EQUIFAX INFORMATION NOTICE

(EIN)

Version: 1.9 Adopted: 13 August 2019

This Equifax Information Notice (“Notice”) describes how and why Equifax Limited (“Equifax”, “we”, “our” and “us”) hold and process personal data for each of its business functions in the UK.

Equifax is a so-called “controller” of your personal data. This means that we make decisions about how and why we process your personal data and, because of this, we are responsible for making sure our use of your personal data is in accordance with data protection laws.

Equifax’s core activity is credit referencing and, together with the other main credit reference agencies (“CRA”s), TransUnion (formerly Callcredit) and Experian, we have drafted a separate document detailing how each CRA commonly uses and shares personal data we receive about you and/or your business that is part of, derived from or used in credit activity. We have called this document the ‘Credit Reference Agency Information Notice’ (CRAIN) and you can access it here: www.equifax.co.uk/crain

We may also make available other information notices in relation to specific products or business functions. These will apply in conjunction with this Notice. For example, our group company TDX Group Limited has its own Privacy Policy in relation to its business functions (including debt management and recovery), a copy of which can be found here: https://www.tdxgroup.com/privacy

CONTENT OF THIS NOTICE:

1.       How can you contact us?

2.       How do we use your personal data?

3.       What types of personal data does Equifax collect and where do we get it?

4.       What is our legal basis for using your personal data?

5.       Who does Equifax share personal data with?

6.       Where is personal data stored and sent?

7.       How long does Equifax retain personal data?

8.       Does Equifax make decisions about you or profile you?

9.       What are your rights in relation to your personal data?

10.   Marketing Services

11.   Who can you complain to if you are unhappy about the use of your personal data?

12.   Where can you find out more?

1.       HOW CAN YOU CONTACT US?

We can be contacted by any of the following methods:

Post:      Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS.

Web Address:  https://www.equifax.co.uk/Contact-us/Contact_Us_Personal_Solutions.html

Secure email via: www.equifax.co.uk/ask

Phone: 0333 321 4043 or 0800 014 2955

Additionally, Equifax Ltd has a dedicated Data Protection Officer who can be contacted as follows:

Post:      Equifax Ltd, Data Protection Officer, PO Box 10036, Leicester, LE3 4FS.

Email:   UKDPO@equifax.com

2.       HOW DO WE USE YOUR PERSONAL DATA?

As one of the UK’s biggest credit reference agencies, we are regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct business as a credit reference agency and a credit broker.

In order to provide our services, we hold detailed consumer and business data in the UK, which enables us to provide insights into the behaviours and drivers behind the economy, helping our clients drive their businesses forward and consumers and businesses access the products and services they can reasonably afford.

We have summarised our primary uses of your personal data immediately below. If you would like more information about what categories of personal data we use, where we obtain your data and more specifically how we process that data (and on what lawful basis), please see the further sections of this Notice.

Summary of personal data use:

(a) CREDIT REFERENCE AGENCY PROCESSING

As a credit reference agency, we receive personal data about you that is part of, derived from or used in credit activity.  Credit referencing activities include:

  • Credit reporting and affordability checks
  • Verifying data like identity, age and residence, and preventing and detecting criminal activity, fraud and money laundering
  • Tracing and debt recovery
  • Screening
  • Statistical analysis, analytics and profiling

Please refer to the above mentioned CRAIN for more details on these activities:  www.equifax.co.uk/crain

(b) FRAUD PREVENTION AGENCY PROCESSING

As a Fraud Prevention Agency (“FPA”), we collect, maintain and share data on known and suspected fraudulent activity.

How data is used by fraud prevention agencies:

In order to flag, prevent and monitor fraudulent (or suspected fraudulent) activity, we may supply the data received from our clients about you, your financial associates and your business (if you have one) to other organisations (please see SECTION 5 - WHO DOES EQUIFAX SHARE PERSONAL DATA WITH for more information). This may be used by these organisations and other FPAs and CRAs to:

  • Prevent crime, fraud and money laundering by, for example;
    • checking details provided on applications for credit and credit related products and services
    • managing credit and credit related accounts or products or services
    • verifying details provided as part of insurance underwriting and the pricing of insurance policies and assessment of insurance risk including insurance claims
    • checking details on applications for jobs or as part of employment
  • Verify your identity if you or your financial associate applies for facilities including all types of insurance and where a claim is made
  • Trace your whereabouts to aid asset reunification, customer management or to recover debts that you owe
  • Conduct other checks to prevent or detect fraud
  • Undertake statistical analysis and system testing
  • Your personal data may also be used for other purposes where you’ve given consent or where required or permitted by law

(c) MARKETING SERVICES PROCESSING

We also use some of your personal data in products and services that improve our clients’ consumer marketing activities, whether that is via postal mail or digital marketing.

For example, these services include:

  • Prospecting – we will collect contact details and (where lawful) provide marketing lists to our clients in order for them to contact potential new customers.
  • Refining and profiling – using data we hold about individuals and their place of residence, we will filter new or existing client marketing lists to enable our clients to better target a particular type of consumer (for example, our data might indicate which individuals or residential addresses are more likely to purchase a client’s products and services).
  • Pre-Screening – using data we hold about individuals (for example, any related county court judgements (“CCJs”) and their place of residence, we will remove contact details from marketing lists where our client’s products and services would not be appropriate for the intended recipient.
  • Updating and accuracy – we use our information to help clients ensure they hold accurate data on their customers and prospects, for example to confirm your residency at an address.

We have included a dedicated ‘Marketing Services’ section in this Notice to clearly and concisely explain how your data is obtained and used for marketing activities, including those summarised above (please see SECTION 10 - MARKETING SERVICES for further details).

Please note that SECTIONS 3 to 9 below do not specifically include or refer to the Marketing Services provided by Equifax as all the relevant information is included in SECTION 10 (MARKETING SERVICES).

(d) Global Consumer Services (GCS)

We will use your personal data when providing our services to you directly, including:

  • Credit Score and Report – using the data held on our database, we calculate your credit score and can provide a report explaining what factors have impacted that score.
  • WebDefend – using the details you provide to us (email addresses, telephone numbers, credit/debit card details, bank account numbers, driving licence number or National Insurance numbers), we identify and monitor potential instances of fraud by cross checking your data to that shown on websites used by fraudsters to trade personal data.

These services can be obtained through our website www.equifax.co.uk (the “Website”) and may be accompanied with a specific privacy policy setting out the relevant personal data processing (which we would encourage you to read). In obtaining these services, we will collect details such as your name, address, date of birth, contact details (including email and telephone number) and bank details. If you have applied through our Website, we may also collect a username and password (or other relevant log-in details).

(e) GENERAL INFORMATION SERVICES PROCESSING

In order to provide our services to clients and individuals, we need to undertake certain general background operational processing of your personal data, as follows:

  • Data loading - data supplied to Equifax is checked for integrity, validity, consistency, quality and age to ensure it is fit for purpose. These checks pick up things like irregular dates of birth, names, addresses, account start dates, and gaps in payment status history.
  • Data matching - data supplied to Equifax is matched to the data held on our existing databases to help make sure it is assigned to the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. Where permitted, Equifax use the personal data individuals have provided to its clients, together with data from other sources, to create and confirm identities, which are used to underpin the services Equifax provide.
  • Data linking - as Equifax compiles data into its databases, we create links between different pieces of data. For example, people who appear financially associated with each other may be linked together, and addresses where someone has previously lived can be linked to each other and to that person’s current address.
  • Systems and product development/testing - data may be used to help support the development and testing of new products and technologies.
  • Legal compliance and general record keeping – we will process data where required by law (for example, in order to comply with our requirements as a FCA regulated business) and may retain data where necessary for record keeping, tax compliance and to defend against claims.

3.       WHAT TYPES OF PERSONAL DATA DOES EQUIFAX COLLECT AND WHERE DO WE GET IT?

To enable us to operate as a credit reference and fraud prevention agency, it is necessary for us to collect and store numerous types of data about you.

We typically do not have a direct relationship with you (except where you receive products or services from us (or otherwise communicate with us) directly), so we obtain this data from numerous sources, including directly from publically available materials (for example, the electoral roll and published county court judgements) or from our clients (for example, where a lender provides information about you so that we can conduct a credit check).

Equifax typically acts as a controller in relation to all the data it receives from such clients, including where provision of this information is for us to locate a match to records we already hold in our database and which is then supplemented with additional information (for example, linked addresses, relevant credit data or other attributes).

All the credit reference agencies rely on similar types of data in order to provide their core credit, anti-money laundering, identification and fraud services. Details of the types, description and source of information common to all three main credit reference agencies (including Equifax) can be found in the CRAIN: www.equifax.co.uk/crain  

We have also set out the key categories of data that we collect about you and where we obtain this information, in the below table:

CATEGORY OF DATA

TYPE OF PERSONAL DATA

WHERE COLLECTED*

Identifiers

Full Name

Local authorities / Lenders / Clients / Directly (e.g. for GCS customers)

Residential Address

Local authorities / Lenders / Banks / Royal Mail / Registry Trust

Time at address

Local authorities / determined internally

Date of Birth

Lenders / Banks / Insolvency services / Registry Trust and others

Telephone Number

BT / Directly (e.g. for GCS customers)

Email Address

Directly (e.g. for GCS customers)

Alias

Generated by Equifax by cross referencing other data sets related to you

Financial Accounts and Repayment Data

Credit agreements (including balance, payment history and term)

Lenders and other clients

Closed / settled accounts

Lenders / Clients

Instances of default

Lenders / Clients

Current account turnover data (“CATO”)

Banks party to the CATO scheme

Court Judgments, Decrees and Orders

County court judgements

Registry Trust / England & Wales Register

Bankruptcies

Insolvency services / London Gazette and Belfast Gazette

Individual Voluntary Arrangements (IVAs)

Insolvency services

Debt relief orders

Insolvency services

Searches

Credit searches

Clients or customers of reseller clients that conduct a search

Debt collection searches

Clients or customers of reseller clients that conduct a search

ID checks

Clients or customers of reseller clients that conduct a search

Derived or Created Data

Credit score

Generated by Equifax

Linked addresses

Generated by Equifax by cross referencing data sets which relate to you

Linked companies (where a director or owner)

Companies House / Generated by Equifax by cross referencing data sets, which relate to you

Attributes and characteristics

Generated by Equifax – please see SECTION 8

Other Data

Instances of actual or potential fraud

CIFAS

Whether politically exposed

HM Treasury

Sanctions

Dow Jones

*Please note that the majority of data is derived from multiple sources. We have therefore listed key examples.

In addition to the above categories, we also process the following data relating to residential addresses:

  • whether it is available for sale or rent (we call this “Pre-Mover Data”), which we make available to clients so that they can (for example) ensure the occupier of the property is updated on how to migrate or obtain products and services (such as broadband); and
  • postcode level data (“PLD”), such as the value of the property, its council tax band the general affluence of the area. This is information relating to a particular geographic area (and is therefore not always ‘personal data’ because it doesn’t relate to an identifiable individual). Please be aware that some of our clients may link PLD with you based on the area in which you live. This combined data is likely to be considered your personal data, which is processed by our clients.

4.       WHAT IS OUR LEGAL BASIS FOR USING YOUR PERSONAL DATA?

We are required by data protection law to always have what is referred to as a “lawful basis” (i.e. a reason or justification) for processing your personal data.  The below sets out the relevant lawful basis we rely on for that processing.

Please note that where we have indicated that our use of your personal data is either necessary for us to comply with a legal obligation or necessary for us to take steps, at your request, to potentially enter into a contract with you (or to perform our obligations in an existing contract), we may not be able to enter into or continue our contract or engagement with you, if you elect not to provide the relevant personal data.

Legitimate interests

The UK’s data protection law allows the use of personal data where the processing is necessary for a legitimate interest pursued by us or a third party and this interest is not outweighed by the interests, fundamental rights or freedoms of data subjects.

This is commonly referred to as the ‘Legitimate Interests’ condition for personal data processing.

Where Equifax processes your personal data in our function as a Credit Reference Agency or Fraud Prevention Agency (as detailed above and in the CRAIN), we rely on our Legitimate Interests and those of our clients, which include:

  • Promoting responsible lending and helping to prevent over-indebtedness
  • Helping prevent and detect crime and fraud, supporting anti-money laundering services and verifying identity
  • Supporting tracing and collections
  • Complying with and supporting compliance with legal and regulatory requirements

Please refer to the CRAIN for more details on the above activities:  www.equifax.co.uk/crain

Contract

The UK’s data protection law allows the use of personal data where it is necessary for the performance of a contract to which you are a party.

We provide some of our services directly to individuals (for example, you may subscribe to receive your Equifax credit report). Where we process your personal data to provide you with these services, our processing will be both because it is in our Legitimate Interests to provide these services to you and also on the basis that such processing is necessary to comply with our contractual obligations to you, as an Equifax customer.

Legal Obligation

In addition to the lawful bases set out above, UK data protection law also allows us to process personal data where such processing is necessary for compliance with law.

There are many situations where such legal obligations may arise from time to time but those most likely to impact our business (and result in the processing of your personal data) are as follows:

  • Where we are required to hold or share your personal data in compliance with FCA regulations and permissions;
  • Where a crime is suspected (including fraud or money laundering) and we are required to make appropriate notifications or assist with investigations.
  • Where we are required to comply with the instructions of a regulator, court or law enforcement agency.
  • To maintain records required by law or to evidence our compliance with laws.

Consent

UK data protection law permits controllers to process personal data where you have consented to a specific use of it. Except in relation to certain marketing activities (please see SECTION 10), we typically do not rely on consent to lawfully process your personal data.

Occasionally, there may be isolated processing activities which we undertake on the basis of your consent, which we will notify you of in the relevant consent form (or similar document). For example, where we receive and/or disclose your personal data as part of an open banking arrangement (this might be where you permit your bank to disclose access to your account information, in order to assist in another lender assessing your suitability for a product such as a mortgage), our use of your personal data for those purposes is likely to be on the basis of consent.

5.       WHO DOES EQUIFAX SHARE PERSONAL DATA WITH?

As a credit reference and fraud prevention agency, our services require that your personal data be shared with certain third parties (for example our clients), who may request information about you in order to assess your suitability for a loan or other product.

In many cases, where an organisation uses Equifax services, there will be information accessible, for example from a website or at point of application or service, to explain that the organisation may check your data with a credit reference or fraud prevention agency (for example to undertake identity verification and fraud checking). In some cases, some organisations have the ability to compel CRAs, by law, to disclose certain data for certain purposes.

Where we do share your personal data, we operate comprehensive access control processes.  For example, before we share data with any another organisation, we check that organisation’s identity, location and, where applicable, confirm any necessary legal registrations.

The below sets out the different types of recipient we share your personal data with.

Members of the Equifax credit data sharing arrangement

Each organisation that shares financial data with Equifax is also entitled to receive similar kinds of financial data contributed by other organisations. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utilities companies and mobile phone providers.

Fraud Prevention Agencies (FPAs)

If Equifax reasonably suspects that fraud has been or might be committed, it may share data with FPAs. These FPAs collect, maintain and share data on known and suspected fraudulent activity. Equifax and some other CRAs also act as FPAs.

Equifax shares information with the major fraud prevention agency in the UK, Cifas, who can be contacted here:

www.cifas.org.uk

Resellers/Distributors

Equifax also uses other organisations to help provide its services to clients and may provide personal data to them in connection with that purpose. Details of our current list of such organisations are shown here and will be updated as appropriate from time to time:

Company Details

Description of Service

GB Group plc (‘GBG’)

www.gbgplc.com

•  Detect fraud in relation to the granting of credit to consumers

•  Assist in the prevention of money laundering

•  Manage risk through ID verification  

·         • Employee screening to assist with the hiring process

LexisNexis Risk Solutions

https://risk.lexisnexis.co.uk/

·   To help prevent, detect and investigate financial crime and fraud, including identity validation, verification and authentication services.

·   To support tracing, asset reunification, debt collection and general customer data management activities.

·   To comply with various legal and regulatory requirements, such as those required by the FCA or the Prudential Regulation Authority (PRA), and to assist in the prevention of money laundering and counter-terrorist financing.

·   To support insurance providers in the underwriting and pricing of insurance policies and assessment of insurance risk

·   For consumer credit risk assessment purposes to promote responsible lending.

·   For internal testing and development, modelling, evaluation and research or scoring.

Iovation Inc.

www.iovation.com

Fraud prevention and authentication tool provider

Sagacity Solutions Limited

www.sagacitysolutions.co.uk

Data management and consultancy provider

Jumio UK Limited

www.jumio.com

Facial biometrics and document validation services

BAE Systems Applied Intelligence Limited

www.baesystems.com/en/cybersecurity/home

Threat analytics, managed security services, financial crime, cyber defence and digital transformation services

CoCreate Design and Marketing Limited

www.cocreatedesign.com

Web application and development services

Synectics Solutions Limited

www.synectics-solutions.com

Detection of potentially fraudulent customer applications for credit, savings, insurance and money transmissions

Fair Isaac Services Limited

www.fico.com

Data analytical services

Threatmetrix Inc.

www.threatmetrix.com

Fraud prevention software

Other organisations

Some data, where permitted in accordance with industry rules or where it is public information, can be shared with other organisations that have a legitimate use for it - ID verification services, for example.

Public bodies, law enforcement and regulators

The police and other law enforcement agencies, as well as public bodies like local and central authorities and Equifax’s regulators, can sometimes request that Equifax supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax or investigating complaints.

Equifax Group Companies

Equifax shares personal data with other companies within its group where required for the purposes of administration of products/services, IT back office and software support. Such group companies include: Equifax Inc. Equifax Commercial Services Limited, Equifax Consumer Information Services LLC, Equifax Chile and Equifax Costa Rica (“Equifax Group”).

We also provide services to some group companies (such as TDX Group Limited) to enable those group companies to provide services to their clients.

Processors

Equifax uses other trusted organisations to perform tasks on its behalf. The following shows the countries of operation for listed services:

Service Category

Country(s) of Operation

(See section 6. for more information on Equifax overseas processing)

IT  infrastructure and operations software support

UK & India

IT back office business process software support

India

IT back office helpdesk service support

India

IT service management support

US

Customer call centre services

UK & Philippines

Customer call centre support services

US

Processing administration services

India

Telephone support services

UK

Printing and mailing house services

UK

Merchant payment processor for customer payments

Ireland

Cloud services provider

US

Identity and fraud prevention service provider

US

Marketing communication services

UK

Confidential Waste Services

UK

Many of these services are provided by companies within the Equifax Group: 

Equifax Group Company Details

Country(s) of Operation

(See section 6. for more information on Equifax overseas processing)

Description of Service

Equifax Inc.

US

Administrative support, IT and Security back office software support, software development and cloud disaster recovery

Equifax Commercial Services Limited

Ireland

Customer call centre and complaints handling services

Equifax Consumer Services LLC

US

Website portal services

Servicios Equifax Chile Ltda

Chile

Back office incident and diagnosis support for Interconnect systems

Verdad Informatica de Costa Rica S.A.

Costa Rica

Back office incident and diagnosis support for Interconnect systems

In addition to the above, Equifax has service arrangements in place with auditors, consulting and professional service providers.

Individuals

People are entitled to obtain copies of the personal data Equifax holds about them. You can find out how to do this in SECTION 9 below.

6.       WHERE IS PERSONAL DATA STORED AND SENT?

Equifax is based in the UK, and we keep our main databases here. All information and personal data held by Equifax is stored either on encrypted services at a secure physical location (whether these be our own servers or those of cloud service providers that we use).

Equifax also has internal policies and controls in place to ensure that personal data is kept secure as well as to minimise the risk of any personal data being lost, misused, disclosed or accidently destroyed.

Equifax also has operations elsewhere inside and outside the European Economic Area, and personal data may be accessed by or transferred to Equifax Group companies or service providers in other jurisdictions.

Details of the main processors Equifax use and where they operate can be found above in SECTION 5.

While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when Equifax does send or allow access to personal data overseas we will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. To do this Equifax:

  • ensures third parties have entered into a contractual duty of confidentiality with Equifax;
  • obliges third parties to implement appropriate technical and organisational measures to ensure the security of personal data;
  • ensures adequate transfer mechanisms are in place, including in many cases by putting in place a contract with the recipient containing mandatory terms approved by the European Commission as providing a suitable level of protection for personal data. These are commonly referred to as Standard Contractual Clauses or ‘EU Model Clauses’.

7.       HOW LONG DOES EQUIFAX RETAIN PERSONAL DATA?

Identifiers

Identification data like names and addresses are kept while there’s a continuing need to keep it. This need will be assessed on a regular basis, and data that’s no longer needed for any purpose will be disposed of.

Financial accounts and repayment data

Data about live and settled accounts is kept on credit files for six years from the date they’re settled or closed. If the account is recorded as defaulted, the data is kept for at least six years from the date of the default.

Court judgments, decrees and administration orders

Generally, court judgments and other decrees and orders are kept on credit files for six years from the date of the judgment, decree or order. But they can be removed if the debt is repaid within one calendar month of the original date or if the judgment is set aside or recalled by the courts.

Bankruptcies, IVAs, debt relief orders and similar events

Data about bankruptcies, IVAs and other insolvency-related events and arrangements are usually kept on credit files for six years from the date they begin. This period is extended if they last longer than six years. Some data, such as a bankruptcy restrictions order, can also remain on the credit file for longer than six years.

Although the start of these events is automatically reported to Equifax, the end (such as a discharge from bankruptcy or completion of an IVA) might not be. It is for this reason that we advise you to contact us (please see our contact details above) and the other CRAs (as applicable) when this happens, to make sure that credit files are updated accordingly.

Search footprints

Equifax keep most search footprints for at least one year from the date of the search, although we keep debt collection searches for up to two years. 

Derived or created data

Equifax also creates data and generates links and matches between data. For example, Equifax keeps address links and aliases for as long as they’re considered relevant for credit referencing and other valid purposes.

Links between people are kept on credit files for as long as we believe those individuals continue to be financially connected. When two people stop being financially connected, either person can contact us and ask for the link to be removed. We will then follow a process to check the people are no longer associated with each other and then update our records accordingly.

Other data

Other third party supplied data such as politically exposed persons (PEPs) and sanctions data and mortality data will be stored for a period determined by criteria such as the agreed contractual terms.

Archived data

Equifax holds data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence of legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards. 

8.       DOES EQUIFAX MAKE DECISIONS ABOUT YOU OR PROFILE YOU?

Lending decisions

Equifax does not tell its client lenders if they should offer you credit – this is for the lender to decide. CRAs provide data and analytics that help lenders make decisions about lending. 

Please refer to the CRAIN for more details on this:  www.equifax.co.uk/crain

Scores and ratings

When requested, Equifax does use the data we obtain to produce credit, risk, fraud, identity, affordability, screening, collection and/or insolvency scores and credit ratings.

Please refer to CRAIN for more details on this:  www.equifax.co.uk/crain

Other Profiling

Equifax will combine the information it holds about you and others to generate characteristics and attributes linked to (for example) the area in which you live (please see our comments above in relation to PLD).

Typically, these characterises and attributes are (once compiled) at an anonymous level i.e. you are not directly identified. However, where we share this data with our clients, it may be that you can be ‘re-identified’ by our client, by combining the information with data it already holds.

As described in SECTION 10 (MARKETING SERVICES), we also use attributes, characteristics and other profiled data to assist clients with their marketing services.

9.       WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA?

Data protection law provides you with a number of rights in relation to your personal data (which are summarised below and expanded in the sub-sections following). You can exercise these rights by contacting us via the details set out in SECTION 1.

Subject to the requirements of applicable laws and certain limitations or exemptions, you have the right to:

  • access your personal data and be provided with certain information in relation to it, such as the purpose for which it is processed;
  • require us to correct any inaccuracies in your personal data without undue delay;
  • require us to erase your personal data (please be aware that the right of erasure under data protection law is not an absolute right as it only applies in relation to one or more specific circumstances);
  • require us to restrict the processing of your personal data;
  • receive the personal data which you have provided to us in a commonly used, machine readable format, where we are processing it on the basis consent or to comply with a contract with you (please see the above tables) and such processing is automated; and
  • object to a decision that we make which is based solely on automated processing of your personal data.  

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK data protection regulator. More information can be found on the ICO website at https://ico.org.uk

We have provided further details of the above rights, below.

9.1          WHAT CAN I DO IF I WANT TO SEE MY PERSONAL DATA HELD BY EQUIFAX?

               Data access right

You have a right to find out what personal data Equifax holds about you and for a copy of this information to be provided to you free of charge.

The most relevant information Equifax holds about you is likely to be contained in your own credit report.

View Statutory Credit Report On-line

Equifax provides a quick and efficient way to access your credit report for free and on-line within a few minutes where we can positively confirm your on-line identity.  Click below to start the process:

https://www.econsumer.equifax.co.uk/consumer/uk/order.ehtml?prod_cd=UKSCR

Request a paper copy of your Statutory Credit Report

You can request a free postal copy of your Statutory Credit Report in two ways - online or via our credit report application form which you can download then post to the following address:

Equifax Ltd
Customer Service Centre
PO Box 10036
Leicester
LE3 4FS

A copy of your Statutory Credit Report will be posted to your home address within one month but is likely to be much quicker than that.

Request a copy of other personal data held by Equifax

You can also request a free downloadable copy (available in PDF format) of the other information Equifax holds about you. Click below to start the process:

https://www.subjectaccess.uk.equifax.com/subjectaccess/#/dsar-landing-page

It may take us up to one month to collate and provide you with this information.

If you require a copy of your personal data in a format such as braille or audio, please use one of the contact channels detailed in SECTION 1 above, to make your request

9.2          DO I HAVE A ‘PORTABILITY RIGHT’ IN CONNECTION WITH MY EQUIFAX DATA?

Recent data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it is processed on certain grounds, such as consent. This is not a right that will apply to Equifax data where this data is processed on the grounds of legitimate interests. To find out more about legitimate interests please go to SECTION 3 above.

9.3          WHAT CAN I DO IF MY PERSONAL DATA IS WRONG?

When Equifax receives personal data, we will check it to try and detect any defects or mistakes. Ultimately, though, we can often only rely on our suppliers to provide accurate data.

If you think that any personal data Equifax holds about you is wrong or incomplete, you have the right to challenge it. It’s worth knowing that when acting as a credit reference agency or fraud prevention agency we won’t have the right to change the data without permission from the organisation that supplied it, so we will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy.

If the data does turn out to be wrong, we will update our records accordingly. If we still believe the data showing on your credit report is correct after completing our checks, we’ll continue to hold and keep it - although you can ask us to add a note to your credit report indicating that you disagree or providing an explanation of the circumstances.

If you’d like to do this, please use one of the contact channels detailed in SECTION 1 above.

9.4          CAN I OBJECT TO EQUIFAX USE OF MY PERSONAL DATA AND HAVE IT DELETED OR RESTRICTED?

Data protection laws in the UK give you the right to object to your personal data being processed and to request that such processing be restricted or the data deleted. However, please be aware that the rights of objection, restriction and erasure are not ‘absolute rights’, meaning that they will only apply in specific circumstances.

This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be restricted or deleted.

You can contact Equifax with your objection or request at any time, using the contact details in SECTION 3.

Right of Objection:

The right of objection only applies in the following circumstances:

a)      Where the processing is based on a legitimate interest or a public interest. However, we are permitted to continue processing your data if there are ‘compelling legitimate grounds’ to continue processing your data (please see the section ‘Overriding Legitimate Grounds’ below)

b)      Where personal data is processed for the purposes of direct marketing. This is an absolute right – meaning if you raise an objection to any such processing, we will stop that processing (please be aware that we may retain a record of your objection and certain other details to ensure that your objection to marketing processing, continues to be recognised).

Right of Restriction:

The right of restriction only applies in the following circumstances:

a)      the accuracy of your data is contested by you for a period enabling us to verify the accuracy;

b)      our processing of your personal data is unlawful but you would prefer that the data not be deleted and would instead like us to simply not use it;

c)       it is no longer necessary for us to process the personal data but you would like us to retain it (rather than delete it) so that you can use it for the establishment, exercise or defence of a legal claim; or

d)      you have objected to the processing (see above) and are pending verification of any overriding legitimate grounds we may have to continue processing the data (see below).

Right of Erasure:

A right of erasure only applies in relation to one or more of the following circumstances (as applicable):

a)      The personal data is no longer necessary for the purpose we collected it for.

b)      The processing of your personal data was on the basis of your consent, which has now been revoked and there are no other lawful basis for processing your personal data.

c)       Your personal data is processed for the purposes of conducting direct marketing and you have now objected to such marketing (however, we may still need to retain some of your data in order to ensure that you are not sent marketing).

d)      We are unlawfully processing your personal data or applicable UK law requires us to erase the personal data to comply with a legal obligation.

e)      The processing of your personal data is on the basis of a legitimate interest pursued by us or a third party (or is in the public interest), you have objected to such processing and there are no overriding legitimate grounds to continue processing the personal data.

As explained earlier in this Notice, the majority of our processing of your personal data is on the basis of legitimate interest. Therefore, condition (e) above, is the one most likely to apply and we can continue processing your data if an overriding legitimate ground exists (please see below).

Overriding Legitimate Grounds

Please be aware that it is very likely that an overriding legitimate ground to continue processing your data will continue to exist (despite your objection or request for erasure). This is because of the importance of the credit referencing industry to the UK’s financial system, which helps the industry assess instances of fraud and prevent over indebtedness, fraud and money laundering.

As a result, in many cases it won’t be appropriate for Equifax to restrict or to stop processing or delete your personal data. For example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise wouldn’t be eligible for.

10.   MARKETING SERVICES

10.1        HOW DO WE USE YOUR DATA FOR DIRECT MARKETING PURPOSES?

As summarised above, we use some of your data to assist our clients with their marketing activities. Broadly, these services fit within the following categories:

  • Prospecting - Equifax creates marketing lists which contain contact data (such as name and address) that are provided or sold to clients (where permitted) who use them to contact potential new customers.  This activity is commonly known as Data Broking.
  • Prospecting (Attribute Data) – We might also supplement or refine the above marketing lists by selecting those records that are considered to be the most appropriate for the client’s requirements. This selection is based on a range of data attributes that we generate in relation to individuals or a class of individuals.  These attributes (also referred to as a ‘variable’ or a ‘characteristic’) help our clients to identify consumers who may be interested in particular products and services.
  • Pre-Screening – This is the act of removing an individual from a marketing list because the relevant product or service would not be appropriate. The purpose of pre-screening is to avoid sending marketing materials unnecessarily and to also encourage responsible lending by not advertising products and services to individuals who would not be in a position to receive them. Equifax offers a range of pre-screening services that can apply to both Equifax supplied prospecting contact data and our client’s existing customer data:
    • Equifax Credit Pre-Screening - Prior to supplying data to a client, Equifax can pre-screen the data to remove individuals who may not be considered appropriate for the product or service. For example, a lender might not consider it appropriate to market a new loan to someone who is subject to a CCJ.
    • Client Credit Pre-Screening – Where requested by the client, Equifax will append the attributes that can be used for pre-screening to the data that is supplied to a client. The client will undertake the pre-screening prior to any marketing contact.
    • Data Screening – Equifax uses a range of data to remove records that should not be contacted for marketing purposes.  These include:
      • Goneaways – Equifax identifies and removes records using its disConnect product that contains records where the previous occupant has moved from a property.
      • Deceased - Equifax will remove records where we have a deceased record for an individual.
      • Objections – Where an individual has requested not to be included in Equifax’s marketing contact data, we will remove their data from marketing lists and may also inform our clients to remove these individuals from their own lists.
      • Industry Suppressions – we hold the Mail Preference Service, Baby Mailing Preference Service and the Telephone Preference Service data and screen files against these.
  • Data Accuracy - Equifax will use its data to help clients ensure they hold accurate data on their customers and prospects, for example to ensure that they have your current postal address.
  • Profiling - To support our Marketing Services solutions Equifax creates Attributes, Models and Scores (see further details below) that assist clients in profiling consumers. This profiling helps clients identify consumers who may be interested in certain products and services based on identifying traits and characteristics associated with the consumer.

10.2        WHAT TYPES OF PEROSNAL DATA DOES EQUIFAX COLLECT AND PROCESS FOR DIRECT MAREKTING PURPOSES AND ON WHAT LAWFUL BASIS?

As with our core credit and fraud services, we typically do not have a direct relationship with you, so we obtain data from numerous sources. The three primary sources being:

1.       Publically Available Data

We obtain your name, postal address,  date of registering and where available your date of birth from the Edited Electoral Roll (“EER”) and Edited Rolling Register (“ERR”), each made available to us by local authorities.

When you registered with the Electoral Roll (e.g. to vote), you will have been given the option to opt-out of having your details placed on the EER and ERR. If you did not opt out, your data can be used for direct marketing purposes on the lawful basis of legitimate interest.

We also obtain ‘Pre-mover’ data (see SECTION 3, above), which is publically available (for example on property search websites) but which we obtain from a third party supplier, TwentyCI Limited (whose details are included in SECTION 10.4).

2.       Marketing Services Data Provider Information

We supplement the data available via the EER and ERR with contact information supplied by third party Marketing Services Data Providers.  These providers are detailed in SECTION 10.4 below. 

These Marketing Services Data Providers supply your data to Equifax where you have previously provided your consent to receive marketing from third parties.  This means that you have agreed to your data being passed to us, as a named data controller and data broker at the point that your consent to be marketed to was captured. 

When you gave your consent, information will have been made available to you, which explained the types of organisations with whom we would share your data for direct marketing purposes (please see SECTION 10.5, below).

We receive the following personal data (where available) from our Marketing Services Data Providers:

  • Contact Data  (your title, name and postal address )
  • Date of Birth
  • Permitted Contact Channels - an indicator to show which contact channels you have agreed to be contacted by, for example ‘by post’
  • Date of Permission Capture - this is the date you provided your consent to be marketed to and where applicable will also show the most recent date of your permission.
  • Data Source - a code is supplied that shows which organisation has collected your data
  • Suppression Data – you may subsequently elect to withdraw your consent to marketing and we may receive notification of this from our supplier, together with your contact details (e.g. your name, address) so that they can be added to our suppression files.  This will ensure that your contact details are removed from any future marketing data that Equifax supplies to our clients and will be shared with relevant clients (with whom we have previously shared your data for direct marketing purposes), to enable them to remove you from their marketing lists, accordingly.

3.       Credit Bureau Data

We use some of the data described in SECTION 3 (Financial Accounts and Repayment Data, Court Judgments, Decrees and Orders, Searches and Derived or Created Data) to produce ‘Attributes’ or ‘Characteristics’ which help improve our clients’ pre-screening processes prior to undertaking direct marketing.

This processing is conducted on the lawful basis of legitimate interest. The Legitimate Interests being pursued here for us and other organisations include:

  • Our ability to conduct, manage and grow our business and to help organisations market more effectively, for example, by ensuring communications are more relevant to you.
  • Our clients’ legitimate interest in finding new customers and making sure they offer appropriate products and services to existing customers through their marketing activities.

10.3        HOW DOES EQUIFAX USE ATTRIBUTES AND SCORES FOR MARKETING PURPOSES (INCLUDING PROFILING)?

The data described above may be used in isolation or combined (including with data held by our clients) to create attributes and scores that help describe an individual, household or geographic area.

The primary attributes created and used relate to the following:

  • Demographics - age, gender, residency confirmation, length of residency (based on dates data has been supplied to Equifax), earliest known residency
  • Triggers and Events – House for Sale/Rent or in move process
  • Lifestyle - Wealth and purchasing preferences

These attributes are created at different levels to assist with profiling either the individual or a broader group.  The primary levels are as follows:

Level

Description

Subject

Data regarding an individual

Family

Data regarding the people in the same household as the subject who share the same surname as the named subject or if there is a known financial associate between two individuals with different surnames

Household

Data relating to all people within a household

Postcode

Postcode level data (as explained in SECTION 3 above, PLD is not typically personal data as it does not identify any one individual, however we or our clients may link the postcode level attributes to you, thereby making it personal data)

In addition to creating attributes, Equifax also generates the following models and scores:

Subject and Household Level

Model

Description

Head of Household

Subject level model that indicates if a person is likely to be the main decision maker in a household

Household Composition

A Household level model that assigns a potential type of household group for example an all-male household

Married Flag

Subject level model that indicates if a person is likely to be married

Micromatch Motivational Models:

Financial Services 

Micromatch Telecommunications and Technology 

Home Shopping

Subject level models that aim to classify people’s purchasing habits

   

Year of Birth Model

Subject level model that provides an estimated year of birth for a person

   

Mail Order Multi Buyer Propensity Score

Subject level model that shows likelihood to make multiple mail order purchases

Risk Navigator - Base

A risk score that does not contain credit data and which is used for selections or screening

Risk Navigator – Credit Data

A risk score that does contain credit data and which can be used for screening only

                Postcode Level Models and Scores

Landscape Financial

A model that groups UK postcodes based on shared attributes

Landscape Household Composition

A model that assigns a potential type of household group

Landscape Lifestage

Model that indicates the most common lifestage in a postcode

   

Landscape Property

Estimates property value and council tax band at postcode level

Landscape Scores

Range of scores predicting credit card, loan and telco related activity

Postcode Risk Score - Base

Postcode level risk scores that are created without credit data and which are used for selections or screening

Postcode Risk Score – Credit Data

Postcode level risk scores that are created with credit data and which are used for screening

10.4        WHO ARE OUR MARKETING SERVICES DATA PROVIDERS?

Our current list of Marketing Services Data Providers is set out below with relevant contact details:

Marketing Services Data Provider

Description of Data

Contact Details:

Data Mixx Limited

Contact data including:

·         Name and Address

·         Date of Birth

Data Mixx

Parallel House

32 London Road

Guildford

Surrey

GU1 2AB

Email:

compliance@datamixx.co.uk

Ideal Media Today Limited

Contact data including:

·         Name and Address

·         Date of Birth

Ideal Media

Third Floor

Capital Tower

Greyfriars Road

Cardiff

CF103AG

Email:

datacompliance@ideal-o.com

Tel:

0870 777 1959

TwentyCI Limited

Pre-Mover Data including:

·      Address

·      Move Status

·      Estimated Move Date

TwentyCi Limited

8 Whittle Court

Milton Keynes

Buckinghamshire

MK5 8FT

Email: enquiries@twentyci.co.uk

Tel: 01908 829300

10.5 WHO DO WE SHARE MARKETING SERVICES DATA WITH?

We supply Marketing Services data to our clients and resellers.

Marketing Services Clients

Equifax has a range of clients with whom it shares Marketing Services data.  This data is provided to our clients on the basis of either your consent or a legitimate interest. 

Where Equifax supplies Marketing Services data to a client under consent, they will be listed in the table below. 

Where Equifax supplies Marketing Services data to a client under legitimate interests, they will be in one of the sectors listed in the Sectors table further below.  They may also be listed in the Companies table.

Companies

Company Details

Description of Service

Advanced Payment Solutions Ltd (t/a Cashplus)

www.cashplusgroup.com

Name and Address data for postal marketing

Express Gifts Limited trading as “Studio” and “Ace”

www.studio.co.uk

www.ace.co.uk

Name and Address data for postal marketing

Lendable Operations Limited

www.lendable.co.uk

Name and Address data for postal marketing

Optimum Credit Limited

www.optimumcredit.co.uk

Name and Address data for postal marketing

OMNIS Data Limited

https://omnisdata.co.uk/

Name and Address data for postal marketing

Shop Direct Home Shopping trading as Very and Littlewoods

www.very.co.uk

www.littlewoods.com

Name and Address data plus attributes for postal marketing

Virgin Media Limited

www.virginmedia.com

Name and Address data plus attributes for postal marketing

Zopa Limited (and its affiliates)

www.zopa.com

Name and Address data plus attributes for postal marketing

                Sectors:

We provide Marketing Services data to clients operating within the following primary and sub-sectors:

Primary Sector

Sub Sectors

Charity

Ages, Animals, Armed and Ex Services, Arts, Children and Youth, Community, Culture and Heritage, Disability, Environmental, Education and Training, Employment Trades and Professions, Family, Homeless,  Hospices, Human Rights, International, Medical Welfare, Mental Health, Overseas Aid, Religious, Rescue Services, Social Welfare, Sports Recreation and Visual Impairments

Finance

Pensions, Loans, Credit cards, Mortgages, Automotive (including dealerships and accessories), Investments and Savings, Insurance Home, Car, Travel, Pet, Personal and Other Insurance

FMCG

Supermarkets, Pharmacies, Consumables

Home and Family

Building Works, Buying, Changing Career, Children, Computers, Conservatories, DIY, Education, Employment, Electricity Services, Extensions, Finding New Employment, Floorings, Furniture, Further Education, Garages, Gas Services, Health Issues, Home Appliances, Learning, Letting, LPG Services, Oil Services, Other Household Utilities, Returning to Work, Self-Employment, Selling, Smoking, Stables, Starting Work, Telephones and TV

Legal

Accident Claims Management, Claims Management Companies, Debt Collection, Debt Consolidation, Legal Liability Claims, Legal Protection Claims, Legal Services, Packaged Bank Account Reclaim, Personal Accident Claims, Personal Injury Claims, Personal Liability Claims, PPI Companies and Claims, Voluntary Arrangements, Will Writing and Wills

Lifestyle

Health & Well-being, Fitness, Charities, Media and Publishing, Leisure, Gaming, Legal Services, Education and Photography

Marketing Services Providers

Marketing Services Providers and Data Brokers

Media

Magazine offers, Cinema, Competitions, Magazine Readership, Publishing, Newspaper Readership and Subscriptions, Offers, Theatre, Specialist Magazines, Surveys, Web Promotions, TV and Film

Motoring

Bicycles, Boats (powered and sail), Caravans, Gliding, Helicopter, Mobile Homes, Motorbikes, Motor Vehicles, Motorcycling, Motorhomes and Planes

Retail

Online retail, General Stores, Automotive, Property, Home Furnishings, Home Improvements, Fashion and Clothing, Telecoms and Utilities

Travel

Holidays, Hotels, Travel Booking and Airlines

Resellers/Distributors:

In addition to the clients noted above, we also supply Marketing Services data to the following resellers/distributors:

Company Details

Description of Service

Market Me Now Limited

www.marketmenow.co.uk

Name and address data for postal mailings

Communisis UK Limited

www.communisis.com

Name, address and attribute data to support profiling and marketing communications

Acxiom Limited

https://www.acxiom.co.uk/about-acxiom/privacy/uk-privacy-policy/

Edited Electoral Roll data

CACI Limited

https://www.caci.co.uk/content/consumer-information

Edited Electoral Roll data

10.6 DOES EQUIFAX USE MY DATA FOR ITS OWN MARKETING?

Yes, where we have your consent or it is otherwise lawful for us to do so. As noted above, we may have a direct relationship with you where you have enquired about or purchased our products and services (for example, if you obtain your credit report).

When we obtained your personal data in relation to such products/services, you may have given your consent to us sending you direct marketing – or you may have been presented with an option to opt out from receiving direct marketing (where we are able to send marketing without your consent). 

These marketing activities are distinct from those described above and only relate to our products and services. As explained below, should you no longer wish to receive any marketing communications from us, you can opt-out or unsubscribe at any time.

10.7        HOW LONG WILL WE RETAIN MARKETING SERVICES DATA?

Equifax will use the marketing data for the period of time we believe appropriate and necessary to the type of permission you originally provided (where our processing is based on consent) and the channel for the marketing activity.

For permissions linked to postal marketing, this period will be up to 36 months from when consent was given.

10.8        WHAT ARE MY RIGHTS IN RELATION TO MARKETING SERVICES DATA?

Your rights in relation to the personal data we use for Marketing Services are the same as those set out in SECTION 9, above.

In addition to these rights, you have an absolute right to object to direct marketing and (if our processing is based on consent) to withdraw your consent.

WITHDRAWING YOUR CONSENT

You may withdraw your consent for your personal data to be used for further marketing activity at any time.

Where Equifax has received your data from one or more of the Marketing Services Data Providers listed in the table above, you can withdraw your consent by either using the contact details in the above table to communicate directly with the company that supplied your data to Equifax or you can notify us directly using the contact information provided in SECTION 1.  If you wish to review your marketing permissions, you should contact the relevant company above.

When you do contact Equifax to withdraw your consent or where we are informed by a supplier that you have withdrawn your consent (or where we otherwise stop processing your data following an objection – see below), we will add your data to our marketing suppression files.  These files are applied to the Equifax marketing contact data in order to remove records that do not wish to have marketing contact.  They may also be shared with some clients in order to ensure they suppress your data from their files.  This process does require that Equifax processes your marketing contact data in order to include it in its suppression files.

OBJECTION TO MARKETING SERVICES PROCESSING

You have the right at any time to object to Equifax processing your personal data for the purposes of us (or our clients) sending direct marketing to you.

Following any such objection, we will cease processing your personal data for direct marketing purposes but may need to retain some of your personal data in order to (i) ensure that it continues to be supressed from such direct marketing use; and/or (ii) continue our use of the data for any other purposes for which we have a lawful basis to do so, as set out in this document.

11.   WHO CAN YOU COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA?

Equifax works hard to give you the best possible service. We try to make it as easy as possible for you to share your concerns with us, and we want you to be happy with how we handle them.  

If you have a complaint, please contact our Complaints Team.  Full contact details and the Equifax complaints procedure can be found by clicking here.

If you’re unhappy with how Equifax has investigated your complaint, you have the right to refer it to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like Equifax. You can contact them by:

You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:

  • Phone on 0303 123 1113
  • Email at casework@ico.org.uk (you need to add a subject line of 'Report a Concern')
  • Writing to them at First Contact Team, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  • Going to their  website at www.ico.org.uk

12.   WHERE CAN YOU FIND OUT MORE?

The Information Commissioner’s Office publishes advice and information for consumers in its Credit Explained leaflet, available at https://ico.org.uk/media/for-the-public/documents/1282/credit-explained-dp-guidance.pdf.