Equifax Information Notice (EIN)

Version 2 Adopted: May 2020

This Equifax Information Notice (“Notice”) describes how and why Equifax Limited (“Equifax”, “we”, “our” and “us”) holds and processes personal data for each of its business functions in the UK

Equifax is a so-called “controller” of your personal data. This means that we make decisions about how and why we process your personal data and, because of this, we are responsible for making sure our use of your personal data is in accordance with data protection laws

Equifax’s core activity is ‘credit referencing’ and ‘fraud prevention’. Together with the other main credit reference agencies (“CRA”s), TransUnion (formerly Callcredit) and Experian, we have drafted a separate document detailing how each CRA commonly uses and shares personal data we receive about you and/or your business that is part of, derived from or used in credit referencing and fraud prevention activities. We have called this document the ‘Credit Reference Agency Information Notice’ (CRAIN) and you can access it here: www.equifax.co.uk/crain

You (and consumers generally) may be less familiar with other services Equifax provides, which concern the use of your data. For example, we use some of your data for marketing purposes (for example, to enable clients to contact you at an address you are listed at on the open electoral register) and to create profiles about you (for example, the generation of a ‘credit score’ is a type of profiling but we also create other profiles about you or a section of the population). This Notice clarifies these (and other) uses of your data, which you might not be already aware of

We may also make available other information notices in relation to specific products or business functions. These will apply in conjunction with this Notice. For example, our group company TDX Group Limited has its own Privacy Policy in relation to its business functions (including debt management and recovery), a copy of which can be found here: https://www.tdxgroup.com/privacy

CONTENT OF THIS NOTICE:

  1. How can you contact us?
  2. How do we use your personal data?
  3. What types of personal data does Equifax collect and where do we get it?
  4. What is our legal basis for using your personal data?
  5. Who does Equifax share personal data with?
  6. Where is personal data stored and sent?
  7. How long does Equifax retain personal data?
  8. Does Equifax make decisions about you or profile you?
  9. What are your rights in relation to your personal data?
  10. Marketing Services
  11. Who can you complain to if you are unhappy about the use of your personal data?
  12. Where can you find out more?

1. HOW CAN YOU CONTACT US?

We can be contacted by any of the following methods:

Post: Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS

Web Address: https://www.equifax.co.uk/Contact-us/Contact_Us_Personal_Solutions.html

Secure email via: www.equifax.co.uk/ask

Phone: 0333 321 4043 or 0800 014 2955

Additionally, Equifax Ltd has a dedicated Data Protection Officer who can be contacted as follows:

Post: Equifax Ltd, Data Protection Officer, PO Box 10036, Leicester, LE3 4FS

Email: UKDPO@equifax.com

2. HOW DO WE USE YOUR PERSONAL DATA?

As one of the UK’s biggest credit reference agencies, we are regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct business as a credit reference agency and a credit broker

In order to provide our services, we hold detailed consumer and business data in the UK, which enables us to provide insights into the behaviours and drivers behind the economy, helping our clients drive their businesses forward and consumers and businesses access the products and services they can reasonably afford

We appreciate that the role of a credit reference and fraud prevention agency (such as Equifax) is very complex, relying on a number of different uses of your data

To help you understand how and why we use your data, we have summarised our primary uses of your personal data immediately below

We have also produced an example ‘data journey’, which illustrates how your data would typically flow from you to Equifax, and with whom we may share it. You can access this ‘data journey’ here: www.equifax.co.uk/ein-datajourney.html

If you would like more information about what categories of personal data we use, where we obtain your data and more specifically how we process that data (and on what lawful basis), please see the further sections of this Notice or contact us using the contact details above

Summary of personal data use:

(a) CREDIT REFERENCE AGENCY PROCESSING

As a credit reference agency, we receive personal data about you that is part of, derived from or used in credit activity.

As a basic example:

Equifax might receive information such as your name, address and date of birth when you apply for a loan or credit card

We will match this to data we already hold and return information relevant to your financial standing

The lender will use the information we provide to decide whether or not you can be accepted for the loan or credit card

Should you be accepted, Equifax may then receive information about how you manage your repayments, including if you have missed a payment or if you are subject to any county court judgements

This in turn supplements the information we already hold and creates a more complete view of your financial standing, which can be shared with other lenders.

The information we receive and process in relation to your credit activity is used by Equifax and our clients in ‘credit referencing activities’, which include:

  • Credit reporting and affordability checks (for example, information related to your financial standing guides lenders as to whether to accept your application for a loan or credit card)
  • Verifying data like your identity, your age, where you live, and preventing and detecting criminal activity, fraud and money laundering
  • Tracing your whereabouts to assist in the return of money you are owed or to reclaim debt that you owe
  • Statistical analysis, including profiling of either you as an individual (for example, to generate a ‘credit score’) or a group of people (for example, the general financial standing of a region or city)

Please refer to the above-mentioned CRAIN for more details on these activities: www.equifax.co.uk/crain

(b) FRAUD PREVENTION AGENCY PROCESSING

Equifax is also a Fraud Prevention Agency (“FPA”), which means we collect, maintain and share data on known and suspected fraudulent activity

How data is used by Equifax as a fraud prevention agency:

In order to flag, prevent and monitor fraudulent (or suspected fraudulent) activity, we may supply the data received from our clients about you, your financial associates and your business (if you have one) to other organisations (please see SECTION 5 - WHO DOES EQUIFAX SHARE PERSONAL DATA WITH for more information). This may be used by these organisations and other FPAs and CRAs to:

  • Prevent crime, fraud and money laundering by, for example:
    • checking details provided on applications for credit and credit related products and services
    • managing credit and credit related accounts or products or services
    • verifying details provided as part of insurance underwriting and the pricing of insurance policies and assessment of insurance risk including insurance claims
    • checking details on applications for jobs or as part of employment
  • Verify your identity if you or your financial associate applies for facilities including all types of insurance and where a claim is made
  • Trace your whereabouts to assist in the return of money you are owed or to reclaim debt that you owe
  • Conduct other checks to prevent or detect fraud, as permitted by law
  • Undertake statistical analysis and system testing

(c) MARKETING SERVICES PROCESSING

Equifax does not sell any ‘credit derived’ personal data for the purposes of direct marketing, without your consent

This means that at no point will we ever sell information about your financial standing, which we have received from clients (including banks), in order to permit clients to send you direct marketing communications, without your consent

Equifax does collect certain publicly available data about you (or related to you), which it shares with clients for the purposes of direct marketing

The relevant information and the services we provide are summarised as follows:

  • Open register supply – The electoral register contains the names and addresses of everyone who is registered to vote in public elections. There are two versions of the electoral register; the full version and the ‘open register’ (‘edited register’ in Northern Ireland). The open register is the version that is available to anyone who wants to buy a copy and includes only the details of those individuals who have not ‘opted-out’ of being on the open register. Further information can be found at the following government website: https://www.gov.uk/electoral-register/opt-out-of-the-open-register

Equifax provides information available from the open register to clients, who are permitted to use this information for direct marketing purposes (for example, to send you postal marketing).

  • Pre-mover information – Equifax collects details of properties that are available for rent or sale and shares this information with clients, who may use it to send marketing materials to you (for example, postal marketing with offers relevant to a new or outgoing resident, such as installation or migration of broadband).

The information Equifax collects and shares only relates to the relevant property and does not include your name and any other information that would directly identify you

As explained elsewhere in this Notice, Equifax anonymises and aggregates some of the information it holds (including ‘credit derived’ data) for statistical analysis purposes

In addition to the above noted marketing activities, we may make available this anonymised data to our clients (for example, analysis of the general financial strength of a town, city or other area) which our clients are permitted to use for general marketing purposes (for example, sending leaflets to all the residents in a particular area). However, our clients are not permitted to use this information to send marketing to you directly as an individual

We have included a dedicated ‘Marketing Services’ section in this Notice to clearly and concisely explain how your data is obtained and used for marketing activities, including those summarised above (please see SECTION 10 - MARKETING SERVICES for further details)

Please note that SECTIONS 3 to 9 below do not specifically include or refer to the Marketing Services provided by Equifax as all the relevant information is included in SECTION 10 (MARKETING SERVICES).

(d) CONSUMER SERVICES

We will use your personal data when providing our services to you directly, including:

  • Credit Score and Report – using the data held on our database, we calculate your credit score and can provide a report explaining what factors have impacted that score.
  • WebDefend – using the details you provide to us (email addresses, telephone numbers, credit/debit card details, bank account numbers, driving licence number or National Insurance numbers), we identify and monitor potential instances of fraud by cross checking your data to that shown on websites used by fraudsters to trade personal data.

These services can be obtained through our website www.equifax.co.uk (the “Website”)

In obtaining these services, we will collect details such as your name, address, date of birth, contact details (including email and telephone number) and bank details. If you have applied through our Website, we may also collect a username and password (or other relevant log-in details)

Processing of your personal data collected either via the Website or through provision of our direct to consumer services (summarised above) is explained in a separate privacy policy available on the Website at: https://www.equifax.co.uk/About-us/Privacy_policy.html

Please ensure that you review the Website privacy policy in addition to this Notice

(e) GENERAL INFORMATION SERVICES PROCESSING

In order to provide our services to clients and individuals, we need to undertake certain general background operational processing of your personal data, as follows:

  • Data loading - data supplied to Equifax is checked for integrity, validity, consistency, quality and age to ensure it is fit for purpose. These checks pick up things like irregular dates of birth, names, addresses, account start dates, and gaps in payment status history.
  • Data matching - data supplied to Equifax is matched to the data held on our existing databases to help make sure it is assigned to the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. Where permitted, Equifax use the personal data individuals have provided to its clients, together with data from other sources, to create and confirm identities, which are used to underpin the services Equifax provide.
  • Data linking - as Equifax compiles data into its databases, we create links between different pieces of data. For example, people who appear financially associated with each other may be linked together, and addresses where someone has previously lived can be linked to each other and to that person’s current address.
  • Systems and product development/testing - data may be used to help support the development and testing of new products and technologies.
  • Legal compliance and general record keeping – we will process data where required by law (for example, in order to comply with our requirements as a FCA regulated business) and may retain data where necessary for record keeping, tax compliance and to defend against claims.

3. WHAT TYPES OF PERSONAL DATA DOES EQUIFAX COLLECT AND WHERE DO WE GET IT?

To enable us to operate as a credit reference and fraud prevention agency, it is necessary for us to collect and store numerous types of data about you

We typically do not have a direct relationship with you (except where you receive products or services from us (or otherwise communicate with us) directly), so we obtain this data from numerous sources, including directly from publicly available materials (for example, the electoral roll and published county court judgements) or from our clients (for example, where a lender provides information about you so that we can conduct a credit check)

Equifax typically acts as a controller in relation to all the data it receives from such clients, including where provision of this information is for us to locate a match to records we already hold in our database and which is then supplemented with additional information (for example, addresses linked to you, your relevant credit data or other attributes relevant to you)

All the credit reference agencies rely on similar types of data in order to provide their core credit, anti-money laundering, identification and fraud services. Details of the types, description and source of information common to all three main credit reference agencies (including Equifax) can be found in the CRAIN: www.equifax.co.uk/crain

We have also set out the key categories of data that we collect about you and where we obtain this information, in the below table:

| CATEGORY OF DATA | TYPE OF PERSONAL DATA | WHERE COLLECTED* |
|---|---|---|
| Identifiers | Full Name | Local authorities / Lenders / Clients / Directly (e.g. for consumer services customers) |
| | Residential Address | Local authorities / Lenders / Banks / Royal Mail / Registry Trust |
| | Time at address | Local authorities / determined internally |
| | Date of Birth | Lenders / Banks / Insolvency services / Registry Trust and others |
| | Telephone Number | BT / Directly (e.g. for consumer services customers) |
| | Email Address | Directly (e.g. for consumer services customers) |
| | Alias | Generated by Equifax by cross referencing other data sets related to you |
| Financial Accounts and Repayment Data | Credit agreements (including balance, payment history and term) | Lenders and other clients |
| | Closed / settled accounts | Lenders / Clients |
| | Instances of default | Lenders / Clients |
| | Current account turnover data (“CATO”) | Banks party to the CATO scheme |
| Court Judgments, Decrees and Orders | County court judgements | Registry Trust / England & Wales Register |
| | Bankruptcies | Insolvency services / London Gazette and Belfast Gazette |
| | Individual Voluntary Arrangements (“IVAs”) | Insolvency services |
| | Debt relief orders | Insolvency services |
| Searches (these are searches that lenders and clients may make in relation to you, when you apply for services, for example) | Credit searches | Clients or customers of reseller clients that conduct a search |
| | Debt collection searches | Clients or customers of reseller clients that conduct a search |
| | ID checks | Clients or customers of reseller clients that conduct a search |
| Derived or Created Data | Credit score | Generated by Equifax |
| | Linked addresses | Generated by Equifax by cross referencing data sets which relate to you |
| | Linked companies (where a director or owner) | Companies House / Generated by Equifax by cross referencing data sets, which relate to you |
| | Attributes and characteristics | Generated by Equifax – please see SECTION 8 |
| Other Data | Instances of actual or potential fraud | CIFAS |
| | Whether politically exposed | HM Treasury |
| | Sanctions | Dow Jones |

*Please note that the majority of data is derived from multiple sources. We have therefore listed key examples

In addition to the above categories, we also process the following data relating to residential addresses:

  • whether it is available for sale or rent (we call this “Pre-Mover Data”), which we make available to clients so that they can (for example) ensure the occupier of the property is updated on how to migrate or obtain products and services (such as broadband); and
  • postcode level data (“PLD”), such as the value of the property, its council tax band and the general affluence of the area. This is information relating to a particular geographic area (and is therefore not always ‘personal data’ because it doesn’t relate to an identifiable individual). Please be aware that some of our clients may link PLD with you based on the area in which you live. This combined data is likely to be considered your personal data, which is processed by our clients.

4. WHAT IS OUR LEGAL BASIS FOR USING YOUR PERSONAL DATA?

We are required by data protection law to always have what is referred to as a “lawful basis” (i.e. a reason or justification) for processing your personal data. The below sets out the relevant lawful basis we rely on for that processing

Please note that where we have indicated that our use of your personal data is either necessary for us to comply with a legal obligation or necessary for us to take steps, at your request, to potentially enter into a contract with you (or to perform our obligations in an existing contract), we may not be able to enter into or continue our contract or engagement with you, if you elect not to provide the relevant personal data

Legitimate interests

The UK’s data protection law allows the use of personal data where the processing is necessary for a legitimate interest pursued by us or a third party and this interest is not outweighed by the interests, fundamental rights or freedoms of data subjects

This is commonly referred to as the ‘Legitimate Interests’ condition for personal data processing

Where Equifax processes your personal data in our function as a Credit Reference Agency or Fraud Prevention Agency (as detailed above and in the CRAIN), we rely on our Legitimate Interests and those of our clients, which include:

  • Promoting responsible lending and helping to prevent over-indebtedness
  • Helping prevent and detect crime and fraud, supporting anti-money laundering services and verifying identity
  • Supporting tracing and collections
  • Complying with and supporting compliance with legal and regulatory requirements

Please refer to the CRAIN for more details on the above activities: www.equifax.co.uk/crain

Contract

The UK’s data protection law allows the use of personal data where it is necessary for the performance of a contract to which you are a party

We provide some of our services directly to individuals (for example, you may subscribe to receive your Equifax credit report). Where we process your personal data to provide you with these services, our processing will be both because it is in our Legitimate Interests to provide these services to you and also on the basis that such processing is necessary to comply with our contractual obligations to you, as an Equifax customer

Legal Obligation

In addition to the lawful bases set out above, UK data protection law also allows us to process personal data where such processing is necessary for compliance with law

There are many situations where such legal obligations may arise from time to time but those most likely to impact our business (and result in the processing of your personal data) are as follows:

  • Where we are required to hold or share your personal data in compliance with FCA regulations and permissions.
  • Where a crime is suspected (including fraud or money laundering) and we are required to make appropriate notifications or assist with investigations.
  • Where we are required to comply with the instructions of a regulator, court or law enforcement agency.
  • To maintain records required by law or to evidence our compliance with laws.

Consent

UK data protection law permits controllers to process personal data where you have consented to a specific use of it. Except in relation to certain marketing activities (please see SECTION 10), we typically do not rely on consent to lawfully process your personal data

Occasionally, there may be isolated processing activities which we undertake on the basis of your consent, which we will notify you of in the relevant consent form (or similar document)

5. WHO DOES EQUIFAX SHARE PERSONAL DATA WITH?

As a credit reference and fraud prevention agency, our services require that your personal data be shared with certain third parties (for example our clients), who may request information about you in order to assess your suitability for a loan or other products

In many cases, where an organisation uses Equifax services, there will be information accessible, for example from a website or at point of application or service, to explain that the organisation may check your data with a credit reference or fraud prevention agency (for example to undertake identity verification and fraud checking). In some cases, some organisations have the ability to compel CRAs, by law, to disclose certain data for certain purposes

Where we do share your personal data, we operate comprehensive access control processes. For example, before we share data with any other organisation, we check that organisation’s identity, location and, where applicable, confirm any necessary legal registrations

The below sets out the different types of recipient we share your personal data with

Members of the Equifax credit data sharing arrangement

Each organisation that shares financial data with Equifax is also entitled to receive similar kinds of financial data contributed by other organisations. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utilities companies and mobile phone providers

Fraud Prevention Agencies (FPAs)

If Equifax reasonably suspects that fraud has been or might be committed, it may share data with FPAs. These FPAs collect, maintain and share data on known and suspected fraudulent activity. Equifax and some other CRAs also act as FPAs

Equifax shares information with the major fraud prevention agency in the UK, Cifas, who can be contacted here:

www.cifas.org.uk

Resellers/Distributors

Equifax also uses other organisations to help provide its services to clients and may provide personal data to them in connection with that purpose. Details of our current list of such organisations are shown here and will be updated as appropriate from time to time:

| Company Details | Description of Service |
|---|---|
| GB Group plc (‘GBG’), www.gbgplc.com | Detect fraud in relation to the granting of credit to consumers; Assist in the prevention of money laundering; Manage risk through ID verification; Employee screening to assist with the hiring process |
| LexisNexis Risk Solutions, https://risk.lexisnexis.co.uk/ | To help prevent, detect and investigate financial crime and fraud, including identity validation, verification and authentication services; To support tracing, asset reunification, debt collection and general customer data management activities; To comply with various legal and regulatory requirements, such as those required by the FCA or the Prudential Regulation Authority (PRA), and to assist in the prevention of money laundering and counter-terrorist financing; To support insurance providers in the underwriting and pricing of insurance policies and assessment of insurance risk; For consumer credit risk assessment purposes to promote responsible lending; For internal testing and development, modelling, evaluation and research or scoring |
| Iovation Inc, www.iovation.com | Fraud prevention and authentication tool provider |
| Sagacity Solutions Limited, www.sagacitysolutions.co.uk | Data management and consultancy provider |
| Jumio UK Limited, www.jumio.com | Facial biometrics and document validation services |
| BAE Systems Applied Intelligence Limited, www.baesystems.com/en/cybersecurity/home | Threat analytics, managed security services, financial crime, cyber defence and digital transformation services |
| CoCreate Design and Marketing Limited, www.cocreatedesign.com | Web application and development services |
| Synectics Solutions Limited, www.synectics-solutions.com | Detection of potentially fraudulent customer applications for credit, savings, insurance and money transmissions |
| Fair Isaac Services Limited, www.fico.com | Data analytical services |
| Threatmetrix Inc, www.threatmetrix.com | Fraud prevention software |

Other organisations

Some data, where permitted in accordance with industry rules or where it is public information, can be shared with other organisations that have a legitimate use for it - ID verification services, for example

Public bodies, law enforcement and regulators

The police and other law enforcement agencies, as well as public bodies like local and central authorities and Equifax’s regulators, can sometimes request that Equifax supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax or investigating complaints

Equifax Group Companies

Equifax shares personal data with other companies within its group where required for the purposes of administration of products/services, IT back office and software support. Such group companies include: Equifax Inc., Equifax Commercial Services Limited, Equifax Consumer Information Services LLC, Equifax Chile and Equifax Costa Rica (“Equifax Group”)

We also provide services to some group companies (such as TDX Group Limited) to enable those group companies to provide services to their clients

Processors

Equifax uses other trusted organisations to perform tasks on its behalf. The following shows the countries of operation for listed services:


| Service Category | Country(s) of Operation (See section 6. for more information on Equifax overseas processing) |
|---|---|
| IT infrastructure and operations software support | UK & India |
| IT back office business process software support | India |
| IT back office helpdesk service support | India |
| IT service management support | US |
| Customer call centre services | UK & Philippines |
| Customer call centre support services | US |
| Processing administration services | India |
| Telephone support services | UK |
| Printing and mailing house services | UK |
| Merchant payment processor for customer payments | Ireland |
| Cloud services provider | US |
| Identity and fraud prevention service provider | US |
| Marketing communication services | UK |
| Confidential Waste Services | UK |

Many of these services are provided by companies within the Equifax Group:

| Equifax Group Company Details | Country(s) of Operation (See section 6. for more information on Equifax overseas processing) | Description of Service |
|---|---|---|
| Equifax Inc. | US | Administrative support, IT and Security back office software support, software development and cloud disaster recovery |
| Equifax Commercial Services Limited | Ireland | Customer call centre and complaints handling services |
| Equifax Consumer Services LLC | US | Website portal services |
| Servicios Equifax Chile Ltda | Chile | Back office incident and diagnosis support for Interconnect systems |
| Verdad Informatica de Costa Rica S.A. | Costa Rica | Back office incident and diagnosis support for Interconnect systems |

In addition to the above, Equifax has service arrangements in place with auditors, consulting and professional service providers

Individuals

People are entitled to obtain copies of the personal data Equifax holds about them. You can find out how to do this in SECTION 9 below

6. WHERE IS PERSONAL DATA STORED AND SENT?

Equifax is based in the UK, and we keep our main databases here. All information and personal data held by Equifax is stored either on encrypted services at a secure physical location (whether these be our own servers or those of cloud service providers that we use)

Equifax also has internal policies and controls in place to ensure that personal data is kept secure as well as to minimise the risk of any personal data being lost, misused, disclosed or accidentally destroyed

Equifax also has operations elsewhere inside and outside the European Economic Area, and personal data may be accessed by or transferred to Equifax Group companies or service providers in other jurisdictions

Details of the main processors Equifax use and where they operate can be found above in SECTION 5

While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when Equifax does send or allow access to personal data overseas we will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. To do this Equifax:

  • ensures third parties have entered into a contractual duty of confidentiality with Equifax;
  • obliges third parties to implement appropriate technical and organisational measures to ensure the security of personal data;
  • ensures adequate transfer mechanisms are in place, including in many cases by putting in place a contract with the recipient containing mandatory terms approved by the European Commission as providing a suitable level of protection for personal data. These are commonly referred to as Standard Contractual Clauses or ‘EU Model Clauses’.

7. HOW LONG DOES EQUIFAX RETAIN PERSONAL DATA?

Identifiers

Identification data like names and addresses is kept while there’s a continuing need to keep it. This need will be assessed on a regular basis, and data that is no longer needed for any purpose will be disposed of

A list of retention periods for key data sets that we process is available in the CRAIN at: www.equifax.co.uk/crain. In addition, we have summarised some of these below:

Financial accounts and repayment data

Data about live and settled accounts is kept on credit files for six years from the date they’re settled or closed. If the account is recorded as defaulted, the data is kept for at least six years from the date of the default

Court judgments, decrees and administration orders

Generally, court judgments and other decrees and orders are kept on credit files for six years from the date of the judgment, decree or order. But they can be removed if the debt is repaid within one calendar month of the original date or if the judgment is set aside or recalled by the courts

Bankruptcies, IVAs, debt relief orders and similar events

Data about bankruptcies, IVAs and other insolvency-related events and arrangements are usually kept on credit files for six years from the date they begin. This period is extended if they last longer than six years. Some data, such as a bankruptcy restrictions order, can also remain on the credit file for longer than six years

Although the start of these events is automatically reported to Equifax, the end (such as a discharge from bankruptcy or completion of an IVA) might not be. It is for this reason that we advise you to contact us (please see our contact details above) and the other CRAs (as applicable) when this happens, to make sure that credit files are updated accordingly

Search footprints

Equifax keep most search footprints for at least one year from the date of the search, although we keep debt collection searches for up to two years

Derived or created data

Equifax also creates data and generates links and matches between data. For example, Equifax keeps address links and aliases for as long as they’re considered relevant for credit referencing and other valid purposes

Links between people are kept on credit files for as long as we believe those individuals continue to be financially connected. When two people stop being financially connected, either person can contact us and ask for the link to be removed. We will then follow a process to check the people are no longer associated with each other and then update our records accordingly

Other data

Other third party supplied data such as politically exposed persons (PEPs) and sanctions data and mortality data will be stored for a period determined by criteria such as the agreed contractual terms

Archived data

Equifax holds data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence of legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards

8. DOES EQUIFAX MAKE DECISIONS ABOUT YOU OR PROFILE YOU?

It is a common misconception that CRAs use your personal data to ‘decide’ whether or not a lender should provide you with credit or other services. This is not the role of a CRA

Equifax will collect and combine personal data about you to generate a ‘picture’ of you (for example, your financial standing). This is a form of profiling

Where permitted by law, Equifax then share this profile of you with our clients (for example, banks and other lenders) who will then use it to make their own decisions about you

Accordingly, Equifax does not tell its clients if they should offer you credit or services – this is for the client to decide based (at least in part) on the data and analytics that we provide

Please refer to the CRAIN for more details on this: www.equifax.co.uk/crain

Scores and ratings

The primary form of profiling Equifax undertakes is in the production of scores and ratings

When requested, Equifax uses the data we obtain to produce credit, risk, fraud, identity, affordability, screening, collection and/or insolvency scores and credit ratings about you

Please refer to CRAIN for more details on this: www.equifax.co.uk/crain

Other Profiling

Equifax will combine the information it holds about you and others to generate characteristics and attributes linked to (for example) the area in which you live (please see our comments at SECTION 4 in relation to PLD)

Typically, these characteristics and attributes are (once compiled) at an anonymous level i.e. you are not directly identified. However, where we share this data with our clients, they might link it to relevant individuals (for example, an individual living in London might be linked to the data profile we have created in relation to residents of London). Please note that clients are not permitted to link such data for direct marketing purposes (please see SECTION 10 (MARKETING SERVICES) for more information)

9. WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA?

Data protection law provides you with a number of rights in relation to your personal data (which are summarised below and expanded in the sub-sections following). You can exercise these rights by contacting us via the details set out in SECTION 1

Subject to the requirements of applicable laws and certain limitations or exemptions, you have the right to:

  • access your personal data and be provided with certain information in relation to it, such as the purpose for which it is processed;
  • require us to correct any inaccuracies in your personal data without undue delay;
  • require us to erase your personal data (please be aware that the right of erasure under data protection law is not an absolute right as it only applies in relation to one or more specific circumstances);
  • require us to restrict the processing of your personal data;
  • receive the personal data which you have provided to us in a commonly used, machine readable format, where we are processing it on the basis of consent or to comply with a contract with you (please see the above tables) and such processing is automated; and
  • object to a decision that we make which is based solely on automated processing of your personal data.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK data protection regulator. More information can be found on the ICO website at https://ico.org.uk

We have provided further details of the above rights, below

9.1 WHAT CAN I DO IF I WANT TO SEE MY PERSONAL DATA HELD BY EQUIFAX?

Data access right

You have a right to find out what personal data Equifax holds about you and for a copy of this information to be provided to you free of charge

The most relevant information Equifax holds about you is likely to be contained in your own credit report

View Statutory Credit Report On-line

Equifax provides a quick and efficient way to access your credit report for free and on-line within a few minutes where we can positively confirm your on-line identity. Click below to start the process:

https://www.econsumer.equifax.co.uk/consumer/uk/order.ehtml?prod_cd=UKSCR

Request a paper copy of your Statutory Credit Report

You can request a free postal copy of your Statutory Credit Report in two ways - online or via our credit report application form which you can download then post to the following address:

Equifax Ltd
Customer Service Centre
PO Box 10036
Leicester
LE3 4FS

A copy of your Statutory Credit Report will be posted to your home address within one month but is likely to be much quicker than that

Request a copy of other personal data held by Equifax

You can also request a free downloadable copy (available in PDF format) of the other information Equifax holds about you. Click below to start the process:

https://www.subjectaccess.uk.equifax.com/subjectaccess/#/dsar-landing-page

It may take us up to one month to collate and provide you with this information

If you require a copy of your personal data in a format such as braille or audio, please use one of the contact channels detailed in SECTION 1 above, to make your request

9.2 DO I HAVE A ‘PORTABILITY RIGHT’ IN CONNECTION WITH MY EQUIFAX DATA?

Recent data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it is processed on certain grounds, such as consent. This is not a right that will apply to Equifax data where this data is processed on the grounds of legitimate interests. To find out more about legitimate interests please go to SECTION 3 above

9.3 WHAT CAN I DO IF MY PERSONAL DATA IS WRONG?

When Equifax receives personal data, we will check it to try and detect any defects or mistakes. Ultimately, though, we can often only rely on our suppliers to provide accurate data

If you think that any personal data Equifax holds about you is wrong or incomplete, you have the right to challenge it. It’s worth knowing that when acting as a credit reference agency or fraud prevention agency we won’t have the right to change the data without permission from the organisation that supplied it, so we will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy

If the data does turn out to be wrong, we will update our records accordingly. If we still believe the data showing on your credit report is correct after completing our checks, we’ll continue to hold and keep it - although you can ask us to add a note to your credit report indicating that you disagree or providing an explanation of the circumstances

If you’d like to do this, please use one of the contact channels detailed in SECTION 1 above

9.4 CAN I OBJECT TO EQUIFAX’S USE OF MY PERSONAL DATA AND HAVE IT DELETED OR RESTRICTED?

Data protection laws in the UK give you the right to object to your personal data being processed and to request that such processing be restricted or the data deleted. However, please be aware that the rights of objection, restriction and erasure are not ‘absolute rights’, meaning that they will only apply in specific circumstances

This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be restricted or deleted

You can contact Equifax with your objection or request at any time, using the contact details in SECTION 3

Right of Objection:

The right of objection only applies in the following circumstances:

a) Where the processing is based on a legitimate interest or a public interest. However, we are permitted to continue processing your data if there are ‘compelling legitimate grounds’ to continue processing your data (please see the section ‘Overriding Legitimate Grounds’ below)

b) Where personal data is processed for the purposes of direct marketing. This is an absolute right – meaning if you raise an objection to any such processing, we will stop that processing (please be aware that we may retain a record of your objection and certain other details to ensure that your objection to marketing processing continues to be recognised)

Right of Restriction:

The right of restriction only applies in the following circumstances:

a) the accuracy of your data is contested by you for a period enabling us to verify the accuracy;

b) our processing of your personal data is unlawful but you would prefer that the data not be deleted and would instead like us to simply not use it;

c) it is no longer necessary for us to process the personal data but you would like us to retain it (rather than delete it) so that you can use it for the establishment, exercise or defence of a legal claim; or

d) you have objected to the processing (see above) and are pending verification of any overriding legitimate grounds we may have to continue processing the data (see below)

Right of Erasure:

A right of erasure only applies in relation to one or more of the following circumstances (as applicable):

a) The personal data is no longer necessary for the purpose we collected it for

b) The processing of your personal data was on the basis of your consent, which has now been revoked and there is no other lawful basis for processing your personal data

c) Your personal data is processed for the purposes of conducting direct marketing and you have now objected to such marketing (however, we may still need to retain some of your data in order to ensure that you are not sent marketing)

d) We are unlawfully processing your personal data or applicable UK law requires us to erase the personal data to comply with a legal obligation

e) The processing of your personal data is on the basis of a legitimate interest pursued by us or a third party (or is in the public interest), you have objected to such processing and there are no overriding legitimate grounds to continue processing the personal data

As explained earlier in this Notice, the majority of our processing of your personal data is on the basis of legitimate interest. Therefore, condition (e) above, is the one most likely to apply and we can continue processing your data if an overriding legitimate ground exists (please see below)

Overriding Legitimate Grounds

Please be aware that it is very likely that an overriding legitimate ground to continue processing your data will continue to exist (despite your objection or request for erasure). This is because of the importance of the credit referencing industry to the UK’s financial system, which helps the industry assess instances of fraud and prevent over indebtedness, fraud and money laundering

As a result, in many cases it won’t be appropriate for Equifax to restrict or to stop processing or delete your personal data. For example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise wouldn’t be eligible for

10. MARKETING SERVICES

10.1 HOW DO WE USE YOUR DATA FOR DIRECT MARKETING PURPOSES?

As summarised above, Equifax does not sell any ‘credit derived’ personal data for the purposes of direct marketing, without your consent

This means that, unless we have your explicit consent, we will not sell the personal data we receive about you from lenders (and other clients) when you make applications for credit (for example your current address or details of your financial standing) in order to enable clients to send you direct marketing communications

Equifax does collect certain publicly available data about you (or related to you), which it shares with clients for the purposes of direct marketing

Equifax might also have a direct relationship with you (for example, because you subscribe to receive your monthly credit report) and we provide our own marketing to you because you have consented to receive it

The relevant information and marketing services we provide are explained in this section

Open register supply

The electoral register contains the names and addresses of everyone who is registered to vote in public elections. There are two versions of the electoral register; the full version and the ‘open register’ (‘edited register’ in Northern Ireland). The open register is the version that is available to anyone who wants to buy a copy and includes only the details of those individuals who have not ‘opted-out’ of being on the open register. Further information can be found at the following government website: https://www.gov.uk/electoral-register/opt-out-of-the-open-register

Equifax receives a copy of the open register on a rolling basis and will make the information it contains available to our clients on a similar rolling basis

Our clients are permitted to use this information for direct marketing purposes (for example, to send you postal marketing)

When you registered with the Electoral Roll (e.g. to vote), you will have been given the option to opt-out of having your details placed on the open register. If you did not opt out, your data can be used for direct marketing purposes on the lawful basis of legitimate interest

You can ‘opt-out’ from appearing on the open register at any time by contacting your local Electoral Registration Office. Please be aware however, that while choosing to be removed from the open register will prevent companies having access to those details in the future, companies may continue to send you marketing communications using information they have previously obtained

In any case, you have the right to ‘opt-out’ from receiving these communications by notifying the relevant sender

Please see also SECTION 9 - WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA.

Pre-mover information

When a property is listed for sale or rent, that information is typically made publicly available (for example, via listings at estate agents)

Through its supplier (TwentyCI Limited – please see the details below), Equifax receives details of such properties, including the address and whether it is for sale or rent (“Pre Mover Data”)

The Pre Mover Data does not include any information that identifies the current resident, landlord, seller or any other data subject

We provide the Pre Mover Data to clients who may (where permitted by law) use it to send marketing materials to you (for example, postal marketing with offers relevant to a new or outgoing resident, such as installation or migration of broadband)

You can opt-out from receiving any marketing communications at any time by notifying the relevant sender

Please see also SECTION 9 - WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA

Pre Mover Data supplier:
TwentyCi Limited
8 Whittle Court
Milton Keynes
Buckinghamshire
MK5 8FT
Email: enquiries@twentyci.co.uk
Tel: 01908 829300

Aggregated and anonymous data

Equifax anonymises and aggregates some of the information it holds (including information in relation to your financial standing) to generate analysis of an area or section of the population

In SECTION 4 (above) we explain that such anonymous analysis is used to create postcode level data (PLD), which provides a likely profile of those resident in a particular area (for example, London)

In addition to the above noted marketing activities, we make available PLD (and potentially other anonymised data analysis) to our clients

While we do permit our clients to use this data for general marketing purposes, we do not permit clients to combine this data with information they already hold about you in order to send direct marketing to you.

What is ‘general’ and ‘direct’ marketing and what do we permit?

General marketing is (for example) where an organisation is sending mailshots to every address in an area and does not know or use the identity of the people at those addresses

Where our clients use PLD to identify areas that might be most receptive to their products (for example, fibre broadband), any generic leaflets they send within that area will likely constitute general marketing

Direct marketing is where you are targeted as an individual

For example, we might supply a client with PLD which provides a general profile of the financial status of individuals who live in a borough of London, including their likelihood to purchase fibre broadband

The client would be permitted to send generic marketing to all of the households in that London borough, in relation to its roll out of new fibre broadband

The client would not be permitted to take any name and address data it already holds about you and link it with the PLD (because you live in the relevant borough, for example) so that it can specifically target you with marketing about its new fibre broadband.

10.2 ON WHAT LAWFUL BASIS DOES EQUIFAX COLLECT AND PROCESS PERSONAL DATA FOR DIRECT MARKETING PURPOSES?

Except where we are sending direct marketing to you directly because you have opted-in to receive it (in which case, our lawful basis for processing your data is consent), all of our processing for the direct marketing purposes described above, is on the lawful basis of it being in the legitimate interests of us and our clients

10.3 WHO DO WE SHARE MARKETING SERVICES DATA WITH?

We supply Marketing Services data to our clients and resellers

Marketing Services Clients

Equifax has fewer than ten (10) clients, with whom it shares marketing data, including the distributors/resellers listed below

However the number and type of clients that we have will vary from time to time and these clients can operate in a variety of sectors, which include the following:

| Primary Sector | Sub Sectors |
| --- | --- |
| Charity | Ages, Animals, Armed and Ex Services, Arts, Children and Youth, Community, Culture and Heritage, Disability, Environmental, Education and Training, Employment Trades and Professions, Family, Homeless, Hospices, Human Rights, International, Medical Welfare, Mental Health, Overseas Aid, Religious, Rescue Services, Social Welfare, Sports Recreation and Visual Impairments |
| Finance | Pensions, Loans, Credit cards, Mortgages, Automotive (including dealerships and accessories), Investments and Savings, Insurance Home, Car, Travel, Pet, Personal and Other Insurance |
| FMCG | Supermarkets, Pharmacies, Consumables |
| Home and Family | Building Works, Buying, Changing Career, Children, Computers, Conservatories, DIY, Education, Employment, Electricity Services, Extensions, Finding New Employment, Floorings, Furniture, Further Education, Garages, Gas Services, Health Issues, Home Appliances, Learning, Letting, LPG Services, Oil Services, Other Household Utilities, Returning to Work, Self-Employment, Selling, Smoking, Stables, Starting Work, Telephones and TV |
| Legal | Accident Claims Management, Claims Management Companies, Debt Collection, Debt Consolidation, Legal Liability Claims, Legal Protection Claims, Legal Services, Packaged Bank Account Reclaim, Personal Accident Claims, Personal Injury Claims, Personal Liability Claims, PPI Companies and Claims, Voluntary Arrangements, Will Writing and Wills |
| Lifestyle | Health & Well-being, Fitness, Charities, Media and Publishing, Leisure, Gaming, Legal Services, Education and Photography |
| Marketing Services Providers | Marketing Services Providers and Data Brokers |
| Media | Magazine offers, Cinema, Competitions, Magazine Readership, Publishing, Newspaper Readership and Subscriptions, Offers, Theatre, Specialist Magazines, Surveys, Web Promotions, TV and Film |
| Motoring | Bicycles, Boats (powered and sail), Caravans, Gliding, Helicopter, Mobile Homes, Motorbikes, Motor Vehicles, Motorcycling, Motorhomes and Planes |
| Retail | Online retail, General Stores, Automotive, Property, Home Furnishings, Home Improvements, Fashion and Clothing, Telecoms and Utilities |
| Travel | Holidays, Hotels, Travel Booking and Airlines |

Resellers/Distributors:

In addition to the clients noted above, we also supply Marketing Services data to the following resellers/distributors:


| Company Details | Description of Service |
| --- | --- |
| Acxiom Limited, https://www.acxiom.co.uk/about-acxiom/privacy/uk-privacy-policy/ | Open register data |
| CACI Limited, https://www.caci.co.uk/content/consumer-information | Open register data |
| Liveramp UK Limited, https://liveramp.uk/privacy/ | Open register data |
| OMNIS Data Limited, https://omnisdata.co.uk/privacy-cookies/ | Open register data |

10.3 DOES EQUIFAX USE MY DATA FOR ITS OWN MARKETING?

Yes, where we have your consent or it is otherwise lawful for us to do so. As noted above, we may have a direct relationship with you where you have enquired about or purchased our products and services (for example, if you obtain your credit report)

When we obtained your personal data in relation to such products/services, you may have given your consent to us sending you direct marketing – or you may have been presented with an option to opt out from receiving direct marketing (where we are able to send marketing without your consent)

These marketing activities are distinct from those described above and only relate to our products and services. As explained below, should you no longer wish to receive any marketing communications from us, you can opt-out or unsubscribe at any time

Our use of your personal data for our own direct marketing purposes is explained in our Website privacy policy, available at https://www.equifax.co.uk/privacy/en_gb/

10.4 HOW LONG WILL WE RETAIN MARKETING SERVICES DATA?

Equifax’s retention of marketing services data will be based on the data sets that make up the relevant services – and in any case, will not be retained for longer than is necessary

For example, in relation to open register marketing services, your data will only be held for so long as we hold the open register data (see SECTION 5 - HOW LONG DOES EQUIFAX RETAIN PERSONAL DATA)

10.5 WHAT ARE MY RIGHTS IN RELATION TO MARKETING SERVICES DATA?

Your rights in relation to the personal data we use for Marketing Services are the same as those set out in SECTION 9, above

In addition to these rights, you have an absolute right to object to direct marketing and (if our processing is based on consent) to withdraw your consent

WITHDRAWING YOUR CONSENT

You may withdraw your consent for your personal data to be used for further marketing activity at any time

You can notify us directly using the contact information provided in SECTION 1

When you do contact Equifax to withdraw your consent (or where we otherwise stop processing your data following an objection – see below), we will add your data to our marketing suppression files. These files are applied to the Equifax marketing contact data in order to remove records about individuals who do not wish to have marketing contact. They may also be shared with some clients in order to ensure they suppress your data from their files. This process does require that Equifax processes your marketing contact data in order to include it in its suppression files

OBJECTION TO MARKETING SERVICES PROCESSING

You have the right at any time to object to Equifax processing your personal data for the purposes of us (or our clients) sending direct marketing to you

Following any such objection, we will cease processing your personal data for direct marketing purposes but may need to retain some of your personal data in order to (i) ensure that it continues to be suppressed from such direct marketing use; and/or (ii) continue our use of the data for any other purposes for which we have a lawful basis to do so, as set out in this Notice

11. WHO CAN YOU COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA?

Equifax works hard to give you the best possible service. We try to make it as easy as possible for you to share your concerns with us, and we want you to be happy with how we handle them

If you have a complaint, please contact our Complaints Team. Full contact details and the Equifax complaints procedure can be found by clicking here

If you’re unhappy with how Equifax has investigated your complaint, you have the right to refer it to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like Equifax. You can contact them by:

You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:

  • Phone on 0303 123 1113
  • Email at casework@ico.org.uk (you need to add a subject line of 'Report a Concern')
  • Writing to them at First Contact Team, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  • Going to their website at www.ico.org.uk

12. WHERE CAN YOU FIND OUT MORE?

The Information Commissioner’s Office publishes advice and information for consumers in its Credit Explained leaflet, available at https://ico.org.uk/media/for-the-public/documents/1282/credit-explained-dp-guidance.pdf.