co.uk
• TransUnion: https://www.transunion.co.uk/privacy

The Information Commissioner’s Office also publishes advice and information for consumers in its Credit Explained leaflet, available at https://ico.org.uk/media/for-thepublic/documents/1282/credit-explained-dp-guidance.pdf.

TransUnion Bureau Privacy Notice

Version: 1.7
Date adopted: 4th August 2021

This privacy notice explains how we use and share personal data in connection with our credit risk and affordability assessments, anti-fraud and anti-money laundering checks, verification, debt tracing services and some of our related services. It also describes your data protection rights, including a right to object to some of the processing which TransUnion carries out. More information about your rights, and how to exercise them, is set out in section 9 below.

You have the right to object to our use of your personal data. Please see section 9 to find out more.

1. Who are we and how can you contact us?

2. What do we use personal data for?

3. What kinds of personal data do we use, and where do we get it from?

4. How long is the personal data kept for?

5. What is our legal basis for handling personal data?

6. Who do we share the personal data with?

7. Where is the personal data stored and sent?

8. Is the personal data used to make decisions about you or to profile you?

9. What are your rights?

10. Who can you complain to if you are unhappy about the use of your personal data?

1. WHO ARE WE AND HOW CAN YOU CONTACT US?

About us

We are TransUnion International UK Limited, which is a company registered in England and Wales with company number 03961870. Our trading address and registered office is at One Park Lane, Leeds, West Yorkshire LS3 1EP.

We are part of TransUnion Information Group (TU UK), which has its headquarters at the above address. Some of the members of TU UK are listed in section 6 below. TU UK forms part of a larger group of companies but this privacy notice only covers the activities of TU UK.

We are a controller of the personal data covered by this privacy notice. This means that we are responsible for ensuring that the personal data is used fairly and lawfully.

Joint controllers

We sometimes act jointly with one or more of the other TU UK companies when making decisions about your personal data. In particular, we make joint decisions when we and another TU UK company are sharing personal data with each other.

Our members of staff work across TU UK group companies so, where our group companies make decisions jointly, those members of staff will ensure that each company involved complies with data protection rules. You can contact our Consumer Services Team if you want to enquire about any of our group companies or exercise any of your rights in respect of your personal data.

Contact details

You can contact us about issues relating to personal data, including the contents of this notice, by any of the following methods:

Post: Customer Services Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: consumer@transunion.co.uk

Telephone: 0330 024 7574

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

2. WHAT DO WE USE PERSONAL DATA FOR?

This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we might use for these purposes can be found in section 3 below.

Providing services to the organisation you may be dealing with

We use your personal data to provide services to the organisation you may be dealing with. These services might include, for example, credit risk assessment, affordability assessment, anti-fraud and anti-money laundering checks, verification services, and tracing for debt collection purposes. We may also use your personal data to provide such services in relation to you in a specific role: for example, where you are acting as guarantor in relation to a personal loan to another individual, or as a director or business owner where the relevant business is applying for a commercial loan.

We may also process your personal data after services have been provided to our clients if, for example, we need to investigate any issues around the data that has been sent to us, stored by us or if we need to restore our systems in the event of a data loss incident.

More information about how we (and other credit reference agencies) use personal data in these kinds of service can be found in the Credit Reference Agency Information Notice.

Providing services to our other clients

We use personal data to provide services to organisations other than the one you are directly dealing with.

More information about how we (and other credit reference agencies) use personal data in these kinds of service can be found in the Credit Reference Agency Information Notice.

Product or systems development and testing

We sometimes use personal data while improving, developing, monitoring, maintaining and testing our products and systems. This includes making sure that our security measures are working properly. Where possible, we will anonymise, pseudonymise or aggregate the data before doing this.

Consumer queries; legal and regulatory purposes

We may use your personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from you or a regulator about how we have used your personal data.

3. WHAT KINDS OF PERSONAL DATA DO WE USE, AND WHERE DO WE GET IT FROM?

When a client uses our services, they will typically send us information such as:

• Identifiers (including your name, date of birth, and current and previous addresses). This helps us to match your information to the other information we hold in our databases.
• Other information specific to you, for example your telephone number, email address, internet protocol (IP) address, bank account or credit card number.
• Information collected from you with your consent, such as your device details or location details.
• The purpose for which they are requesting information about you.
• Other relevant details such as the nature of your credit application.

When we receive that information, we match it against the other information that we hold in order to find and return additional information about you. Depending on the service we are providing, this can include information such as your credit history, credit score, any court judgments or insolvency-related events, fraud indicators, and additional contact details or address history. It can also include similar kinds of information about people who are financially associated with you.

More information about the kinds of personal data we hold, and where we get it from, can be found in the Credit Reference Agency Information Notice.

4. HOW LONG IS THE PERSONAL DATA KEPT FOR?

When we receive personal data from a client in order to provide services to them, we will keep a copy of that data for up to fifteen months in order to investigate any data supply or data load issues, restore our systems in the event of a data loss incident, and in order to investigate and respond to any complaints, claims and enquiries that we may receive from consumers, clients or regulators.

We may keep data that has been provided to us for identify verification purposes for up to six years and three months in order to help stop fraudsters – see examples under “Fraud Alerts” in section 2 above.

Information about how long we keep data in our capacity as a credit reference agency is available in the Credit Reference Agency Information Notice.

5. WHAT IS OUR LEGAL BASIS FOR HANDLING PERSONAL DATA?

This section explains the basis on which we process your personal data.

Legitimate interests

The UK’s data protection law allows the use of your personal data where necessary for legitimate purposes provided that this is not outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.

The legitimate interests we are typically pursuing when providing services to our clients are:

Our use of personal data is subject to an extensive framework of safeguards that help make sure that your rights are protected. These include the information you are given about how your personal data will be used and how you can exercise your rights to obtain your personal data, have it corrected or restricted, object to it being processed, and complain if you are dissatisfied. These safeguards help sustain a fair and appropriate balance so that our activities do not compromise your interests, fundamental rights and freedoms.

Necessity for compliance with a legal obligation

We sometimes need to use your personal data in order to comply with a legal obligation that we are under. For example, if you submit a request to us for a copy of your personal data, either directly or through a third party that you have authorised to act on your behalf, we will normally be legally required to provide that personal data. See section 9 below for details of what requests you can make and how to make them.

6. WHO DO WE SHARE THE PERSONAL DATA WITH?

Our clients and resale partners

We share personal data with our clients for the purposes described in section 2 above. Our clients will each have their own privacy notices which will provide more information about how they (specifically) use the data we supply.

Our clients typically operate in the following sectors:

• financial services (including banks, loans, credit cards, mortgages, pensions, debt collection agencies and investments and savings providers)
• insurance
• gaming / gambling
• retail (including car sales / leasing and online retailers)
• telecoms and utilities
• marketing agencies acting for other organisations

In some cases our clients may appoint an intermediary to act on their behalf; these intermediaries will often receive the data too. We also appoint data resale partners who will distribute data to their clients in a similar manner to the ways we do.

Our group companies

We may share your personal data among the members of TU UK. If we do so, then use of the data by those companies will be governed by this privacy notice. A list of relevant TU UK companies is set out below, although the list may be updated from time to time.

Service providers

We may provide your information to third parties who help us use it for the purposes described in section 2. For example, our databases of personal data may be hosted by third parties on our behalf. More detail is provided below in respect of our key service providers.

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations, unless you agree otherwise.

You and your financial associates

You are entitled to obtain copies of the personal data that we hold about you. You can find out how to do this in section 9 below.

Similarly, your financial associates are also entitled to obtain copies of the personal data that we hold about them.

Other credit reference agency data sharing activities

For a broader description of how we share data in our capacity as a credit reference agency, please refer to the Credit Reference Agency Information Notice.

Business transfers

If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.

Regulators and law enforcement

Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required for the legal protection of our legitimate interests in compliance with applicable laws. For example, we may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.

Sharing of anonymised data with third parties

We may share anonymised information with other third parties, but only where the information cannot realistically be identified as relating to you.

7. WHERE IS THE PERSONAL DATA STORED AND SENT?

Within Europe

We are based in the United Kingdom, and will access and use your information from here. However, we also have operations elsewhere in Europe – currently Lithuania and Spain – and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.

We may also send personal data to some of our service providers who have operations within the European Union.

Elsewhere

We also send information elsewhere in the world. For example:

• When one of our overseas group companies or branch offices based overseas needs to use the information in accordance with this notice.
• Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.
• Where our service providers have operations outside the European Union (see the table at section 6 above).

While the UK and countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

• Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
• Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection.

If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.

8. IS THE PERSONAL DATA USED TO MAKE AUTOMATED DECISIONS ABOUT YOU OR TO PROFILE YOU?

Decisions

In almost all cases, we do not use your personal data to make automated decisions about you or to profile you.

We provide data and analytics that help our clients make decisions about lending and other matters (such as preventing fraud or protecting consumers), but our clients’ own data, knowledge, processes and practices will also generally play a significant role in their decisions – and those decisions will always be for them to make.

For example, when we sell our services to credit or loan providers, we do not decide whether or not you should be granted credit or a loan – this is for the lender to decide. Similarly, where we provide information to gambling companies, we do this to help them protect vulnerable consumers or those at risk of becoming overindebted. However, they will ultimately decide how to act upon that information, taking into account their legal and regulatory obligations.

Where our resale partners ask us for a copy of your credit information, we need to verify your identity in order to ensure that your credit information is not given out to fraudsters. This is an automated process and it could result in you being declined access to the services provided by that resale partner, if we cannot verify your identity.

Scores and ratings

We use the data we hold to produce credit, risk, fraud, identity, affordability, screening, collection and insolvency scores and credit ratings.

9. WHAT ARE YOUR RIGHTS?

You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please email us at consumer@transunion.co.uk, telephone us on 0330 024 7574, or refer to the other contact details in section 1.

If you are looking for information about your rights in relation to the personal data we hold in our capacity as a credit reference agency, please refer to the Credit Reference Agency Information Notice.

• Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it. (If you want to see your credit report online, please visit https://www.transunion.co.uk/consumer-solutions/your-credit-report.)
• Withdrawal of consent: When we rely on your consent to use your data, you have the right to withdraw that consent at any time. However, we do not rely on consent for the activities described in this privacy notice.
• Objection to direct marketing: You have the right to object to us using your personal data for direct marketing purposes, including any profiling or similar activities which are performed as a precursor to direct marketing. The activities described in this privacy notice do not include the use of personal data for direct marketing purposes but you have the right to object to us doing so in the future.
• Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
• Objection to processing based on legitimate interests: Where we rely on the legitimate interests legal basis for using your personal data (see section 5 above), you can object to that use of the data. We will then review and decide the extent to which we can continue to use the data in light of your particular circumstances.
• Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it.
• Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
• Portability: In some circumstances you have the right to receive some limited kinds of information in a portable format. However, this typically does not apply to the data to which this privacy notice applies.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

10. WHO CAN YOU COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA?

We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us using these details:

Post: Customer Relations Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: customer.relations@transunion.co.uk

Telephone: 0330 024 7574

You can also contact our Data Protection Officer at dpo@transunion.co.uk.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at www.ico.org.uk, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Marketing Services Privacy Notice

Version: 1.5
Last updated: 16 October 2020

This privacy notice provides information about how we use and share personal data relating to consumers for our clients’ marketing purposes. It also describes your data protection rights, including a right to object to some of the processing which TransUnion carries out. More information about your rights, and how to exercise them, is set out in section 9 below.

You have the right to object to our use of your personal data. Please see section 9 to find out more.

This privacy notice covers the following topics:

1. 1. Who are we and how can you contact us?
2. 2. What do we use personal data for?
3. 3. What kinds of personal data do we use, and where do we get it from?
4. 4. How long is the personal data kept for?
5. 5. What is our legal basis for handling personal data?
6. 6. Who do we share the personal data with?
7. 7. Where is the personal data stored and sent?
8. 8. Is the personal data used to make decisions about you or to profile you?
9. 9. What are your rights?
10. 10. Who can you complain to if you are unhappy about the use of your personal data?
    
    

1. WHO ARE WE AND HOW CAN YOU CONTACT US?

About us

We are Callcredit Marketing Limited, which is a company registered in England and Wales with company number 02733070. Our trading address and registered office is at One Park Lane, Leeds, West Yorkshire LS3 1EP.

We are part of TransUnion Information Group (TU UK), which has its headquarters at the above address. Some of the members of TU UK are listed in section 5 below. TU UK forms part of a larger group of companies but this privacy notice only covers the activities of TU UK.

Except where we state otherwise, we are a controller of the personal data covered by this privacy notice. This means that we are responsible for ensuring that the personal data is used fairly and lawfully.

Joint controllers

We sometimes act jointly with one or more of the other TU UK companies when making decisions about your personal data. In particular, we make joint decisions when we and another TU UK company are sharing personal data with each other. Section 3 explains when this applies in more detail.

Our members of staff work across TU UK group companies so, where our group companies make decisions jointly, those members of staff will ensure that each company involved complies with data protection rules. Please contact our Consumer Services Team if you want to understand more about the allocation of data protection obligations between our group companies or if you want to exercise your data protection rights.

Contact details

You can contact us about issues relating to personal data, including the contents of this notice, by any of the following methods:

Post: Consumer Services Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: consumer@transunion.co.uk

Telephone: 0330 024 7574

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

2. WHAT DO WE USE PERSONAL DATA FOR?

This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we use for these purposes can be found in section 3 below.

Direct marketing

The open register (sometimes referred to as the edited electoral roll) is a version of the electoral register containing names and addresses of individuals who have not opted out of having their information used for marketing and other purposes.

We provide names and addresses from the open register to our clients in order for them to send marketing messages by post.

More information about the open register (and how to opt out of it) is available on the UK Government website.

Suppressions and forwarding addresses

We and our clients can use personal data to help remove you from certain marketing campaigns. This helps to avoid unnecessary marketing activity and means that you are less likely to receive marketing which you do not wish to receive or which is not intended for you. For example, you can be removed from a marketing campaign where:

• have signed up to the Royal Mail redirection service
• you have registered with the Mailing Preference Service (MPS)

We also remove details of deceased individuals to help avoid causing distress to their family.

If you have subscribed to the Royal Mail redirection service, then we and our clients can also use this personal data to update marketing mailing lists with your new address.

Product or systems development and testing

We sometimes use personal data while improving, developing, monitoring, maintaining and testing our products and systems. This includes making sure that our security measures are working properly. Where possible, we will anonymise, pseudonymise or aggregate the data before doing this.

Consumer queries; legal and regulatory purposes

If you contact us we will normally need to use your personal data to help us deal with your enquiry. We may also sometimes need to use your personal data for legal and regulatory purposes.

Acting as processors on our clients’ behalf

Some clients provide us with their own data about individuals (which will have been collected under the client’s separate privacy notices), and ask us to enhance it with further information. When this happens, we can provide the client with information about the properties or areas in which the relevant individuals live.

In doing this, we are acting as the client’s data processor; this means that the client remains responsible for ensuring that the personal data is used fairly and lawfully. You will need to refer to the privacy notices of the individual client for more detailed information about what data the client collects, what they use it for, and how to exercise your rights.

3. WHAT KINDS OF PERSONAL DATA DO WE USE AND WHERE DO WE GET IT FROM?

We obtain and use information from various different sources. These are summarised in the following table.

4. HOW LONG IS THE PERSONAL DATA KEPT FOR?

In some cases we may need to keep information indefinitely. For example, if you object to us using your data for marketing purposes (see section 9) we will need to keep some limited information about you such as your name, address and date of birth so that we can remove or suppress your record from any data that we may receive in the future.

5. WHAT IS OUR LEGAL BASIS FOR HANDLING PERSONAL DATA?

This section explains the legal basis on which we process your personal data.

Legitimate interests

The UK’s data protection law allows the use of your personal data where necessary for legitimate purposes provided that this isn’t outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.

The legitimate interests we are pursuing are:

6. WHO DO WE SHARE THE PERSONAL DATA WITH?

Our clients and resale partners

We share personal data with our clients for the purposes described in section 2 above. Our clients will each have their own privacy notices which will provide more information about how they (specifically) use the data we supply.

Our clients typically operate in the following sectors:

• financial services (including banks, loans, credit cards, mortgages, pensions, and investments and savings providers)
• insurance
• gaming / gambling
• retail (including online retailers)
• telecoms and utilities
• marketing agencies acting for other organisations

In some cases our clients may appoint an intermediary to act on their behalf; these intermediaries will often receive the data too.

We also appoint data resale partners who will distribute open register data to their clients in a similar manner to the ways we do. Our current resale partner is The REaD Group Limited. Please see their privacy notice for more detail about their activities.

We do not provide data for use in relation to road traffic accident or personal injury claims, medical or clinical negligence claims, PPI compensation claims, pornography or political campaigning.

Our group companies

We may share your personal data among the members of TU UK. If we do so, then use of the data by those companies will be governed by this privacy notice. A list of relevant TU UK companies is set out below, although the list may be updated from time to time.

Service providers

We and our clients may provide your information to third parties who help us use it for the purposes described in section 2. For example, we might decide to use a third party data hosting company, or a data processing company to perform some of the data processing on our behalf.

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations, unless you agree otherwise.

Business transfers

If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.

Regulators and law enforcement

Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required for the legal protection of our legitimate interests in compliance with applicable laws. For example, we may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.

Sharing of anonymised data with third parties

We may share anonymised information with other third parties, but only where the information cannot realistically be identified as relating to you.

7. WHERE IS THE PERSONAL DATA STORED AND SENT?

Within the UK and the EU

We are based in the United Kingdom and will access and use your information from here. However, we also have operations in Lithuania, and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.

Elsewhere

We also send information elsewhere in the world. For example:

• When one of our overseas group companies or branch offices based overseas needs to use the information in accordance with this notice.
• Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.

While countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

• Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
• Sending the information to an organisation which is a member of a scheme that has been approved by the authorities as providing a suitable level of protection.

If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.

8. IS THE PERSONAL DATA USED TO MAKE AUTOMATED DECISIONS ABOUT YOU OR TO PROFILE YOU?

We do not use any personal data to make automated decisions or to profile you when we are acting as a controller.

We do perform profiling when acting as a client’s processor. For example, we may take a client’s marketing list and add information about your property or neighbourhood, which the client may use to help predict your likely preferences and lifestyle in order to aid their marketing decisions. This may result in you receiving more relevant marketing from our clients who already hold your contact details. If you do not want to receive this marketing, you should contact the sender of the marketing in order to object.

9. WHAT ARE YOUR RIGHTS?

You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please email us at consumer@transunion.co.uk, telephone us on 0330 024 7574, or refer to the other contact details in section 1.

• Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it.
• Objection to direct marketing: You have the right to object to us using your personal data for direct marketing purposes, including any profiling or similar activities which are performed as a precursor to direct marketing. If you do this we will stop using it for those purposes.

In addition:

• Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
• Objection to legitimate interests: If you disagree with us relying on the legitimate interests grounds for using your personal data (see section 5 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
• Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it. For example, if you object to us using your data for direct marketing purposes we will need to keep a record of that objection so that we do not subsequently begin direct marketing activities in relation to you if we receive your data again.
• Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
• Portability: In some circumstances you have the right to receive some limited kinds of information in a portable format. However, this does not apply to the data to which this privacy notice applies.
• Withdrawal of consent: We do not rely on your consent in order to perform the activities described in this privacy notice, so this right does not apply.

Please note that these rights apply only where we are acting as a controller of your personal data. When we are processing your data on behalf of a particular client, you will normally need to contact the client in order to exercise your rights.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

10. WHO CAN YOU COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA?

We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us using these details:

Post: Customer Relations Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: customer.relations@transunion.co.uk

Telephone: 0330 024 7574

You can also contact our Data Protection Officer at dpo@transunion.co.uk.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at www.ico.org.uk, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Business Product & Technical Support Privacy Notice

Version: 1.4
Date adopted: 10th February 2021

This privacy notice provides information about how we use and share personal data relating to users of our business products and our technical support facilities. It also describes your data protection rights, including a right to object to some of the processing which TransUnion carries out. More information about your rights, and how to exercise them, is set out in section 9 below.

You have the right to object to our use of your personal data. Please see section 9 to find out more.

This privacy notice covers the following topics:

1. Who are we and how can you contact us?

2. What do we use personal data for?

3. What kinds of personal data do we use, and where do we get it from?

4. How long is the personal data kept for?

5. What is our legal basis for handling personal data?

6. Who do we share the personal data with?

7. Where is the personal data stored and sent?

8. Is the personal data used to make decisions about you or to profile you?

9. What are your rights?

10. Who can you complain to if you are unhappy about the use of your personal data?

11. What cookies are used on our websites that offer business product and technical support facilities?

1. WHO ARE WE AND HOW CAN YOU CONTACT US?

About Us

We are TransUnion Information Group (TU UK), which is a group of companies with headquarters at One Park Lane, Leeds, West Yorkshire LS3 1EP. The members of TU UK are listed in section 6 below.

TU UK forms part of a larger group of companies. However, this privacy notice only covers the activities of TU UK.

One or more TU UK companies act as the controller of your personal data for the purposes of this privacy notice, depending on which of them operates the relevant product. The controllers are responsible for ensuring that the personal data is used fairly and lawfully.

Joint controllers

TU UK companies sometimes act jointly with one or more of the other TU UK companies when making decisions about your personal data. In particular, this happens when TU UK companies are sharing personal data with each other.

Our members of staff work across TU UK group companies so, where our group companies make decisions jointly, those members of staff will ensure that each company involved complies with data protection rules. Please contact our Consumer Services Team if you want to understand more about the allocation of data protection obligations between our group companies or if you want to exercise your data protection rights.

Contact details

If you wish to contact us about matters relating to one of our products, please contact the relevant service desk or your client relationship manager.

If you wish to contact us about matters relating to our use of your personal data, or the contents of this notice, you can do so by any of the following methods:

Post: Consumer Services Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: consumer@transunion.co.uk

Telephone: 0330 024 7574

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

2. WHAT DO WE USE PERSONAL DATA FOR?

This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we might use for these purposes can be found in section 3 below.

Operating our products and administering accounts

We use personal data to operate our products and administer the accounts of people who use them.

Security and breach reporting

We monitor access to our products in order to help ensure that those products and the data they make available are only accessed by people who are authorised to have access to them. If we detect suspicious activity we may suspend an account and investigate.

Feedback to clients

Sometimes we share data with clients (or their affiliates, business partners or group companies) about how their members of staff are using our products – for example, how often their staff member is using a product or what they are using it for. Clients might typically ask for this information for routine product management purposes (such as to decide whether they need to continue buying the product), or for staff management purposes (for example, to check whether their staff are only using the products properly and in the course of their employment).

In some cases, such as where the information shows misconduct on the part of a client’s member of staff, the information we provide might be used against the relevant staff member as part of a disciplinary process.

Monitoring and improving our products

We use information such as how different people use our products, how long they spend on particular tasks and what sort of information they obtain in order to help customise and improve the products.

This information is also used for security and system administration and to generate aggregate non-personalised information for use by us or our clients.

Product or systems development and testing

We may sometimes use personal data while improving, developing or testing our products and systems. This includes making sure that our security measures are working properly. Where possible, we will anonymise or pseudonymise the data before doing this.

Providing technical support and responding to queries

If you contact us with a query about a product or service that we are providing, we will use your personal data in order to provide you with the assistance you ask for. This will include contacting you about your request.

We may sometimes need to contact you about support queries that have been raised by our other users.

Queries; legal and regulatory purposes

If you contact us we will normally need to use your personal data to help us deal with your enquiry. We may also sometimes need to use your personal data for legal and regulatory purposes.

3. WHAT KINDS OF PERSONAL DATA DO WE USE, AND WHERE DO WE GET IT FROM?

We obtain and use information from various different sources. These are summarised in the following table.

It is mandatory for you to provide us with your personal data in order for us to be able to provide our products correctly. It is not mandatory for you to provide us with your personal data in relation to technical support requests, but we may not be able to help you if you do not provide that information.

4. HOW LONG IS THE PERSONAL DATA KEPT FOR?

We will keep your personal data for as long as you are a registered user of any of our products and may keep it for an additional period of time from when your account is closed. We keep the data for that additional period of time in order to investigate any data supply or data load issues, restore our systems in the event of a data loss incident, and in order to investigate and respond to any complaints, claims and enquiries that we may receive from you, your employer (or its affiliates) or our regulators.

5. WHAT IS OUR LEGAL BASIS FOR HANDLING PERSONAL DATA?

This section explains the legal basis on which we process your personal data.

Legitimate interests

The UK’s data protection law allows the use of your personal data where necessary for legitimate purposes provided that this isn’t outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.

The legitimate interests we are pursuing are:

6. WHO DO WE SHARE THE PERSONAL DATA WITH?

Our group companies

We may share your personal data among the members of TU UK where necessary for the purposes specified in section 2. If we do so, then use of the data by those companies will be governed by this privacy notice. A list of TU UK companies is set out below, although the list may be updated from time to time.

Clients

As mentioned in section 2, we may supply information about your use of the product to your employer (or to its affiliates, business partners or group companies) if they ask us to do so.

Service providers

We may provide your information to third parties who help us use it for the purposes described in section 2. For example:

• Our products may be hosted by third parties on our behalf.
• We may use a third party email broadcasting service in order to send you service emails about your account.

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations, unless you agree otherwise.

Third parties who help us deal with enquiries

Sometimes we may need to supply information to third parties (such as our service providers or other companies in the TransUnion group) in order to deal with a support request or other enquiry.

Business transfers

If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.

Regulators and law enforcement

Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required for the legal protection of our legitimate interests in compliance with applicable laws. For example, we may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.

Sharing of anonymised data with third parties

We may share anonymised information with other third parties, but only where the information cannot realistically be identified as relating to you.

7. WHERE IS THE PERSONAL DATA STORED AND SENT?

Within the UK and EU

We are based in the United Kingdom and will access and use your information from here. However, we also have operations in Lithuania and Spain, and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.

Elsewhere

We also send information elsewhere in the world. For example:

• When one of our overseas group companies or branch offices based overseas needs to use the information in accordance with this notice.
• Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.

While the United Kingdom and countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

• Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
• Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection.

If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.

8. IS THE PERSONAL DATA USED TO MAKE AUTOMATED DECISIONS ABOUT YOU OR TO PROFILE YOU?

We do not use automated decision-making or profiling to make any decisions that will significantly affect you.

9. WHAT ARE YOUR RIGHTS?

You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please use the contact details set out in section 1.

• Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it.
• Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
• Objection to legitimate interests: If you disagree with us relying on the legitimate interests grounds for using your personal data (see section 5 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
• Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it.
• Withdrawal of consent: We do not rely on consent to use your personal data (see section 5 above) so your right to withdrawal of consent does not apply.
• Objection to direct marketing: We do not use your personal data for direct marketing purposes but you have the right to object to us doing so in the future.
• Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
• Portability: We do not rely on consent to use your personal data (see section 5 above) so your right to data portability does not apply.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

10. WHO CAN YOU COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA?

We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us using these details:

Post: Customer Relations Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: customer.relations@transunion.co.uk

Telephone: 0330 024 7574

You can also contact our Data Protection Officer at dpo@transunion.co.uk.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at www.ico.org.uk, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

11. WHAT COOKIES ARE USED ON OUR WEBSITES THAT OFFER BUSINESS PRODUCT AND TECHNICAL SUPPORT FACILITIES?

We use cookies and similar technologies on our websites that offer business product and technical support facilities (referred to below as the business product website(s)) to distinguish you from other users of the business product website. This helps us to provide you with a good user experience and also allows us to personalise and improve the business product website (including its security).

A cookie is a small file of letters and numbers that we put on your device. We use the following kinds of cookie:

• Strictly necessary cookies. These are cookies that are required for the operation of the business product website. They include, for example, cookies that enable you to log into secure areas of the business product website.
• Analytical/performance cookies. These cookies allow us to recognise and count the number of visitors and to see how visitors move around the business product website when they are using it. This helps us to improve the way our business product website works, for example, by ensuring that users are finding what they are looking for easily.
• Functionality cookies. These are used to recognise you when you return to our business product website. This enables us to personalise our content for you, greet you by name and remember your preferences.

You can find more information about the individual cookies we use and the purposes for which we use them on each of the relevant business product website (to the extent applicable). In addition, each of our business product websites use the following strictly necessary cookie:

You can block cookies using your browser settings that allow you to refuse all or some cookies. However, if you use your browser settings to block all cookies (including strictly necessary cookies) you may not be able to access parts of our business product websites or use some of its features. For more information about this, and about cookies in general, you may wish to visit www.aboutcookies.org.

Business Contacts Privacy Notice

Version: 1.8
Date adopted: 4th August 2021

This document provides information about how we use and share personal data relating to our business contacts.

You have the right to object and withdraw your consent to our use of your personal data. Please see section 9 to find out more.

1.Who are we and how can you contact us?

2.What do we use personal data for?

3.What kinds of personal data do we use, and where do we get it from?

4.How long is the personal data kept for?

5.What is our legal basis for handling personal data?

6.Who do we share the personal data with?

7.Where is the personal data stored and sent?

8.Is the personal data used to make decisions about you or to profile you?

9.What are your rights in relation to the personal data we hold about you?

10.Who can you complain to if you are unhappy about the use of your personal data?

1. WHO ARE WE AND HOW CAN YOU CONTACT US?

About us

We are TransUnion Information Group (TU UK), which is a group of companies with headquarters at One Park Lane, Leeds, West Yorkshire LS3 1EP. The relevant members of TU UK are listed in section 6 below.

TU UK forms part of a larger group of TransUnion companies. However, this privacy notice only covers the activities of TU UK.

Joint controllers

Our group companies each control personal data about our business contacts and their representatives. This means that they are each responsible for ensuring that the personal data is used fairly and lawfully. The group companies often act jointly with one or more of the other group companies when making decisions about your personal data. In particular, they make joint decisions when sharing personal data with each other.

Our members of staff work across TU UK group companies so, where our group companies make decisions jointly, those members of staff will ensure that each company involved complies with data protection rules. You can contact our Consumer Services Team if you want to enquire about any of our group companies or exercise any of your rights in respect of your personal data.

Contact details

You can contact us about issues relating to personal data, including the contents of this notice, by any of the following methods:

Post: Consumer Services Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: consumer@transunion.co.uk

Telephone: 0330 024 7574

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

2. WHAT DO WE USE PERSONAL DATA FOR?

This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we might use for these purposes can be found in section 3 below.

Relationship management

We use personal data for relationship management purposes. Relationship management is the ongoing maintenance of our relationship with our clients, suppliers and their representatives.

Some of our relationship management activity involves profiling – please see section 8 for more details about this.

Marketing

We use personal data for marketing purposes, typically in relation to current or potential clients and their representatives. This includes providing you with original insight, commentary and research on data and software, early notifications of exclusive events, webinars and updates on our products and services. These communications may relate to any current member of TU UK (see section 6 for examples) and any future members of TU UK.

Some of our marketing activity involves profiling – please see section 8 for more details about this.

We will not make contact with you for marketing purposes through any particular channel (such as email, telephone or post) if you have told us that you don’t want to hear from us in that way. Please note that if you ask us not to contact you for marketing purposes, you might still hear from us for other reasons – for example, as part of our ordinary relationship management activity.

Providing services

Sometimes we might need to use your personal data to provide you with information, services, alerts and facilities that you have asked for. For example, if you sign up to one of our webinars we might use your contact details to let you know how to access it.

If you are a registered user of one of our products, your personal data may be used within that product – please refer to the privacy notice available within the product or our Business Product & Technical Support Privacy Notice for more details.

Monitoring and improving our websites

We use information such as how different people navigate around our websites, how long they spend on particular pages and whether they download any of our content in order to help customise and improve the user experience of our websites. It also allows us to tailor the website to match your interests and preferences better and helps us understand who has visited which pages to determine the most popular areas of the website.

This information is also used for security and system administration and to generate aggregate non-personalised information for use by us, our business contacts, selected third parties, sponsors or advertisers (such as anonymous statistics related to the take up or use of services, or to patterns of browsing).

Legal and regulatory purposes

We may use your personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from you or a regulator about how we have used your personal data.

3. WHAT KINDS OF PERSONAL DATA DO WE USE, AND WHERE DO WE GET IT FROM?

We obtain and use information from various different sources. These are summarised in the following table.

You are free to choose whether or not you give us your personal data. However, if you are signing up to one of our products or services we might not be able to provide you with that product or service if you do not give us the information we need in order to do so.

4. HOW LONG IS THE PERSONAL DATA KEPT FOR?

We will not keep your personal data for longer than we need it.

If you are a representative of one of our clients or potential clients, this means that we will normally keep your personal data while you or your employer have an ongoing relationship with us or if you have interacted with us (including our websites or communications) within the past two years. You can request us to delete it earlier as explained in section 9.

5. WHAT IS OUR LEGAL BASIS FOR HANDLING PERSONAL DATA?

This section explains the basis on which we process your personal data.

Legitimate interests

The UK’s data protection law allows the use of your personal data where necessary for legitimate purposes provided that this isn’t outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data. We rely on this condition for most of our processing activities.

The legitimate interests we are pursuing are:

Other legal bases

In some circumstances, we may have other bases to process personal data. These are set out in the following table, along with examples of the circumstances in which they might apply.

6. WHO DO WE SHARE THE PERSONAL DATA WITH?

Our group companies

We may share your personal data among the members of TU UK. If we do so, then use of the data by those companies will be governed by this privacy notice. A list of relevant TU UK companies is set out below, although the list may be updated from time to time.

Service providers

We may provide your information to third parties who help us use it for the purposes described in section 2. For example:

• Our database of personal data may be hosted by third parties on our behalf. For example, we use cloud-based services such as Salesforce and Eloqua to help us host, manage, analyse and use our databases of personal data.
• We may use external service providers to help us perform and manage sales and relationship management activity.
• We use printing companies to produce and send personalised direct mail or other correspondence.
• We use market research companies to help us better understand our customers.
• Our auditors may obtain access to personal data in the course of accounting audits.
• Some of our products and services rely on us sending personal data to third parties who then analyse or enhance it and return the results to us.

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations, unless you agree otherwise.

Online advertising platforms

We may use third party advertising platform providers such as Google to serve advertisements to you. These third parties may use information about your visits to our and other websites in order to provide you with advertising about products and services that may be of interest to you.

Sometimes we may provide information associated with you to third parties who operate other websites (such as social media platforms) so that we can show you relevant advertisements while you are using those websites. This information will be protected so that you can only be identified if the third party already knows you – the information we provide only tells them that you are a business contact of ours.

You can configure your advertising preferences on social media such as Facebook, Twitter, Instagram or Pinterest by accessing your settings or preference options on the relevant platform. If you no longer want to receive personalised advertising on any website you visit, you can usually opt out directly through the privacy policy of the particular website you are accessing. Please note that this will not block ads that are displayed on the websites you visit; it will simply stop you receiving advertising that has been tailored to your interests. This opt-out relies on a cookie, so if you wipe all your cookies then that website will no longer know that you have opted out. The same applies if you use a different internet browser or use a new computer to access the internet. You can also opt out of such advertising by visiting the IAB opt-out platform at www.youronlinechoices.com, but please note that this and other platforms only allow you to opt out of interest-based advertising delivered by registered members.

Business transfers

If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.

Regulators

We may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.

Sharing of anonymised data with third parties

We may share anonymised information with other third parties, but only where the information cannot realistically be identified as relating to you.

7. WHERE IS THE PERSONAL DATA STORED AND SENT?

Within the UK and EU

We are based in the United Kingdom, and will access and use your information from here. However, we also have operations elsewhere in Europe – currently Lithuania and Spain – and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.

Elsewhere

We also send information elsewhere in the world. For example:

• When one of our overseas group companies based overseas needs to use the information in accordance with this notice. Further details about those group companies can be found in the table in section 6.
• Where we use cloud-based technology or a data centre or backup facility overseas. For example, our marketing database is currently hosted by a service provider in the Netherlands.
• People in other countries, including South Africa and India, may also need to access that database for purposes such as technical support or system development and testing.

While the UK and countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

• Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
• Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection.

If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.

8. IS THE PERSONAL DATA USED TO MAKE AUTOMATED DECISIONS ABOUT YOU OR TO PROFILE YOU?

We perform the following automated decision-making and profiling activities using your personal data. When we refer to profiling, we mean using personal data to make predictions about you, or to categorise you into particular groups.

Individual-level profiling

We use certain profiling techniques in order to help us to understand our clients and potential clients. This in turn helps us to understand which people might be interested in which of our products and services.

Decision-making

The activities covered by this privacy notice do not include any automated decision-making by us that has legal or similarly significant effects on you. For example, we do not use it to set the prices that we charge for our products and services.

9. WHAT ARE YOUR RIGHTS IN RESPECT OF THE PERSONAL DATA THAT WE HOLD ABOUT YOU?

You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please email us at consumer@transunion.co.uk, telephone us on 0330 024 7574, or refer to the other contact details in section 1.

• Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it.
• Withdrawal of consent: When we rely on your consent to use your data (see section 5 above), you have the right to withdraw that consent at any time. You can do this by contacting us, or (in the case of emails that are sent on the basis of consent) by clicking the “unsubscribe” link.
• Objection to direct marketing: You have the right to object to us using your personal data for direct marketing purposes. If you do this we will stop using it for those purposes.
• Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
• Objection to legitimate interests: If you disagree with us relying on the legitimate interests legal basis for using your personal data (see section 5 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
• Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it.
• Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
• Portability: You have the right to receive some limited kinds of information in a portable format.

Please refer to our Consumer Contact Privacy Notice for information about how we will handle your personal data in connection with complaints and enquiries.

10. WHO YOU CAN COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA

We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us using these details:

Post: Customer Relations Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: customer.relations@transunion.co.uk

Telephone:0330 024 7574

You can also contact our Data Protection Officer at dpo@transunion.co.uk.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at www.ico.org.uk, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Consumer Contact Privacy Notice

Version: 1.6
Date adopted: 8th April 2021

This privacy notice provides information about how we use and share personal data relating to consumers who contact us with an enquiry, request or complaint.

You have the right to object to our use of your personal data. Please see section 9 to find out more.

1. 1. Who are we and how can you contact us?
2. 2. What do we use personal data for?
3. 3. What kinds of personal data do we use, and where do we get it from?
4. 4. How long is the personal data kept for?
5. 5. What is our legal basis for handling personal data?
6. 6. Who do we share the personal data with?
7. 7. Where is the personal data stored and sent?
8. 8. Is the personal data used to make decisions about you or to profile you?
9. 9. What are your rights?
10. 10. Who can you complain to if you are unhappy about the use of your personal data?

1. WHO ARE WE AND HOW CAN YOU CONTACT US?

About us

We are TransUnion Information Group (TU UK), which is a group of companies with headquarters at One Park Lane, Leeds, West Yorkshire LS3 1EP. The relevant members of TU UK are listed in section 6 below.

TU UK forms part of a larger group of TransUnion companies. However, this privacy notice only covers the activities of TU UK.

Joint controllers

Our group companies each control personal data about consumers who contact us. This means that they are each responsible for ensuring that the personal data is used fairly and lawfully. The group companies often act jointly with one or more of the other group companies when making decisions about your personal data. In particular, they make joint decisions when sharing personal data with each other.

Our members of staff work across TU UK group companies so, where our group companies make decisions jointly, those members of staff will ensure that each company involved complies with data protection rules. You can contact our Consumer Services Team if you want to enquire about any of our group companies or exercise any of your rights in respect of your personal data.

Contact details

You can contact us about issues relating to personal data, including the contents of this notice, by any of the following methods:

Post: Consumer Services Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: consumer@transunion.co.uk

Telephone: 0330 024 7574

2. WHAT DO WE USE PERSONAL DATA FOR?

This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we might use for these purposes can be found in section 3 below.

Dealing with your enquiry, request or complaint

We will use your personal data to deal with the matter you have contacted us about (which we refer to below as an “enquiry”). For example, this might include investigating the matter internally or with external organisations, and contacting you to ask for more information or to let you know the outcome of your enquiry.

The kinds of enquiry that we typically deal with include:

• requests for access to personal data, or to challenge the accuracy of personal data that we hold, or to request the erasure of personal data
• support requests relating to our consumer products such as CreditView
• requests for recognition of a change in gender
• complaints
• general enquiries

Identity verification

When you contact us we will often need to establish that you are who you say you are. This is necessary in order to ensure that we don’t provide your personal information to people who shouldn’t have access to it.

Asking you for feedback

We may ask you to provide us with feedback or to leave a review about the service you have received from us. Your feedback helps us to improve our services.

Products and services

Some types of enquiry that you might raise will result in changes to the personal data that we use in our products and services.

Improving systems and processes; internal reporting

We use information gathered in the course of handling complaints and requests to help us find out what went wrong, fix any problems we find, and to improve the way that we deal with similar complaints and requests in the future.

We use aggregated statistics about the enquiries, requests and complaints we receive in order to help manage our services and identify potential problems.

Legal and regulatory purposes

We may use your personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from you or a regulator about how we have handled your enquiry or used your personal data.

3. WHAT KINDS OF PERSONAL DATA DO WE USE, AND WHERE DO WE GET IT FROM?

We obtain and use information from various different sources. These are summarised in the following table.

You are free to choose whether or not you give us your personal data. However, if you do not give us the information or documentation that we need, we may not be able to comply with your request or respond to your enquiry properly.

4. HOW LONG IS THE PERSONAL DATA KEPT FOR?

We will keep your personal data for as long as we are handling your request and for an additional period of time from when we have completed it. That additional period is determined according to the purposes for which the personal data may be needed, such as:

• demonstrating that we have appropriate processes in place to deal with enquiries, requests and complaints, and that we are doing so fairly and in accordance with our regulatory requirements;
• responding to any requests from you or a regulator about how we have dealt with your request, and to show that we have dealt with your request properly;
• defending any potential legal claims or regulatory action that might arise as a result of the request.

5. WHAT IS OUR LEGAL BASIS FOR HANDLING PERSONAL DATA?

This section explains the basis on which we process your personal data when dealing with your enquiries.

Compliance with a legal obligation

The UK’s data protection law allows us to use your personal data where necessary in order to comply with legal obligations that apply to us. This means that if you make a request that we are legally required to deal with or respond to, we will use your personal data on this basis in order to comply with that requirement.

Legitimate interests

The UK’s data protection law allows the use of your personal data where necessary for legitimate purposes provided that this isn’t outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.

The legitimate interests we are pursuing are:

6. WHO DO WE SHARE THE PERSONAL DATA WITH?

Our group companies

We may share your personal data among the members of TU UK to the extent necessary to deal with your request. This will depend on which companies your request relates to, and which companies hold the relevant information. If we do this, then use of the data by those companies will be governed by this privacy notice. A list of TU UK companies is set out below, although the list may be updated from time to time.

Service providers

We may provide your information to third parties who help us use it for the purposes described in section 2. For example:

• we may use third party service providers to receive requests and enquiries from individuals and to handle them on our behalf in accordance with our policies and procedures;
• we may use third parties to hold personal data on our behalf.

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations, unless you agree otherwise.

Data suppliers and other third parties

If your request relates to data which has been supplied to us by third parties, we will often need to provide your personal data to those third parties so that your request can be properly handled. For example, if you dispute the accuracy of an entry on your credit file we will often contact the organisation which provided us with that information in order to check whether it is correct.

We may occasionally also need to check the information you provide with other third parties. For example, if you are asking us to erase your credit file because you are concerned about your personal safety, we may check what you are saying with the police or the UK Protected Persons Services.

Other credit reference agencies

For some kinds of request, such as those relating to gender recognition or victims of fraud, we have agreed a common procedure with the UK’s two other consumer credit reference agencies, Equifax Limited and Experian Limited. If you give us permission to do so, we will share your information with them in order to help ensure that your request is dealt with at all three credit reference agencies without the need for you to deal with each one separately.

Business transfers

If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.

Regulators

We may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.

Sharing of anonymised data with third parties

We may share anonymised information with other third parties, but only where the information cannot realistically be identified as relating to you.

7. WHERE IS THE PERSONAL DATA STORED AND SENT?

Within Europe

We are based in the United Kingdom, and will access and use your information from here. However, we also have operations elsewhere in Europe – currently Lithuania and Spain – and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.

Elsewhere

We also send information elsewhere in the world. For example:

• When one of our overseas group companies based overseas needs to use the information in accordance with this notice. Further details about those group companies can be found in the table in section 6.
• Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.

While the UK and countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

• Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
• Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection.

If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.

8. IS THE PERSONAL DATA USED TO MAKE AUTOMATED DECISIONS ABOUT YOU OR TO PROFILE YOU?

We do not use automated decision-making or profiling in relation to your personal data where this would have a legal or similarly significant impact on you.

9. WHAT ARE YOUR RIGHTS?

You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please use the contact details set out in section 1.

• Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it.
• Withdrawal of consent: We do not rely on consent to use your personal data (see section 5 above) so your right to withdraw consent does not apply.
• Objection to direct marketing: We do not use the personal data that this notice applies to for direct marketing purposes, but you nonetheless have a right to object to us using your data for those purposes if you wish.
• Rectification: : If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
• Objection to legitimate interests: If you disagree with us relying on the legitimate interests legal basis for using your personal data (see section 5 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
• Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it.
• Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.

10. WHO CAN YOU COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA?

We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us using these details:

Post: Customer Relations Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: customer.relations@transunion.co.uk

You can also contact our Data Protection Officer at dpo@transunion.co.uk.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at www.ico.org.uk, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Job Applicant Privacy Notice

Version: 1.2
Date adopted: 12th April 2019

This privacy notice provides information about how we use and share the personal data that we obtain during the job application process. It covers the following topics:

1. Who we are and how you can contact us
2. What we use personal data for
3. What kinds of personal data we use, and where we get it from
4. What our legal grounds for handling personal data are
5. Who we share the personal data with
6. Where the personal data is stored and sent
7. How long the personal data is kept for
8. Whether the personal data is used to make decisions about you or to profile you
9. Your rights in relation to the personal data we hold about you
10. Who you can complain to if you are unhappy about the use of your personal data

1. WHO WE ARE AND HOW YOU CAN CONTACT US

We are TransUnion Information Group (UK UK), which is a group of companies with headquarters at One Park Lane, Leeds, West Yorkshire LS3 1EP. The relevant members of TU UK to which this privacy notice applies are listed in section 5 below.

TU UK forms part of a larger group of companies. However, this privacy notice only covers the activities of TU UK.

The particular TU UK company in the list to whom you are applying, is the controller of the personal data we hold about you for this process. This means that it is responsible for ensuring the personal data is used fairly and lawfully, and it is the legal person against whom you can exercise the rights referred to in section 9 below. Certain TU UK companies will also handle your information in the role stated in section 5.

If as a result of your application you become employed, your personal information will be processed in accordance with the TU UK Staff Privacy Notice.

You can contact us about issues relating to your personal data, including the contents of this notice, by emailing us at recruitment@transunion.co.uk

2. WHAT WE USE PERSONAL DATA FOR

This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we might use for these purposes can be found in section 3 below.

Managing the recruitment process

• To communicate with you, (and on a strict need to know basis) relevant TransUnion Information Group personnel involved in the recruitment process, and relevant third parties, for the reasons set out in this privacy notice
• To record and demonstrate how we have conducted the application and recruitment process and arrived at our decision regarding your application.

Employment Screening Checks

Due to the nature of its business, TU UK holds highly confidential data within its systems and records and is subject to stringent legal and regulatory responsibilities. To protect TU UK and its parent company’s interests, and those of its clients, partners, and other stakeholders including consumers and third parties, TU UK’s policy is to undertake identity verification checks and employment screening. These checks are mandatory to your application and will generally need to be completed before commencement of any employment. Completion of these checks will require you to present certain documentation or provide additional details, and may require signed authorisation or acknowledgement from you – further details will be provided with any offer of employment. We are mindful of your privacy so we will only undertake these checks according to the appropriate stage of the application. These checks are set out below:

If we decide to make you an offer of employment:

Your credit file, fraud prevention, and identity verification

This involves us having sight of your financial situation and history in your credit file held by a credit reference agency (including shared credit, any court judgments or orders, bankruptcy, individual voluntary arrangements or similar events), and by way of a check of your details against the Internal Fraud Database held by Cifas, a fraud prevention organisation. This search leaves a ‘footprint’ on your credit file that is visible only to you should you obtain a copy of your credit file from Callcredit Limited.

Checks undertaken if you formally accept any offer of employment we may make:

• That you have the right to work in the UK – to comply with our legal obligations concerning migrant workers, we require you to provide certain documentary evidence. You will be provided with a list of acceptable documents to determine eligibility. Where eligibility is unclear from the documentation you provide, we will contact the UK Visa and Immigration service to check validity without further reference back to you.
• Whether you have any criminal convictions that affect your suitability for the role. A check is made with the Disclosure and Barring Service (if you live in or the job is in England and Wales), or Disclosure Scotland (if you live in or the job is in Scotland). We may engage a third party for this purpose. A higher level of check may be needed for certain roles, for example where the role being applied for involves a requirement for the person to be of Financial Conduct Authority (‘FCA’) Approved Person status. Details of the level of search will be provided as part of the documentation/ process that you will be asked to provide and complete to enable the search to be carried out.
• Your employment and educational references - for a period up to the preceding 10 years
• Your qualifications and relevant trade or professional memberships – where the information you provide is incomplete, we may seek confirmation directly from the issuing/ governing body without further reference back to you.
• Whether there are any entries against you in the following public registers:
  • FCA register of Authorised Persons (restrictions or suspensions)
  • Office of Foreign Assets Control (US imposed trade sanctions)
  • HM Treasury Financial Sanctions (asset freeze targets)
  • Companies House (disqualified directors)
• Fraud Prevention Agency checks – we will conduct a further check of your details against the Internal Fraud Database held by Cifas.

Where the application is for a senior management or executive role, we review publicity and profile information available about you through internet search engines, for relevancy to the standards of integrity and conduct required of that role.

Should you become employed by TU UK, certain repeat screening checks will be undertaken at appropriate intervals, details of which are provided when employment commences.

Making reasonable disability adjustments (as applicable)

To ensure appropriate arrangements are in place throughout the recruitment process and, if your application is successful, to prepare for you commencing employment.

Monitoring to ensure our recruitment practices meet equal opportunities obligations

We are legally required to ensure that job applicants are given the same set of opportunities regardless of, amongst other things, their race or ethnic origin. We therefore require that you provide certain information in the job application form to help us monitor our practices for compliance with this requirement. If any offer of employment is taken up, we continue to keep this information throughout the employment relationship to help us to maintain fair treatment for employees irrespective of their race/ethnicity. It is only done to review our practices in relation to treatment across racial or ethnic groups, rather than to track your treatment to make decisions about you at individual level. If you have any concerns around this or require us to cease using your personal information for this purpose, please email us at recruitment@transunion.co.uk.

Legal and regulatory purposes

To respond to and defend any legal claims that may arise out the recruitment process. Also we may provide information to law enforcement agencies where they request this, or of our own choice where we consider there is a compelling reason to do so to protect our workers, visitors, customers or their consumers, or our general business interests.

3. WHAT KINDS OF PERSONAL DATA WE USE, AND WHERE WE GET IT FROM

We obtain and use information from various different sources. These are summarised in the following table.

The above information is mandatory to the application and recruitment process. We consider this appropriate having regard to the nature of our business and our legal and regulatory responsibilities as referred to above. We recognise that the employment screening checks referred to above may be more extensive than you are used to. If you wish to discuss these checks in further detail or raise a specific concern, please call your Human Resources contact at your earliest convenience, or email us at recruitment@transunion.co.uk

4. WHAT OUR LEGAL GROUNDS FOR HANDLING PERSONAL DATA ARE

This section explains the basis on which we process your personal data.

To take steps at your request prior to entering into or in order to enter into any contract of employment that may arise regarding your job application

To comply with our legal and regulatory obligations both generally as a business and in relation to your application for employment for example regarding equal opportunities and disability adjustments

Legitimate interests

The UK’s data protection law allows the use of your personal data where necessary for legitimate purposes provided that this isn’t outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.

The legitimate interests we are pursuing are:

• administering and managing the recruitment process
• assessing and confirming an applicant’s suitability for employment
• deciding to whom to offer a job
• keeping records of this process to explain or justify our position in doing so.

Special categories of personal data (SCPD)

With your consent

If you have signed up through the careers pages of the www.transunion.co.uk website to receive job alerts. You can unsubscribe from receipt of these alerts at any time.

5. WHO WE SHARE THE PERSONAL DATA WITH

Our group companies

We may share your personal data among the relevant members of TU UK. If we do so, then use of the data by those companies will be governed by this privacy notice. A list of relevant TU UK companies is set out below although the list may change from time to time.

Service providers

We may provide your information to third parties who help us use it for the purposes described in section 2. For example:

• Our database of personal data may be hosted by third parties on our behalf.
• We use a third party email broadcasting service in order to send you emails (or if we contact you by SMS message)

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations, unless you agree otherwise.

Business transfers

If we sell our business to a third party, or go through a corporate reorganisation, this will involve the transfer of our corresponding human resources records (including recruitment records), to the new undertaking for them to use in the same way as set out in this privacy notice.

6. WHERE THE PERSONAL DATA IS STORED AND SENT

Within Europe

We are primarily based in the United Kingdom, and will access and use your information from here. However, we also have operations elsewhere in the European Union – currently Lithuania and Spain and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.

Elsewhere

We also send information elsewhere in the world. For example:

• Sometimes another group company or branch office based overseas may need to use the data in accordance with this privacy notice.
• We may use cloud-based technology or a data centre or backup facility overseas, and people in other countries may also need to access data for purposes such as technical support or system development and testing.

While countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

• Putting in place a contract with the recipient containing terms which have been approved by the relevant authorities as providing a suitable level of protection.
• Sending the information to an organisation which is a member of a scheme or which has been approved by the authorities as providing a suitable level of protection. One example is the “Privacy Shield” scheme that has been agreed between the European and US authorities.

If your information has been sent overseas like this, you can obtain further information about the safeguards used by emailing us at human.resources@transunion.co.uk.

7. HOW LONG THE PERSONAL DATA IS KEPT FOR

To enable us to deal with any queries or issues that may arise from the job application process, we will, unless otherwise stated in this privacy notice, retain your personal details in our records for a period of 6 months from the date that we formally notify you of our decision. Back-up copies of emails may be retained for longer subject to appropriate safeguards. If your application is successful, to ensure business continuity we will transfer these records to your employee file upon commencement of employment.  

8. WHETHER THE PERSONAL DATA IS USED TO MAKE AUTOMATED DECISIONS ABOUT YOU OR TO PROFILE YOU

We perform the following activities using your personal data. When we refer to:

• Profiling - we mean using personal data to make predictions about you, or to categorise you into particular groups
• Automated decisions – we mean decisions made entirely by automated means which have a legal or other significant impact upon you.

We undertake the following profiling activities to help inform our recruitment decisions:

Identity verification

As explained in section 2 above, we will use the information you provide with your application to help us to verify your identity. We do this by checking the information you give us against databases such as the electoral roll and your credit file. If we cannot verify your identity we will ask for details of your previous address(es) and additional documentary address verification.

Searching your credit file

Please refer to section 2 above.

Personality profiles and aptitude testing

To provide an independent measure of your aptitude and personality, you may be asked to undertake an assessment exercise as part of the job application process. We do this using specialist third party testing solutions.

The above activities do not involve automated decisions in that we do not rely on any one, or any combination of these, as the sole basis for making a recruitment decision about you. They form only part of an overall assessment made by our recruitment team. Recruitment decisions will also take account any representations you may make if you are unhappy about the outcome of these profiling activities on your application, or any clarifying information we may ask you for in response to the outcomes.

9. YOUR RIGHTS IN RESPECT OF THE PERSONAL DATA THAT WE HOLD ABOUT YOU

You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please use the contact details set out in section 1.

• Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it.
• Withdrawal of consent: We only send you job alerts if you have indicated that you want to receive them. You can unsubscribe from these at any time via the careers pages of www.transunion.co.uk
• Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
• Objection to legitimate interests: If you disagree with us relying on the legitimate interests grounds for using your personal data (see section 4 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
• Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it.
• Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
• Portability: You have the right to receive some limited kinds of information in a portable format.

10. WHO YOU CAN COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA

If you are not happy with the way we use or handle your personal data you should make contact so that we can investigate your concerns. Please contact us by sending an email to recruitment@transunion.co.uk

You should also use this email address if you want to exercise any of your personal data rights referred to in section 9 above in relation to the job application activities referred to in this privacy notice.

You can also contact our Data Protection Officer at dpo@transunion.co.uk

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at www.ico.org.uk, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Open Banking Privacy Notice

TRANSUNION OPEN BANKING SERVICE PRIVACY NOTICE

Version: 2.4
Date adopted: 18th May 2021

This document provides an overview about how we use and share personal data that we receive and use in connection with the account information services we provide to consumers and the TransUnion Open Banking service that we provide to our business clients.

You have the right to object to our use of your personal data. Please see section 9 to find out more.

This privacy notice covers the following topics:

1. Who we are and how you can contact us?

2. What we use personal data for?

3. What kinds of personal data we use, and where we get it from?

4. What are our legal grounds for handling personal data?

5. Who do we share the personal data with?

6. Where is the personal data stored and sent?

7. How long is the personal data kept for?

8. Is the personal data used to make automated decisions about you or to profile you?

9. What are your rights in relation to the personal data that we hold about you?

10. Who can you complain to if you are unhappy about the use of your personal data?

11. What cookies are used on the website?

You have the right to object to our use of your personal data. Please see section 9 to find out more.

This privacy notice should be read together with the Terms of Service for the Service we are providing to you. A copy of the Terms of Service is available [here]. It contains the meanings of certain words we use here, such as “Account”, “Service”, “Referring Company” and “Your Bank”.

1 WHO WE ARE AND HOW YOU CAN CONTACT US?

We are TransUnion International UK Limited, which is a company registered in England and Wales with company number 03961870. Our trading address and registered office is at One Park Lane, Leeds, West Yorkshire LS3 1EP.

TransUnion International UK Limited forms part of a larger group of companies known as the TransUnion Information Group, however this privacy notice only applies to the use of personal data obtained by TransUnion International UK Limited in connection with the delivery of this Service unless we say otherwise.

We are a controller of the personal data covered by this privacy notice. This means that we are responsible for ensuring that your personal data is used fairly and lawfully.

You can contact us about issues relating to personal data, including the contents of this notice, by any of the following methods:

Post: Consumer Services Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP

Email: consumer@transunion.co.uk

Telephone: 0330 024 7574

2. WHAT DO WE USE PERSONAL DATA FOR?

This section explains the purposes for which we use personal data about you. More details about the types of personal data that we might use for these purposes can be found in section 3 below.

• Providing you with the Service

We use your personal data to provide you with the Service, as described in the Terms of Service, a copy of which is available [here]. In order to provide you with this Service, we will need to obtain your personal data and share your personal data with the Referring Company.

As part of providing you with the Service, we also store copies of your personal data for reporting and audit purposes.

• Providing the TransUnion Open Banking service to the organisation that has directed you to us (also called the “Referring Company” in this notice)

We use your personal data to provide the TransUnion Open Banking service (as described in section 4 below) to the Referring Company that you are dealing with. In particular, we electronically provide the organisation with the information it requires to conduct an affordability assessment of your finances prior to offering you a service or a financial product. This is to save you from having to provide paper copies of your Account information to the Referring Company.

As part of the TransUnion Open Banking service we provide to the Referring Company, we also store copies of your personal data for reporting and audit purposes.

• Prevention and detection of fraud and other crime

In order to detect or prevent fraud (for example, to confirm you have only provided information about an Account that belong to you), we may use your personal data to identify suspicious or fraudulent behaviours, if we are requested to do so by the Referring Company.

We may retain and re-use this data but solely for the purposes of identity verification and the prevention of fraud, money laundering or other financial crime.

• Product/systems improvement, development and testing

We may sometimes use your personal data while improving, developing or testing our products and systems. This includes making sure that our data categorisation is accurate and that our security measures are working properly. Where possible, we will anonymise or pseudonymise (partially anonymise) the data before doing this.

• Legal and regulatory purposes

We may use your personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from you or a regulator about how we have used your personal data. This includes performing anti-money laundering checks on you (including verifying your identity), which we are required to do by law before we perform the TransUnion Open Banking service.

• Combining data

The information you give us may be combined with other information about you that is obtained from other sources, and the combined data may be used in accordance with this privacy notice. For example:

• the information you give us may be compared with data available elsewhere to validate the information you have provided (for example in the context of anti-fraud measures).
• the information you give us may be combined with other information that we collect about you to assist with the detection and prevention of fraud or financial crime.

3. WHAT KINDS OF PERSONAL DATA DO WE USE, AND WHERE DO WE GET IT FROM?

We obtain and use information from various different sources in the delivery of this Service. These are summarised in the following table.

4. WHAT ARE OUR LEGAL GROUNDS FOR HANDLING PERSONAL DATA?

This section explains the legal basis on which we process your personal data when delivering this Service to you and the TransUnion Open Banking Service to the Referring Company.

Please note that, while we require your explicit consent to provide this Service under financial regulations, we do not require your explicit consent to process your personal data in connection with the provision of this Service under data protection laws. This is because our legal basis for processing your personal data is based on the following legal grounds (rather than your consent).

• Performance of our contract with you

Where you give your explicit consent to use this Service, you enter into a contract with us for the provision of this Service, which is governed by the Terms of Service. A copy of the Terms of Service is available [here].

In order to provide you with this Service that you have consented to in accordance with the Terms of Service, we will need to obtain your personal data and share your personal data with the Referring Company.

• Legitimate Interests

The UK's data protection laws allow us to use your personal data where necessary for legitimate purposes provided that this isn't outweighed by the impact it has on you. The law calls this the "legitimate interests" basis for processing personal data.

The legitimate interests we are pursuing are:

Our use of personal data is subject to an extensive framework of safeguards that help make sure that your rights are protected. These include the information you are given in this notice about how your personal data will be used and how you can exercise your rights to obtain your personal data, have it corrected or restricted, object to it being processed, and complain if you are dissatisfied. These safeguards help sustain a fair and appropriate balance so that our activities do not compromise your interests, fundamental rights and freedoms.

• Necessity for compliance with a legal obligation

The UK's data protection laws allow us to use your personal data where necessary in order to comply with the legal and regulatory obligations that apply to us. For example, in order to provide the Service, we have to comply with our obligations as a registered account information service provider under the Payment Services Regulations 2017. This means that we use your personal data as required under these regulations.

We are required by law to perform anti-money laundering checks (including verifying your identity) on you before we perform the TransUnion Open Banking service. We will use your personal data in order to perform this check and this check will leave a footprint on your TransUnion credit file. This footprint will not impact your credit score and will only be visible to you, us and any organisation you choose to share your TransUnion credit report with.

5. WHO DO WE SHARE THE PERSONAL DATA WITH?

• The Referring Company / Our client

The purpose of this Service is to enable the electronic sharing of your Account information between Your Bank and the Referring Company you are dealing with to obtain a service or financial product. This organisation will be our client, as they will have appointed us to provide this Service for you and their other customers.

In the delivery of this Service, we facilitate the sharing of information between Your Bank and the Referring Company.

We may also share information about how you have used our website with the Referring Company. You provide this information to us when you visit our website (such as clicking on buttons to confirm your consent). This helps the Referring Client to monitoring the performance of our Services and to help identify any technical errors or areas of improvement.

• Our group companies

We may share your personal data with other companies in the TransUnion Information Group for the purposes of improving, developing and testing our existing product and services and new product development. A list of the relevant TransUnion Information Group companies is set out below:

• Service Providers

We may provide your information to third parties who help us use it for the purposes described in section 2. For example:

• our products may be hosted by third party cloud platform providers on our behalf;
• we may use third parties to support, maintain and test our products and services and to help us to answer consumer queries.

These service providers may also be our group companies, some of which are listed above.

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations.

• Business transfers

If we sell our business to a third party, or go through a corporate re-organisation, we will transfer personal data to the company that acquires the business.

If an acquirer intends to use your personal data in a way which is not set out in this notice, they will contact your shortly after the acquisition to inform you about how they are going to use your data.

• Regulators and Fraud Prevention Agencies

We may be compelled to share personal data with our regulators, including the Information Commissioner's Office and the Financial Conduct Authority. Where we suspect fraudulent activity, we may also pass personal data to the police and fraud prevention agencies.

6. WHERE IS THE PERSONAL DATA STORED AND SENT?

Within Europe

We are based in the United Kingdom, and will access and use personal data from here. One of our group companies is based in Lithuania, and so personal data may be accessed from there too. In these locations, the use of the information is protected by European data protection standards.

The Referring Company that you are dealing with, and that will be receiving your personal data, may have operations outside of Europe – please check its own privacy notice for further details.

Outside Europe

We may also send information elsewhere in the world. For example:

• When one of our overseas group companies or branch offices based overseas needs to use the information.
• Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.

While countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

• Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
• Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection.

You can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.

7. HOW LONG THE PERSONAL DATA IS KEPT FOR

We keep your personal data only for as long as necessary for the purposes for which it is used, as set out in section 2 above.

We will keep a record of your personal data used in connection with this Service and the TransUnion Open Banking Service for a period of two years.

Where we use your personal data in connection with the improvement, development and testing of our products and services, we may keep your information for a period of two years. If we have anonymised your data in connection with this purpose, we may keep and use anonymous data indefinitely.

Where we use your personal data to comply with our legal and regulatory requirements, we will typically retain a copy of your personal data for a further period of six years after we used it for that purpose.

Where we use your personal data to comply with our legal and regulatory requirements, we will typically retain a copy of your personal data for a further period of five years after we used it for that purpose.

Search footprints are kept for a total of six years however they will only be visible on your credit file for two years. A further four years of data are used for profiling and statistical analysis.

8. IS THE PERSONAL DATA USED TO MAKE AUTOMATED DECISIONS ABOUT YOU OR TO PROFILE YOU?

We do not use the personal data obtained from the delivery of this Service to make automated decisions about you.

Our role is to obtain this information from Your Bank and deliver it to the Referring Company (our client). The information that we share with our client in the delivery of this Service may then be used by our client to conduct an affordability assessment, which will help them to make a decision about providing a service or financial product to you. However, our clients will also hold other information about you which will help inform their decision.

We would recommend contacting the Referring Company that you are dealing with if you require further information about how they will use the personal data we provide to them in the delivery of the TransUnion Open Banking service.

9. WHAT ARE YOUR RIGHTS IN RELATION TO THE PERSONAL DATA THAT WE HOLD ABOUT YOU?

You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please use the contact details set out in section 1.

• Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it. We may need to ask you to provide additional information to help us to confirm that the personal data we hold is yours.
• Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
• Objection to legitimate interests: If you disagree with us relying on the legitimate interests grounds for using your personal data (see section 4 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
• Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it. For example, if you ask us to erase personal data which we are required to keep under the legal and regulatory obligations that apply to us, we will not be able to action your request.
• Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
• Portability: In some circumstances you have the right to request that we send to you or a third party a copy the personal data you have provided to us in a portable format. However, in the delivery of this Service we are predominantly using personal data provided to us from other sources and not from you directly, which means the right will rarely apply.
• Withdrawal of consent: While we rely on your consent to access this Service, we do not rely on your consent to process your personal data in the delivery of this Service, therefore your right to withdraw consent does not apply.

10. WHO CAN YOU COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA?

We try to ensure that we deliver the best levels of customer service, but if you are not happy about how we use your personal data you should contact us so that we can investigate your concerns. Please contact us using the details in section 1.

You can also contact our Data Protection Officer at: dpo@transunion.co.uk

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the UK. You can do this online through the ICO’s website at www.ico.org.uk/concerns, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

11. WHAT COOKIES ARE USED ON THE WEBSITE?

We use cookies and similar technologies to distinguish you from other users of the website. This helps us to provide you with a good experience when you browse the website and also allows us to personalise and improve the website.

A cookie is a small file of letters and numbers that we put on your device. We use the following kinds of cookie:

• Strictly necessary cookies. These are cookies that are required for the operation of the website.
• Analytical/performance cookies. These cookies allow us to recognise and count the number of visitors and to see how visitors move around the website when they are using it. This helps us to improve the way our website works.

You can find more information about the individual cookies we use and the purposes for which we use them in the table below.

You can block cookies using your browser settings that allow you to refuse all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access parts of our website or use some of its features. For more information about this, and about cookies in general, you may wish to visit www.aboutcookies.org.

TransUnion Information Group Cookie Notice

This document provides information about how we use cookies on our website at www.transunion.co.uk.

1. WHO ARE WE?

This website is operated by TransUnion Information Group Limited, which is a company registered in England and Wales with company number 04968328. Its registered office is at One Park Lane, Leeds, West Yorkshire LS3 1EP.

2. WHAT ARE COOKIES?

A cookie is a small file of letters and numbers that we put on your device when you browse our website.

3. WHAT DO WE USE COOKIES FOR?

We use cookies and similar technologies to distinguish you from other users of the website. This helps us to provide you with a good experience when you browse the website and also allows us to personalise and improve the website.

Our cookies are not used to collect information which (by itself) allows us to identify who you are. But if you separately tell us who you are, we may link your identity to the cookies we put on your device so that we can see how you are using the website. We use that information in accordance with the privacy notice that we give you when you tell us who you are.

4. WHAT COOKIES DO WE USE?

We use the following kinds of cookie:

• Strictly necessary cookies. These are cookies that are required for the operation of the website. They include, for example, cookies that enable you to log into secure areas of the website.
• Analytical/performance cookies. These cookies allow us to recognise and count the number of visitors and to see how visitors move around the website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. They also allow us to tell if you have reached our website from one of our advertising partners so that we can meet our contractual commitments to that partner.
• Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences.
• Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

You can find more information about the individual cookies we use and the purposes for which we use them in the table below.

5. HOW TO CONTROL COOKIES

Strictly necessary cookies are always on when you visit us. On your first visit to us, we’ll ask you to choose which cookies we can use. You can always change your mind by going to your settings.

You can block cookies using your browser settings that allow you to refuse all or some cookies. However, if you use your browser settings to block all cookies (including strictly necessary cookies) you may not be able to access parts of our website or use some of its features.

For more information about this, and about cookies in general, you may wish to visit https://www.aboutcookies.org.uk/.

Terms of Service

This page sets out the terms of use on which you may make use of our website at www.transunion.co.uk. Please read these terms carefully before you start to use our website. By using our website, you indicate that you accept these terms and that you agree to abide by them. If you do not agree to these terms, please refrain from using our website.

If you sign up to any of our products and services, those products and services will be subject to separate terms and conditions.

ABOUT US

This website is operated by TransUnion Information Group Limited, which is a company registered in England and Wales with company number 04968328. Its registered office is at One Park Lane, Leeds, West Yorkshire LS3 1EP.

ACCESSING OUR WEBSITE

We will not be liable if for any reason our website is unavailable at any time or for any period. From time to time, we may restrict access to some parts of our website or to our entire site. You are responsible for ensuring that all persons who access our website through your internet connection are aware of these terms, and that they comply with them.

OUR WEBSITE CHANGES REGULARLY

We aim to update our website regularly, and may change the content at any time. If the need arises, we may suspend access to our website, or close it indefinitely. Any of the material on our website may be out of date at any given time, and we are under no obligation to update such material.

INTELLECTUAL PROPERTY RIGHTS

We are the owner or the licensee of all intellectual property rights in our website, and in the material published on it. Such works are protected by copyright laws and treaties around the world. All such rights are reserved. You may print off one copy, and may download extracts, of any page(s) from our website for your personal reference and you may draw the attention of others within your organisation to material posted on our website. You must not modify the paper or digital copies of any materials you have printed off or downloaded in any way, and you must not use any illustrations, photographs, video or audio sequences or any graphics separately from any accompanying text.

Our status (and that of any identified contributors) as the authors of material on our website must always be acknowledged.

You must not use any part of the materials on our website for commercial purposes without obtaining a licence to do so from us or our licensors. If you print off, copy or download any part of our website in breach of these terms, your right to use our website will cease immediately and you must, at our option, return or destroy any copies of the materials you have made.

RELIANCE ON INFORMATION

Commentary and other materials posted on our website are not intended to amount to advice on which reliance should be placed. We disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our website, or by anyone who may be informed of any of its contents.

OUR LIABILITY

The material displayed on our website is provided without any guarantees, conditions or warranties as to its accuracy or purpose. To the extent permitted by law, we, together with third parties connected to us, hereby expressly exclude:

• all conditions, warranties and other terms which might otherwise be implied by statute, common law or the law of equity; and
• any liability for any loss or damage incurred, whether directly, indirectly or consequentially by any user in connection with our website or in connection with the use, inability to use, or results of the use of our website, any websites linked to it and any materials posted on it.

Notwithstanding any other term, we do not limit or exclude liability for:

• death or personal injury arising from our negligence or that of our employees; or
• for our fraudulent misrepresentation or that of our employees.

VIRUSES, HACKING AND OTHER OFFENCES

You must not misuse our website by knowingly introducing viruses, trojans, worms, logic bombs or other material which is malicious or technologically harmful. You must not attempt to gain unauthorised access to our website, the server on which our website is stored or any server, computer or database connected to our website. You must not attack our website via a denial-of-service attack or a distributed denial-of service attack.

By breaching this provision, you would commit a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities and we will co-operate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use our website will cease immediately.

We will not be liable for any loss or damage caused by a distributed denial-of-service attack, viruses or other technologically harmful material that may infect your computer equipment, computer programs, data or other proprietary material due to your use of our website or to your downloading of any material posted on it, or on any website linked to it.

LINKING TO OUR WEBSITE

You may link to our home page, provided you do so in a way that is fair and legal and does not damage our reputation or take advantage of it, but you must not establish a link in such a way as to suggest any form of association, approval or endorsement on our part where none exists. You must not establish a link from any website that is not owned by you.

Our website must not be framed on any other site, nor may you create a link to any part of our website other than the home page. We reserve the right to withdraw linking permission without notice. The website from which you are linking must NOT:

• contain any material which is defamatory of any person;
• contain any material which is obscene, offensive, hateful or inflammatory;
• promote sexually explicit material;
• promote violence;
• promote discrimination based on race, sex, religion, nationality, disability, sexual orientation or age;
• infringe any copyright, database right or trademark of any other person.

LINKS FROM OUR WEBSITE

Where our website contains links to other sites and resources provided by third parties, these links are provided for your information only. We have no control over the contents of those sites or resources, and accept no responsibility for them or for any loss or damage that may arise from your use of them.

There are links on our website to other websites which we or our group of companies also maintain. Access to and use of those other websites are governed by separate terms and conditions and you are strongly recommended to read those terms.

JURISDICTION AND GOVERNING LAW

The English courts will have exclusive jurisdiction over any claim arising from, or related to, a visit to our website or these terms. These terms of use are governed by English law.

VARIATIONS

We may revise these terms at any time by amending this page. You are expected to check this page from time to time to take notice of any changes we made, as they are binding on you. Some of the provisions contained in these terms may also be superseded by provisions or notices published elsewhere on our website.

YOUR CONCERNS

If you have any concerns about material which appears on our website, please contact:

Customer Services Department
TransUnion Information Group
One Park Lane
Leeds, LS3 1EP

Thank you for visiting our website.

Transunion Open Banking Service Terms and Conditions

1  Meaning of words we use

Account any payment account held in your name with Your Bank in the UK into which you can deposit and withdraw income and which allows for direct debits, transfers and payment transactions. Please read these terms of service carefully (and paragraph 4 in particular) as there may be instances where we may not be able to provide Services in relation to a particular Account.

Information has the meaning given to it in paragraph 3.2 of these Terms.

Referring Company means the person or organisation that has directed you to us so that we can provide the Service.

Service means the services detailed in paragraph 3 of these Terms.

Terms means these terms of service for the Service which includes the on screen information provided to you on the Website describing how the Referring Company will use the Information and the consent described in paragraph 3.3 below.

you, your means the person who agrees to use the Service.

Your Bank means any bank or building society you hold an Account with. Please see the Website for details of the banks and building societies that are supported by the Service.

we, us, our means TransUnion International UK Limited (registered in England and Wales with company number 03961870) of One Park Lane, Leeds, West Yorkshire, LS3 1EP.

Website means the website from which we provide the Service.

2  Our agreement with you for the Service

2.1  These Terms govern the use of the Service and form an agreement between us and you. You can obtain a copy of these Terms at any time from our Website.

2.2  Only you and we have any rights under these Terms.

3  The Service

3.1  In order to use this Service you must have:

(a)   been redirected to our Website by a Referring Company to whom you are applying for a service or financial product; and

(b)   successfully passed

(i)   our anti-money laundering checks (including checks to verify your identity), which we are required to perform by law before providing you with the Service; and

(ii)   if requested by the Referring Company, additional fraud prevention checks in relation to your application for a service or financial product.

3.2  This Service will enable you to authorise us to request information about your nominated Account(s) (such as statements, details of payment transactions into and out of your Account, account balances etc.) (“Information”), from Your Bank, so that we can send this Information to the Referring Company. The Referring Company will then use this Information to conduct an affordability assessment of your finances prior to offering you a service or a financial product. The Referring Company may ask that we only send them a sub-set of the Information, if this is all they need to carry out their assessment.

3.3  In order to use this Service, you need to consent to us requesting certain Information about your nominated Account(s) from Your Bank and you must also agree that we can pass the Information we obtain to the Referring Company. We may undertake some analysis of your Information to help the Referring Company make an assessment about you, such as your affordability and creditworthiness, in connection with your application for a financial product or service. You will be asked to provide your consent to this as well. Please also refer to our Privacy Notice here which explains how we will use your Information.

3.4  If you provide your consent, we will submit a request for your Information to Your Bank in accordance with paragraph 4 and, if this request is successful, provide you with a summary of the Information we receive.

3.5  We do not check the Information we receive from Your Bank for accuracy and we have no responsibility to do so. In addition, we have no responsibility for any products and services provided to you by Your Bank or the Referring Company.

3.6  The Information we retrieve and display through the Service is only as up to date as the Information we obtain from Your Bank at the point in time you authorise us to request that Information. This means that it may not take account of recent credits to and/or withdrawals from your Account(s).

4  Steps to access the Service

4.1  After you have provided your consent in accordance with paragraph 3 above, you will then need to select which of Your Bank(s) you would like us to request Information from.

4.2  You will then be prompted to identify yourself with Your Bank. This may involve you being redirected to Your Bank's online banking login page where you may be prompted to enter your login details. If this happens, we will not see, record or store any of the login details you enter. You will be responsible for ensuring you provide the correct log in details to Your Bank. If you repeatedly provide Your Bank with incorrect login details, this may result in your access to your Account(s) being blocked and may mean we cannot provide the Service as a result.

4.3  Once you have successfully identified yourself with Your Bank, you will be asked to nominate which specific Account(s) you would like us to request Information from.

4.4  You may not be able to select all of your Accounts for a number of reasons, which may include the following:

(a)  you will only be able to select Accounts which you can access online;

(b)  you will only be able to select UK-based Accounts; and

(c)  you will only be able to select Accounts held with Your Bank(s) that are accessible to us. Our Website will display the banks and building societies we can connect with.

If Your Bank is listed on our Website but you do not see an Account you would like to select, you should contact Your Bank.

4.5  After you have selected your chosen Account(s), you will be re-directed back to our Website and we will provide the Service.

5  Our right to request your Information

5.1  We will only request Information where you have consented to us doing so. We will only share Information with you and the Referring Company. Our right to request Information from your selected Account(s) will expire once we have successfully received the Information from Your Bank(s). We will keep some or all of your Information to comply with our legal obligations. Details of how we will store and process your Information is set out in our Privacy Notice here. If you wish to repeat the Service in relation to a different Referring Company or Account you will need to provide us with permission again.

6  Availability of the Service

6.1  We will not be able to request or receive Information where Your Bank has blocked either your access to that Account or has denied our request for Information.

6.2  We may not be able to provide this Service if your internet connection, device or network connection fails.

6.3  We may refuse to provide the Service, in accordance with our rights in these Terms.

7  Charges

7.1  We will not directly charge you for providing this Service. However, we may charge the Referring Company a fee in return for our providing you with this Service and the Referring Company may pass this fee on to you.

8  Security

8.1  If you think someone else has obtained your login details that you use to access your Account(s) or you think that your Account(s) have been compromised in any way you must contact Your Bank immediately and not us.

8.2  We’ll use reasonable care and skill to ensure that our Website and Service is safe and secure and does not contain viruses or other damaging properties. If we fail to comply with this and you suffer loss and/or damage to your data, software, device, digital content and/or other equipment, we’ll be liable to you.

8.3  You must not use the Website or Service on a device or computer which you know or suspect contains or is vulnerable to viruses or other damaging properties or which does not have up-to-date anti-virus software installed on it.

8.4  If we detect that your device or computer has been compromised in a way that may allow unauthorised or malicious software to be installed, or that it may carry a virus or any malware threat, we may prevent you accessing Service on that device or computer.

9  Our responsibility to you

9.1  We will not be responsible to you for any failure to provide any Service due to scheduled or required downtime, or for any reason that is beyond our reasonable control. Examples of this include (but are not limited to):

(a)  any technical failure of Your Bank's online platform;

(b)  Your Bank denying our request to receive your Information;

(c)  failure of any machine, data processing system or transmission link; or

(d)  outages or lack of coverage or signal on any phone network.

9.2  The information we obtain about your Account(s) and the transactions on that Account is dependent on the Information we receive from Your Bank. We are not responsible if Your Bank gives us incomplete or incorrect information.

9.3  The Information we obtain from Your Bank does not represent a comprehensive illustration of your financial situation. For example, it may not take into account balances held in other accounts or a savings account, credit card, personal loan or mortgage balances.

9.4  If we do not comply with these Terms or we do not use reasonable care and skill in providing the Services to you then we will be responsible for the loss and damage which is a foreseeable result of this breach. Loss or damage is foreseeable if either it is obvious that it will happen or if, at the time the contract was made, both we and you knew it might happen. We are not responsible for any loss or damage which is not foreseeable.

9.5  We only supply the Services for domestic and private use. If you use the Services for any commercial, business or re-sale purpose we will have no liability to you for any loss of profits, loss of or damage to reputation, loss of contracts, loss of opportunity, loss of business, loss or depletion of goodwill, increased overheads or administration expenses, management time, loss of savings.

9.6  You remain responsible for keeping your online banking log-on details safe in accordance with your agreement with Your Bank.

9.7  You must not:

(a)  use the Service in any unlawful manner, for any unlawful purpose, or in any manner inconsistent with these Terms;

(b)  act fraudulently or maliciously in relation to the Service, for example, by accessing an account which is not yours or hacking into or inserting malicious code, including viruses, or harmful data, into the Service or any operating system;

(c)  infringe our intellectual property rights or those of any third party in relation to your use of the Service;

(d)  transmit any material that is illegal, fraudulent, defamatory, offensive or otherwise objectionable in relation to your use of the Service;

(e)  use the Service in a way that could damage, disable, overburden, impair or compromise our systems or security, those of our licensors, Your Bank(s) or a Referring Company or interfere with the experience of other users of the Service; or

(f)  collect or harvest any information or data from any Service or our systems or attempt to decipher or interfere with any transmissions to or from the servers running any Service.

10  Termination of the Service

10.1  The Service will be provided immediately after you have completed each of the steps described in paragraph 4 - you must have provided us with your consent to request Information relating to your Accounts, identified yourself with Your Bank and selected the relevant Account(s). You will not be able to withdraw your consent after this point. However, you may be able to withdraw from the Service prior to completing all of the steps set out in paragraph 4.

10.2  We may refuse to provide the Service or stop providing the Service (or part of it) at any time if:

(a)  we are legally obliged to do so;

(b)  where we suspect that the Service is being used fraudulently;

(c)  where we suspect unauthorised access;

(d)  you have committed a serious breach of these Terms;

(e)  we reasonably consider that by continuing to provide the Services in accordance with these Terms we may break any law, regulation, code or other duty that applies to us or which we have agreed to follow; or

(f)  we reasonably consider that we may be exposed to action from any government, regulator or law enforcement agency.

11  Queries and Complaints

11.1  Queries in relation to your Information:

(a)  in the event that there is an unexpected entry in your Information or you feel that the Information is not correct you should contact Your Bank;

(b)  in the event that you have a query about the Referring Company’s use of your Information you should contact the Referring Company.

11.2  How to complain: If you have any complaints in relation to the Services then please contact our customer services team at customer.relations@transunion.co.uk, or by writing to them at the following address:
Customer Relations Team
TransUnion
One Park Lane
LEEDS LS3 1EP
You can find our customer complaints policy here.

11.3  Complaint Resolution: We have a complaint handling process, which includes alternative dispute resolution (a process where an independent body considers the facts of a dispute and seeks to resolve it without you having to go to court). If we have sent you our final response and you are not happy with how we have handled any complaint, you may want to contact the statutory alternative dispute resolution provider for financial services in the UK – the Financial Ombudsman Service. The Ombudsman will not charge you for making a complaint and if you are not satisfied with the outcome you can still bring legal proceedings. The contact details for the Financial Ombudsman Service are:

The Financial Ombudsman Service
Exchange Tower London
E14 9SR
Tel: 0800 023 4 567 or 0300 123 9 123
E-mail: complaint.info@financial-ombudsman.org.uk Website: www.financial-ombudsman.org.uk

11.4  Online Dispute Resolution Platform: You may also complain using the European Commission’s Online Dispute Resolution platform. This is an online facility designed to help consumers to resolve complaints they have, where they have bought goods and services online. This platform can be accessed via the following link: https://webgate.ec.europa.eu/odr. This platform will not be available to UK consumers after the UK exits from the European Union.

12  General points to note

12.1  If we fail to insist that you perform any of your obligations, or if we do not enforce our rights against you, or if we delay in doing so, that will not mean that we have waived our rights against you and will not mean that you do not have to comply with those obligations and we can still insist on the strict application of these Terms later on.

12.2  If any part of the Terms becomes illegal, invalid or unenforceable in any way, this will not affect the validity of the remaining Terms in any way.

12.3  You may not transfer any of your rights or obligations under these Terms to another person without our prior written consent. We can transfer all or some of our rights and obligations under these Terms to another organisation, but this will not affect your rights under these Terms.

13  Language

The language of these Terms is English and all information provided, made available and notified to you will be in English.

14  Governing law and jurisdiction

These Terms and Conditions are governed by the law of England and Wales and you can bring legal proceedings in respect of the products in the courts of England and Wales. If you live in Scotland you can bring legal proceedings in respect of the products in either the Scottish or the English courts. If you live in Northern Ireland you can bring legal proceedings in respect of the products in either the Northern Irish or the English courts.

Important Information

TransUnion International UK Limited is registered in England and Wales with company number 03961870. Registered Office: 1 Park Lane, Leeds, West Yorkshire, LS3 1EP. TransUnion International UK Limited is part of the TransUnion Information Group (formally, Callcredit Information Group) and is registered with the Financial Conduct Authority under the Payment Services Regulations 2017 under registration number 805757 for the provision of payment services. TransUnion International UK Limited is also authorised and regulated by the Financial Conduct Authority as a Credit Reference Agency under registration number 737740. Authorisation can be checked on the Financial Services Register at www.fca.org.uk.

Please note that other taxes or costs may apply to the Services which are not paid via or imposed by us.

We are covered by the Financial Ombudsman Service (FOS). Please note that only consumers meet the FOS eligibility criteria for this Service.

TUOBST&C Version 2.1

September 2020

Accessibility

TransUnion Information Group is committed to ensuring our website is accessible to as many visitors as possible, regardless of physical abilities or software. We have taken the following steps to achieve this goal:

Standards

• This site is built using HTML and CSS 3.
• The site uses structured semantic markup. For example, table markup is used for data tables, lists are marked up using lists elements, headers are marked up as headers and so on.
• All links can be followed in any browser, even if scripting is turned off in the visitor's browser.

Images

• Content images on the site use descriptive ALT attributes.
• Purely decorative graphics include null ALT attributes.

Visual Design

• All text is sized using relative sizes to allow it to be resized by users of any browser.
• All main content is structured so as to be readable in any browser, regardless of whether it supports images, stylesheets, scripting or plugins.

Copyright Notice

The copyright in the design and content of this website are owned by TransUnion Information Group Limited. © TransUnion Information Group Limited 2019. All rights reserved.

Registered Office Details

TransUnion Information Group Limited is a company registered in England and Wales with company number 04968328. Registered Office: One Park Lane, Leeds, West Yorkshire, LS3 1EP

TransUnion International UK Limited is a company registered in England and Wales with company number 03961870. Registered Office: One Park Lane, Leeds, West Yorkshire, LS3 1EP

Callcredit Marketing Limited is a company registered in England and Wales with company number 02733070. Registered Office: One Park Lane, Leeds, West Yorkshire, LS3 1EP

TransUnion Baltics, UAB is a company registered in Lithuania with company number 302689020. Registered Office: Kaunas City Municipality, Karaliaus Mindaugo Av. 50. 44334 Kaunas, Lithuania

Callcredit Spain, S.L. Registered office: Paseo de la Castellana, 259C, Planta 16N, 28046 Madrid, Spain

Confirma Sistemas de Información S.L. Registered office: Avenida de la Industria, 18, 28760 Madrid, Spain

Soluciones Confirma Asnef-Signe S.L. Registered office: Avenida de la Industria, 18, 28760 Madrid, Spain

Financial Information

Filing History

For more information on TransUnion Information Group Limited’s filing history, including its statutory accounts, please visit the following link.

Filing History

Tax Strategy

To view TransUnion's tax strategy, as required under the Finance Act 2016, please visit the following link.

Tax Strategy

Your Data Rights

Here at TransUnion we handle lots of different kinds of data. Where we hold personal data about you, we want to ensure that you can exercise your rights over that data as easily as possible. We’ve put this page together to help you do that.

WHAT DATA CAN I EXERCISE MY RIGHTS OVER?

You can exercise your rights in relation to any personal data that we hold about you.

The kinds of personal data that you may be interested in exercising your rights over include:

• consumer credit reference data (such as information on your credit file)
• consumer marketing data (such as your name and address on the open register)
• your employment file if you are a past or present TransUnion employee
• data we hold if you are a business contact at one of our clients, potential clients or suppliers
• data relating to the staff of our clients who use our products and services
• your correspondence with us (such as queries or complaints that you have raised)

If you just want to know what kinds of data we hold and how we use and share it, please refer to our Privacy Centre.

Sometimes we hold personal data on behalf of other organisations but don’t make decisions about how or why that data will be used. In these cases, you’ll need to contact the relevant organisation directly if you want to exercise your rights over that data.

WHAT RIGHTS DO I HAVE?

You have the following rights over the personal data that we handle.

Access

You have the right to know what data we hold about you, what we use it for, where we got it from, the kinds of organisations that we share it with and how long we keep it for.

At TransUnion there are two kinds of access request you can make:

• Limited subject access request – provides you with a copy of your credit file.
• Full subject access request – provides you with any other of your personal data that you specify.

If you’re just interested in seeing what’s on your credit file, you can do this online.

Rectification

If you believe that the data we hold about you is incorrect, inaccurate or needs to be brought up date, you can ask us to correct it.

Special rules apply where you ask us to correct something on your credit file. This is because of some separate legislation known as the Consumer Credit Act 1974. In these cases:

• The first step is to request a copy of your credit file.
• You can then let us know which entries on your file need to be corrected.
• We will mark the data as being under dispute and will investigate whether or not it’s correct. This will usually involve contacting the organisation that supplied the information to us.
• When we finish our investigation we will let you know the outcome. We have a 28 day deadline for doing this.
• If you’re not happy with the outcome you have a right to add an explanatory notice of up to 200 words onto your credit file.

Erasure (also known as the right to be forgotten)

This is a right to request that we delete some or all of the personal data that we hold about you.

It’s important to appreciate that this is not an absolute right. It only applies in certain situations and is subject to certain caveats. The circumstances in which it applies are explained on the Information Commissioner’s website, here.

We usually rely on the “legitimate interests” basis for processing your data. This is where it’s necessary for us to use your data in order to achieve certain aims that we and other organisations are pursuing, provided that those aims aren’t outweighed by the impact on your rights. In these cases, if you want us to erase your data you’ll normally need to object to us using it (see below) and give us information about how our use of your data is affecting you. Then we’ll weigh up the importance of the aims we are pursuing against the effect that we’re having on you. If your rights outweigh the need for us to use the data then we will erase it; otherwise, we’ll be entitled to keep it.

If you’re asking us to erase your credit file, you need to bear in mind that accurate credit reporting is extremely important to the UK financial services industry and the wider economy. That means that it’s relatively rare that we will find that a person’s rights and interests override those aims.

You should also bear in mind that if you are successful in having your credit history erased, this could well make it harder for you to obtain credit in the future.

Please note that we are entitled to keep a copy of data for certain specified purposes, such as enforcing or defending legal claims.

Restriction

In some circumstances you can ask us to put restrictions on the ways in which we use and share your personal data.

This only applies in limited circumstances, such as where you’re disputing the accuracy of the data. And it normally only lasts for a limited amount of time, such as however long it takes for us to verify the accuracy of the data.

When data is restricted we can only use it in ways that you agree we can, or for the purposes of legal claims, in order to protect the rights of another person or for reasons of important public interest.

If you dispute the accuracy of something on your credit file, we’ll mark it as under dispute but will normally still share it with other organisations (with the dispute marker attached). It’s important that we do this because otherwise individuals could (for example) hide adverse information such as loan defaults, CCJs and bankruptcies from their credit files. Continuing to share disputed data is our way of protecting the rights of:

• lenders (who need to be able to make appropriate lending decisions), and
• other consumers (who would have to bear the increased borrowing costs that would otherwise result).

Portability

This is a right to have personal data supplied to you in a machine-readable format so that you can more easily re-use it in other services. This right only applies to TransUnion in very limited circumstances. Please ask us if you need your data supplied in this way.

Withdrawal of consent / objection

Where we’re relying on your consent in order to use your personal data you have an absolute right to withdraw that consent at any time. This will mean that we’ll need to stop using your data unless we have some other legitimate basis for continuing to use it.

In most other situations, you can object to us using your personal data; this will mean that we need to assess whether we have compelling reasons to continue using it despite your objection.

You also have a right to object to us using your data for direct marketing purposes. If you do this we’ll stop using your data for those purposes as soon as possible.

ARE THERE ANY EXCEPTIONS FROM THESE RIGHTS?

Yes.

Some of the rights are inherently limited in scope. For example, the erasure and restriction rights only apply in specific circumstances and are subject to some exceptions – please see what we say above about these.

There are also some more general exemptions. For example, if you make a subject access request we’re generally not required to provide you with information about other people. This means that you’ll often see other people’s names and job titles redacted from the material we send you. We’re also allowed to withhold information that is protected by legal privilege (such as our internal legal advice), which may happen if we are in a dispute with you.

We are also not required to provide you with information which would reveal our trade secrets, such as details of how our algorithms work. For example, we will not provide specific details about how we calculate credit scores, although we can provide you with general information about factors that will often affect your credit score.

HOW DO I EXERCISE THESE RIGHTS?

If you just want to see your credit report, you can do this online.

For any other requests about your personal data, please contact our Consumer Services Team.

HOW LONG WILL IT TAKE?

Normally we should be able to get back to you with the outcome of your request within one month. If we aren’t able to do that then we’ll explain why.

Requests to correct information on your credit file have a shorter timescale of 28 days.

Client Minimum Security Standards

Version: 1.1
Date adopted: December 08, 2021

Table of Contents:

• Introduction
• Information Security Standard Requirements
  • ISO27001
  • PCI DSS
  • SOC2
• Information Security Management
  • Information Security Management
  • Human Resources Security
  • Physical and Environmental Security
  • Access Control
  • Communications and Operations Management
  • Information Security Incident Management
  • Business Continuity Management
  • API Encryption Requirement

Introduction

Each party recognises the importance of maintaining the highest levels of Information Security Management. Confidential Information can exist in many physical and electronic forms, and is subject to many types of human, physical and/or electronic threats when being transmitted, processed and stored.

By each party providing the other party with Confidential Information, it is necessary to define a set of minimum security standard requirements which ensure the continued safe-custodianship of those assets.

This document summarises the minimum technical and organisational controls each party should implement to maintain the security and integrity of Confidential Information in accordance with Security Industry best practices.

Information Security Standard Requirements

Each party shall employ operational and technological processes and procedures in line with good industry practices to protect against unauthorised use, access, loss, destruction, theft or disclosure of any information provided under the Agreement.

ISO27001

Each party shall be either registered to ISO27001, or have suitable controls in place which are aligned to the standard and demonstratable. If the Client is in the process of working towards the certification and is able to demonstrate progression, timescale of completion must be agreed with Transunion.

PCI DSS

If a party is provided with access to Primary Account Numbers or is a Service Provider (in each case as defined by the Payment Card Industry Security Standards Council), it shall ensure that its environment and any subsequent services are provided in a manner which is compliant with the latest version of the Payment Card Industry Data Security Standard (“PCI DSS”). In addition, where applicable, each party must provide the other party with evidence of PCI DSS compliance certification. This must be an Attestation of Compliance (AoC) by an Payment Card Industry Qualified Security Assessor (PCI QSA) or appropriate Self-Assessment documentation that attests to the results of a PCI compliance audit or assessment.

SOC2

Where applicable, SOC 2 compliance reports must be provided to each party as and when requested. This standard is a minimal requirement for those providing or considering a SaaS provider.

Information Security Management

Information Security Management

Information security management defines and manages controls that an organisation needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities.

Each party shall ensure that the following requirements are met:

• All Confidential Information provided by one party to the other party shall be maintained in a secure manner at all times.
• An organisational security policy exists, which has been endorsed at Board level, setting out commitment to comprehensive and ongoing security, including the physical, technological, logical, organisational and contractual measures set out in subsequent sections of this document. This policy must be reviewed on a regular basis.
• Responsibility for maintaining and reviewing the organisational security policy on an annual basis is clearly allocated.
• Each party shall notify the other of the person, and alternate person, with overall responsibility for Information Security, and the person/alternate (if different) to be used as the point of contact in the event of a security incident.
• Sufficient resources, skills and facilities are allocated in order to meet all security responsibilities.
• Confidential Information must be classified according to its sensitivity.
• Appropriate safeguards must be implemented in order to maintain the security and integrity of personal data as required under Data Protection Legislation.

Human Resources Security

Each party will ensure that the following requirements are met:

• Background and integrity checks (in accordance with good industry practice) shall be carried out on each party’s employees agents and subcontractors (“staff”) before their initial employment or subsequent move into a job function that would give them ability to access, use, alter, damage, destroy, copy or disclose any Confidential Information provided by the other party.
• All staff must receive robust initial and ongoing training about their security responsibilities, Data Protection Legislation and other relevant legal obligations.
• All staff must be subject to enforceable obligations of confidentiality (for example, under their contracts of employment, under a contract for services or a separate confidentiality agreement as appropriate).
• Rules and procedures must be in place to withdraw security access privileges for staff not complying with these Minimum Security Standard Requirements.
• Paper disposal procedures must be in place to ensure shredding of any printed materials showing sensitive data.
• Guidelines issued to all staff to lock away any confidential items such as portable media or documents when not in use.
• Take appropriate steps to ensure the reliability of staff who have access to personal data. Such steps to include (but not necessarily limited to): (i) staff undergoing training in Data Protection Legislation and the care and handling of personal data; (ii) pre-employment screening; and (iii) monitoring staff to ensure that they are adhering to policies on Confidential Information.
• The access rights of all staff with access to information processing system(s) or media containing Confidential Information will be removed immediately upon termination of their employment, contract, or agreement, or adjusted upon change of job function.

Physical and Environmental Security

Each party shall ensure that appropriate secure measures will be implemented, at all premises, including remote working locations, at which that party (or its staff), access, store or otherwise process Confidential Information. Such appropriate measures shall include (to the extent possible and/or practical, depending on the applicable location), the following:

• Current and tested premises intrusion detection and notification systems with assigned and documented alarm procedures.
• Ensure adequate and preventative controls are in place for physical protection against natural disasters, malicious attacks and/or accidents.
• Appropriate egress and ingress controls to ensure only authorised access is permitted for those areas with sensitive or classified information being stored or processed.
• Appropriate entry controls for those authorised personnel only
• Issue of keys and codes are restricted only to those who need them for legitimate purposes connected with their duties, with supporting documentation.
• Adequate risk based implementation of security controls for offices, rooms, and facilities.
• Proper visitor management controls in place such as visitor ID tags, escort procedures in order to manage the visitor’s movement within the company; appropriate restrictions on visitor movement, especially to those areas with direct access to printed, screen, physical or logical versions of sensitive information.
• Distinct physical room or rooms for server and communications equipment; issue of keys and codes restricted only to those who need it, documentation of their issue.
• Asset disposal procedure is defined and followed to ensure all hard drives and media (e.g. tapes, CD’s) are cleansed, degaussed or shredded after use so that no remnants of data still exist and / or are recoverable.
• Actively document, implement and communicate a clear desk procedure in line with industry best practice to prevent unauthorised access to sensitive personal and/or confidential information. Clear desk procedures should include regular clear desk audits of all areas that process, store TransUnion data.

Mobile Media

Each party will encrypt all personal data contained in Mobile Media. “Mobile Media” means portable and mobile devices used to store and transport information (including, but not limited to, paper records and magnetic and other electronic media, laptops, computers, mobile phones, memory sticks, PDAs, discs, external hard drives, and magnetic tapes)

Access Control

Each party shall implement the following access control measures in respect of its technical environment:

• Access and type of access to all data/databases/networks/devices enforced based on defined, individual staff/user permissions requiring username and password logon.
• All access permissions set at least privilege and based on a need to know basis.
• Password/logon controls including complexity, expiry, uniqueness, and lockout to meet best practice standards.
• Procedures to grant/rescind user permissions in line with changes in responsibilities, including termination.
• Servers must follow a secure build-standard in line with ISO 27001 requirements and be regularly updated with the latest security patching in accordance with industry best practice.
• Screensaver non-activity lockouts on all servers and workstations in place and as per best practice.
• Display of appropriate security notices as part of the individual user logon process.
• Appropriate levels of activity logging, storage, and review to provide abuse deterrence and to enable forensics in the event of a security breach.
• Distinct logon accounts for individual users of TransUnion Services.
• Obligation to prohibit sharing of logons/passwords.
• Specific responsibility assigned to person or persons to administer user logon accounts, including change of privilege and withdrawal of privilege in the event of user security breach or termination.

Communications and Operations Management

Each party shall ensure that the following requirements are met:

• Protection of all external computer network gateways with appropriate firewalls and current security patches.
• Appropriate vulnerability scanning shall be conducted on external computer network gateways and significant findings remediated accordingly on a regular basis.
• Protection of other external communications access routes (e.g. out of band internet or remote access) with appropriate measures in line with best practice.
• Change control procedures governing amendments to firewall rule bases and other network changes relating to the other party’s Confidential Information.
• Restrictions to remote user access including appropriate user authentication and session encryption.
• Restrictions and procedures to ensure transfer and storage of Confidential Information outside of the logical security perimeter of its network is protected with either a minimum of AES 256-bit digital encryption/authentication or a complex password.
• Appropriate and current antivirus protection measures are in place.

Information Security Incident Management

Each party shall ensure that the following requirements are met:

• Implement technology and processes necessary to log all appropriate security event information. Monitoring of own environment, applications, and processes for actual or potential security intrusions or violations. The log information should be kept for a reasonably amount of time should the logs be required for an investigation.
• Adequate segregation of duties must be in place to maintain the security event information.
• Each party shall notify the other by secure medium of any occurrence of a breach of information security without undue delay upon becoming aware of any such incident or without undue delay upon becoming aware of circumstances which are reasonably likely to lead to such an incident with sufficient detail as to allow the other party to ascertain in reasonable detail the magnitude and likely consequences of the security breach.
• The parties shall co-operate with each other and any appropriate third party in respect of a security breach and will provide the available evidence should it be requested from the other party.

Business Continuity Management

Each party shall have an appropriate Business Continuity Management System (including Disaster Recovery) in place that will include a documented Business Continuity Plan and Policy. A Business Continuity Plan (BCP) must be tested and updated on a regular basis to ensure its effectiveness in the event of a disaster and its continuing relevance to the Business. There must also be a named individual in place who is responsible for the day to day management of Business Continuity.

API Encryption Requirement

If the Client is provided with access to a TransUnion API service, each party shall ensure that its communication with the API is encrypted to a suitable standard in line with industry best practice.

TransUnion UK - Modern Slavery & Human Trafficking Statement

Download TransUnion's Modern Slavery & Human Trafficking Statement 2021