EQUIFAX INFORMATION NOTICE

(EIN)

Version: 1.3  Adopted: 20 June 2018

This document describes how Equifax Limited (“Equifax”) hold and process personal data for each of its business functions in the UK.

Equifax core activity is credit referencing and together with the other main credit reference agencies (CRAs), Callcredit and Experian, we have drafted a separate document detailing how each CRA commonly use and share personal data we receive about you and/or your business that is part of or derived from or used in credit activity. We have called this document the ‘Credit Reference Agency Information Notice’ (CRAIN) and you can access it here: www.equifax.co.uk/crain

This Equifax Information Notice specifically relates to the Equifax UK business and should be read in conjunction with CRAIN.  It answers the following questions:

  1. Who are we and how can you contact us?
  2. What do we use personal data for (including in sub-section (c) how Equifax uses certain data sources for marketing purposes)?
  3. What are our grounds for handling personal data?
  4. What kinds of personal data do we use, and where do we get it from?
  5. Who do we share personal data with?
  6. Where is personal data stored and sent?
  7. How long is personal data kept for?
  8. Do we make decisions about you or profile you using personal data?
  9. What can I do if I want to see the personal data held about me? Do I have a ‘data portability’ right in connection with my bureau data?
  10. What can I do if my personal data is wrong?
  11. Can I object to the use of my personal data and have it deleted?
  12. Can I restrict what Equifax does with my personal data?
  13. Who can I complain to if I’m unhappy about the use of my personal data?

You have the right to object to Equifax using your personal data. Please see Section 11 to find out more.

1. WHO IS EQUIFAX AND HOW CAN I CONTACT THEM?

Equifax provides one of the largest sources of detailed consumer and business data in the UK, providing insight into the behaviours and drivers behind the economy, helping our clients drive their business forward and consumers access the products and services they can reasonably afford.

Equifax Limited is regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct business as a credit reference agency and a credit broker.

We also provide other information services such as marketing data broking.

We can be contacted by any of the following methods:
Post:      Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS.
Web Address:  https://www.equifax.co.uk/Contact-us/Contact_Us_Personal_Solutions.html
Secure email via: www.equifax.co.uk/ask
Phone:  0333 321 4043 or 0800 014 2955

Additionally, Equifax Ltd has a dedicated Data Protection Officer who can be contacted as follows:
Post:      Equifax Ltd, Data Protection Officer, PO Box 10036, Leicester, LE3 4FS.
Email:    UKDPO@equifax.com

2. WHAT DOES EQUIFAX USE PERSONAL DATA FOR?

(a) CREDIT REFERENCE AGENCY PROCESSING

Credit reference agencies receive personal data about you that’s part of, derived from or used in credit activity.  Credit referencing activities include:

  • Credit reporting and affordability checks
  • Verifying data like identity, age and residence, and preventing and detecting criminal activity, fraud and money laundering
  • Account management
  • Tracing and debt recovery
  • Screening
  • Statistical analysis, analytics and profiling

Please refer to CRAIN for more details on these activities:  www.equifax.co.uk/crain

(b) FRAUD PREVENTION AGENCY PROCESSING

A Fraud Prevention Agency (FPA) collects, maintains and shares, data on known and suspected fraudulent activity. Equifax also acts as a FPA.

How data may be used by fraud prevention agencies:

FPAs may supply the data received from its clients about you, your financial associates and your business (if you have one) to other organisations (please see Section 5 for more information on these organisations). This may be used by these organisations and other FPAs and CRAs to: -

  • Prevent crime, fraud and money laundering by, for example;
    • checking details provided on applications for credit and credit related or other products and services
    • managing credit and credit related accounts or products or services
    • cross-checking details provided on proposals and claims for all types of insurance
    • checking details on applications for jobs or as part of employment
  • Verify your identity if you or your financial associate applies for facilities including all types of insurance proposals and claims
  • Trace your whereabouts and recover debts that you owe
  • Conduct other checks to prevent or detect fraud
  • Undertake statistical analysis and system testing
  • Your personal data may also be used for other purposes where you’ve given consent or where required or permitted by law

(c) MARKETING SERVICES PROCESSING

Equifax’s Marketing Services offers products and services that enable our clients to work with accurate and reliable data to improve consumer marketing via offline channels such as postal mail and online channels such as email and digital marketing.

Equifax use a range of data sources to enable the following key marketing activities:

  • Prospecting - Contact Data - Equifax creates marketing lists which contain contact data (such as name, address, email address, telephone number) that are provided or sold to clients (where permitted) who use them to contact potential new customers.  This activity is commonly known as Data Broking. Prior to supplying the contact data, Equifax will select those records that are considered to be the most appropriate for the client’s requirements based on a range of data attributes that it holds against each record.
  • Prospecting - Contact and Attribute Data - In addition to supplying contact data, the data can be appended with additional information  about a consumer (often known as an attribute) which enable organisations to undertake analysis on a marketing list prior to contact in order to identify potential customers that they wish to offer products and services. 
  • Marketing to a Client’s Existing Customers – Equifax will append data and attributes to a client’s existing or lapsed customer lists in order to enable clients to identify and contact those customers that it wishes to offer products and services to.
  • Data Accuracy - Equifax will use its data to help clients ensure they hold accurate data on their customers and prospects, for example to confirm your residency at an address.
  • Marketing Data Linking – Equifax will use the contact data to match information on a consumer to other data sources.  As an example, an email address held by Equifax will be used to match to an email address within a third party data source in order to enable the data held on a consumer within both data sources to be combined and accessed.
  • Profiling - To support our Marketing Services solutions Equifax creates Attributes, Models and Scores that assist clients in Profiling. Profiling helps clients identify consumers who may be interested in certain products and services based on identifying traits and characteristics associated with the consumer.

(d) GENERAL INFORMATION SERVICES PROCESSING

To facilitate the processing detailed in this Section, Equifax also performs the following:

Database activities

Equifax carries out certain processing activities internally which support databases effectiveness and efficiencies.  For example:

  • Data loading: data supplied to Equifax is checked for integrity, validity, consistency, quality and age to ensure it is fit for purpose. These checks pick up things like irregular dates of birth, names, addresses, account start and default dates, and gaps in status history.
  • Data matching: data supplied to Equifax is matched to their existing databases to help make sure it is assigned to the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. Where permitted Equifax use the personal data individuals have provided to its clients together with data from other sources to create and confirm identities, which are used to underpin the services Equifax provide.  
  • Data linking: as Equifax compiles data into its databases, Equifax creates links between different pieces of data. For example, people who appear financially associated with each other may be linked together, and addresses where someone has previously lived can be linked to each other and to that person’s current address.
  • Systems and product testing: data may be used to help support the development and testing of new products and technologies.

Other uses with your permission

From time to time Equifax may use the personal data it holds or receives about you for other purposes where you’ve given your consent.

Uses as required by or permitted by law

Your personal data may also be used for other purposes where required or permitted by law.

3. WHAT ARE EQUIFAX LEGAL GROUNDS FOR HANDLING PERSONAL DATA?

Legitimate interests

The UK’s data protection law allows the use of personal data where its purpose is legitimate and isn’t outweighed by the interests, fundamental rights or freedoms of data subjects.

The law calls this the Legitimate Interests condition for personal data processing.

Where Equifax function as a Credit Reference Agency or Fraud Prevention Agency, the Legitimate Interests being pursued here include:

  • Promoting responsible lending and helping to prevent over-indebtedness
  • Helping prevent and detect crime and fraud and anti-money laundering services and verify identity
  • Supporting tracing and collections
  • Complying with and supporting compliance with legal and regulatory requirements

Please refer to CRAIN for more details on the above activities:  www.equifax.co.uk/crain

Where Equifax perform Marketing Services, the Legitimate Interests being pursued here for us and other organisations include:

  • Our ability to conduct, manage and grow our business and to help organisations market more effectively, for example, with offers and services that are better tailored and relevant to you.
  • Our clients legitimate interest in finding new customers or making sure they offer appropriate products and services to existing customers through their marketing activities.

Equifax use of this personal data is subject to an extensive framework of safeguards that help make sure that individuals’ rights are protected. These include the information given to individuals about how their personal data will be used and how they can exercise their rights to obtain their personal data, have it corrected or restricted, object to it being processed, and complain if they’re dissatisfied. These safeguards help sustain a fair and appropriate balance to ensure Equifax credit referencing, fraud prevention and marketing services activities don’t override the interests, fundamental rights and freedoms of data subjects.

Consent

The UK’s data protection law allows the use of personal data where an individual has given consent to the processing of his or her personal data for one or more specific purposes.

Where Equifax process and supply contact data to support our Marketing Services under consent for marketing and/or customer management purposes to our clients, this will only be sourced from data suppliers who have collected the appropriate consent for your data to be used as per our defined purposes.  Where consent is collected by a third party, this means that you, the consumer, have agreed to your data being passed to us, as a named data controller and data broker, either at point of consent capture or via a third party that was named at point of consent capture and that we will pass your data on to other organisations for the purposes that were shown at the point of consent capture and/or in an associated privacy policy or within any documentation such as this page that can be accessed as part of the consent capture process.

For details of the companies and sectors that we may share your consented data with, please see Section 5.

4. WHAT KINDS OF PERSONAL DATA DOES EQUIFAX USE, AND WHERE DO THEY GET IT?

(a) CREDIT REFERENCE AGENCY/FRAUD PREVENTION AGENCY PROCESSING

Equifax obtains and uses information from different sources and these may sometimes vary from other CRAs.  Details of the types, description and source of information common to all 3 main CRAs can be found   in CRAIN: www.equifax.co.uk/crain

(b) MARKETING SERVICES PROCESSING

Subject to the type of consent that you provided to the organisation that collected your consent, and based on the data that you provided, the following shows the data that is supplied to and used by Equifax:

Contact Data – Equifax will receive your Title, Name (forename and surname), Postal Address, Email Address and Telephone Number(s) where provided and where you provided consent for this data to be shared.

Date of Birth – Equifax will receive your Date of Birth where you have supplied it
In addition to the data that you provide when registering, Equifax also receives information that is collected at the point your consent is captured.  This data includes:

Consented Contact Channels – an indicator to show which contact channels you have consented to be contacted by, for example post, email or telephone, or a combination of channels;

Date of Consent Capture – this is the date you have registered and provided your consent and where applicable, will also show the most recent date of consent;

Source of Consent – a code will be supplied that shows which organisation has collected your consent;

Named Companies/Sectors– Equifax will hold a list of the sectors and/or company names that were listed, normally in the privacy policy of the website where your consent was captured.

Activities Consented To – Equifax will hold details of the information you were provided with at the point of consent capture which informed you of how your data will be used;

Suppression Data - where you choose to amend or remove your consent to be contacted, Equifax may receive the relevant contact details (e.g. your name, address, telephone number, email address) so that they can be added to our suppression files.  This will ensure that your contact details are removed from any future marketing data that Equifax supplies to its clients and will be shared with some of our clients to enable them to remove you from the data that has been supplied.

The consented data may be used in isolation or combined with other data held by Equifax or its clients.  It will be used to create attributes that help describe an individual, household or geographic area. New attributes are regularly developed and will be added here when available. 

Current attributes include:

  • Demographics - age, gender, marital status, residency confirmation, head of household, household composition (adults and children in a household), length of residency, earliest known residency, number of children
  • Trigger and Events – Had a baby, House for Sale/Rent or in move process
  • Lifestyle - hobbies, interests, purchasing preferences

These attributes can be used for:

  • Analytical purposes
  • To update and correct both Equifax and its clients’ databases
  • To determine your suitability for offers and services

Our current list of Marketing Services’ data providers can be found here with a link to their respective website:

Marketing Source Provider Description of Data Contact Details:
Data Mixx Limited Contact data including:
  • Name and Address;
  • Email Address;
  • Telephone Numbers;

Date of Birth

Data Mixx
Parallel House
32 London Road
Guildford
Surrey
GU1 2AB

Email:
compliance@datamixx.co.uk

Ideal Media Today Limited Contact data including:
  • Name and Address;
  • Email Address;
  • Telephone Numbers

Date of Birth

Attribute Lifestyle data including:

  • Gender;
  • Insurance Renewal Dates;
  • Hobbies and Interests;
  • Investor.
Ideal Media
Third Floor
Capital Tower
Greyfriars Road
Cardiff
CF103AG

Email:
datacompliance@ideal-o.com

Tel:
0870 777 1959

Bounty Limited Contact data including:
  • Name and Address;
Date of Birth
Birth Data
Bounty
29 Broadwater Road
Welwyn Garden City Hertfordshire
AL7 3BQ
Email:
privacy@bounty.com
TwentyCI Limited Mover Data including:
Address
Move Status
Estimated Move Date
TwentyCi Limited
8 Whittle Court
Milton Keynes
Buckinghamshire
MK5 8FT
Email: enquiries@twentyci.co.uk
Tel: 01908 829300

Privacy Policy: www.twentyci.co.uk/privacy-policy/


We also obtain certain publicly available information from sources such as the Edited Electoral Register (the ‘Open Register’) which allows the names and addresses present on it to be used for marketing activities.  The following companies currently receive Edited Electoral Register data from Equifax under Legitimate Interests:

  • Acxiom Limited
  • CACI Limited
  • Express Gifts Limited trading as “Studio” and “Ace”
  • OMNIS Data Limited
  • Shop Direct Limited
  • Vanquis Bank Limited
  • Virgin Media Limited
  • Zopa Limited (and its affiliates)

How to withdraw Marketing Consent(s)/Unsubscribe from Marketing Activity

You may withdraw your consent for your personal data to be used for further marketing activity at any time.

If you wish to withdraw your consent you can either use the contact details in the above table to communicate with the company that supplied your data to Equifax or you can notify us using the contact information provided below.  If you wish to review your marketing permissions, you should contact the relevant company above.

Equifax Contact Details:
Post:      Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS.
Secure email via: www.equifax.co.uk/ask
Phone:  0333 321 4043 or 0800 014 2955

When you do contact Equifax to withdraw your consent for marketing, we will add your data to our marketing suppression files.  These files are applied to the Equifax marketing contact data prior to supplying data to a client in order to remove records that do not have consent to be marketed to.  They may also be shared with some clients in order to ensure they suppress your data from their files.  This process does require that Equifax processes your marketing contact data in order to include it in its suppression files.

5. WHO DOES EQUIFAX SHARE PERSONAL DATA WITH?

This section describes the types of recipient Equifax share data with. Equifax operate our own access control processes.  For example, before we share data with any another organisation, we check that organisation’s identity and, where applicable, confirm where it is registered with regulators.

In many cases where an organisation uses Equifax services, there will be information accessible, for example from a website or at point of application or service, to explain that the organisation may check your data with a credit reference or fraud prevention agency (for things like identity authentication and fraud checking). In some cases, some organisations have the ability to compel CRAs, by law, to disclose certain data for certain purposes.

Members of the Equifax credit data sharing arrangement

Each organisation that shares financial data with Equifax is also entitled to receive similar kinds of financial data contributed by other organisations. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utilities companies and mobile phone providers.

Fraud Prevention Agencies

If Equifax believes that fraud has been or might be committed, it may share data with FPAs. These FPAs collect, maintain and share data on known and suspected fraudulent activity. Equifax and some other CRAs also act as FPAs.

Equifax shares information with the major fraud prevention agency in the UK, Cifas, who can be contacted here:

Equifax shares information with the major fraud prevention agency in the UK, Cifas, who can be contacted here: www.cifas.org.uk and whose fair processing notices are here: https://www.cifas.org.uk/fpn

Resellers/Distributors

Equifax also uses other organisations to help provide its services to clients and may provide personal data to them in connection with that purpose. Details of our current list of such organisations are detailed here and will be updated as appropriate:

Company Details Description of Service
Market Me Now Limited
www.marketmenow.co.uk
Name and address data for postal mailings
GB Group plc (‘GBG’)
www.gbgplc.com
  • Detect fraud in relation to the granting of credit to consumers
  • Assist in the prevention of money laundering
  • Manage risk through ID verification
  • Employee screening to assist with the hiring process
LexisNexis Risk Solutions
https://risk.lexisnexis.co.uk/
  • To help prevent, detect and investigate financial crime and fraud, including identity validation, verification and authentication services.
  • To support tracing, asset reunification, debt collection and general customer data management activities.
  • To comply with various legal and regulatory requirements, such as those required by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA), and to assist in the prevention of money laundering and counter-terrorist financing.
  • To support insurance providers in the underwriting and pricing of insurance policies and assessment of insurance risk
  • For consumer credit risk assessment purposes to promote responsible lending.
  • For internal testing and development, modelling, evaluation and research or scoring.
Communisis UK Limited
www.communisis.com
Name, address and attribute data to support profiling and marketing communications
Iovation Inc.
www.iovation.com
Fraud prevention and authentication tool provider
Sagacity Solutions Limited
www.sagacitysolutions.co.uk
Data management and consultancy provider
Jumio UK Limited
www.jumio.com
Facial biometrics and document validation services
BAE Systems Applied Intelligence Limited
www.baesystems.com/en/cybersecurity/home
Threat analytics, managed security services, financial crime, cyber defence and digital transformation services
CoCreate Design and Marketing Limited
www.cocreatedesign.com
Web application and development services
Synectics Solutions Limited
www.synectics-solutions.com
Detection of potentially fraudulent customer applications for credit, savings, insurance and money transmissions
Fair Isaac Services Limited
www.fico.com
Data analytical services
Threatmetrix Inc.
www.threatmetrix.com
Fraud prevention software


Marketing Services Clients

Equifax has a range of clients with whom it shares Marketing Services data in order to enable them to undertake the activities listed in Section 2(c).  This data can be provided to our clients under consent or under legitimate interests.  Where Equifax supplies Marketing Services data to a client under consent, they will be listed in the Companies table below.  Where Equifax supplies Marketing Services data to a client under legitimate interests, they will be in one of the sectors listed in the Sectors table below.  They may also be listed in the Companies table.

Companies

Company Details Description of Service
Advanced Payment Solutions Ltd (t/a Cashplus)
www.cashplusgroup.com
Name and Address data for postal marketing
Express Gifts Limited trading as “Studio” and “Ace”
www.studio.co.uk
www.ace.co.uk
Name and Address data for postal Marketing
Lendable Operations Limited
www.lendable.co.uk
Name and Address data for postal marketing
Optimum Credit Limited
www.optimumcredit.co.uk
Name and Address data for postal marketing
Shop Direct Limited
www.very.co.uk
www.littlewoods.com
Name and Address data plus attributes for postal marketing
Vanquis Bank Limited
www.vanquis.co.uk
Name and Address data plus attributes for postal marketing
Virgin Media Limited
www.virginmedia.com
Name and Address data plus attributes for postal marketing
Zopa Limited (and its affiliates)
www.zopa.com
Name and Address data plus attributes for postal marketing


Sectors

Primary Sector Sub Sectors
Charity Ages
Charity Animals
Charity  Armed and Ex Services
Charity Arts
Charity Children and Youth
Charity Community
Charity Culture and Heritage
Charity Disabled
Charity Environmental
Charity Education and Training
Charity Employment Trades and Professions
Charity Family
Charity Homeless
Charity Hospices
Charity Human Rights
Charity International
Charity  Learning Disabilities and SEN
Charity Medical Welfare
Charity Mental Health
Charity Overseas Aid
Charity Religious
Charity Rescue Services
Charity Social Welfare
Charity Sports Recreation
Charity Visual Impairments
Finance Pensions
Finance Loans
Finance Credit cards
Finance Mortgages
Finance Automotive (including dealerships and accessories)
Finance Investments & savings
Finance Insurance Home, Car, Travel, Pet, Personal, Other Insurance
FMCG Supermarkets
FMCG Pharmacies
FMCG Consumables
Home and Family Building works
Home and Family Buying
Home and Family Changing Career
Home and Family Children
Home and Family Computers
Home and Family Computing
Home and Family Conservatories
Home and Family Coverings
Home and Family DIY
Home and Family Education
Home and Family Electricity Services
Home and Family Employment
Home and Family Extensions
Home and Family Finding New Employment
Home and Family Floorings
Home and Family Furniture
Home and Family Further Education
Home and Family Garages
Home and Family Gas Services
Home and Family Health Issues
Home and Family Home Appliance
Home and Family Learning
Home and Family Letting
Home and Family LPG Services
Home and Family Oil Services
Home and Family Other Household Utility Services
Home and Family Returning to Work
Home and Family Self-Employment
Home and Family Selling
Home and Family Smoking
Home and Family Stables
Home and Family Starting Work
Home and Family Telephones
Home and Family TV
Legal Accident Claims Management
Legal Claims Management Companies
Legal Debt Collection
Legal Debt Consolidation
Legal Legal Liability Claims
Legal Legal Protection Claims
Legal Legal Services
Legal Packaged Bank Account Reclaim
Legal Personal Accident Claims
Legal Personal Injury Claims
Legal Personal Liability Claims
Legal PPI Companies and Claims
Legal Voluntary Arrangements
Legal Will Writing
Legal Wills
Lifestyle Health & Well-being
Lifestyle Fitness
Lifestyle Charities
Lifestyle Media & publishing companies
Lifestyle Leisure
Lifestyle Gaming
Lifestyle Legal Services
Lifestyle Educational institutions
Lifestyle Photography
Marketing Services Providers Marketing Services Providers
Marketing Services Providers Data Brokers
Media Magazine offers
Media Cinema
Media Competitions
Media Magazine readership
Media Media
Media Media and Publishing
Media Newspaper readership and subscriptions
Media Offers
Media Social Media
Media Specialist Magazines
Media Surveys - Free and Paid
Media Theatre
Media TV and films
Media Web Promotions
Motoring Bicycles
Motoring Boats Powered and Sail
Motoring Caravans
Motoring Gliding
Motoring Helicopter
Motoring Mobile Homes
Motoring Motorbikes
Motoring Motor vehicles
Motoring Motorcycling
Motoring Motorhomes
Motoring Motoring
Motoring Planes
Retail Online retail
Retail General stores
Retail Automotive (including dealerships and accessories)
Retail Property
Retail Home furnishings
Retail Home improvement
Retail Fashion and clothing
Retail Telecoms and utilities
Travel Holidays
Travel Hotel
Travel Airlines
Travel Travel Booking


Other organisations

Some data, where permitted in accordance with industry rules or where it’s public information, can be shared with other organisations that have a legitimate use for it - ID verification services, for example.

Public bodies, law enforcement and regulators

The police and other law enforcement agencies, as well as public bodies like local and central authorities and Equifax’s regulators, can sometimes request Equifax supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax, investigating complaints or assessing how well a particular industry sector is working.

Equifax Group Companies

Equifax shares personal data with other companies within its group where required for the purposes of administration of products/services, IT back office and software support. Such group companies include: Equifax Inc. Equifax Commercial Services Limited, Equifax Consumer Information Services LLC, Equifax Chile and Equifax Costa Rica (“Equifax Group”).

Processors

Equifax uses other trusted organisations to perform tasks on its behalf for the following services:

Service Category Country(s) of Operation
(See section 6. for more information on Equifax overseas processing)
IT  infrastructure and operations software support UK & India
IT back office business process software support India
IT back office helpdesk service support India
IT service management support US
Customer call centre services UK & Philippines
Customer call centre support services US
Processing administration services India
Telephone support services UK
Printing and mailing house services UK
Merchant payment processor for customer payments Ireland
Cloud services provider US
Identity and fraud prevention service provider US
Marketing communication services UK
Confidential Waste Services UK


Many of these services are provided by companies within the Equifax Group: 

Equifax Group Company Details Country(s) of Operation
(See section 6. for more information on Equifax overseas processing)
Description of Service
Equifax Inc. US Administrative support, IT and Security back office software support, software development and cloud disaster recovery
Equifax Commercial Services Limited Ireland Customer call centre and complaints handling services
Equifax Consumer Services LLC US Website portal services
Servicios Equifax Chile Ltda Chile Back office incident and diagnosis support for Interconnect systems
Verdad Informatica de Costa Rica S.A. Costa Rica Back office incident and diagnosis support for Interconnect systems

In addition to the above, Equifax has service arrangements in place with auditors, consulting and professional service providers. A full list of these parties is available on request.

Individuals

People are entitled to obtain copies of the personal data Equifax holds about them. You can find out how to do this in Section 9 below.

6. WHERE IS PERSONAL DATA STORED AND SENT?

Equifax is based in the UK, and keep their main databases there. All information and personal data held by Equifax is stored on encrypted services at a secure physical location. Equifax also has internal policies and controls in place to ensure that personal data is kept secure as well as to minimise the risk of any personal data being lost, misused, disclosed or accidently destroyed.

Equifax also has operations elsewhere inside and outside the European Economic Area, and personal data may be accessed by or transferred to Equifax Group companies or service providers. In both cases, the personal data use in those locations is protected by European data protection standards.

Details of the main processors Equifax use and where they operate can be found above in Section 5.

While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when Equifax does send or allow access to personal data overseas we will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. To do this Equifax:

  • ensures third parties have entered into contractual duty of confidentiality with Equifax;
  • third parties are obliged to implement appropriate technical and organisational measures to ensure the security of personal data;
  • put in place a contract with the recipient containing mandatory terms approved by the European Commission  as providing a suitable level of protection for personal data. These are commonly referred to as Standard Contractual Clauses or ‘EU Model Clauses’.

7. FOR HOW LONG DOES EQUIFAX RETAIN PERSONAL DATA?

Identifiers

Identification data like names and addresses are kept while there’s a continuing need to keep it. This need will be assessed on a regular basis, and data that’s no longer needed for any purpose will be disposed of.

Financial accounts and repayment data

Data about live and settled accounts is kept on credit files for six years from the date they’re settled or closed. If the account is recorded as defaulted, the data is kept for six years from the date of the default.

Court judgments, decrees and administration orders

Generally, court judgments and other decrees and orders are kept on credit files for six years from the date of the judgment, decree or order. But they can be removed if the debt is repaid within one calendar month of the original date or if the judgment is set aside or recalled by the courts.

Bankruptcies, IVAs, debt relief orders and similar events

Data about bankruptcies, IVAs and other insolvency-related events and arrangements are usually kept on credit files for six years from the date they begin. This period is extended if they last longer than six years. Some data, such as a bankruptcy restrictions order, can also remain on the credit file for longer than six years.

Although the start of these events is automatically reported to Equifax, the end (such as a discharge from bankruptcy or completion of an IVA) might not be. This is why people are advised to contact us and the other CRAs when this happens to make sure their credit files are updated accordingly.

Search footprints

Equifax keep most search footprints for one year from the date of the search, although we keep debt collection searches for up to two years.

Derived or created data

Equifax also creates data, and links and matches between data. For example, Equifax keep address links and aliases for as long as they’re considered relevant for credit referencing purposes.

Links between people are kept on credit files for as long as we believe those individuals continue to be financially connected. When two people stop being financially connected, either person can write to us and ask for the link to be removed. We will then follow a process to check the people are no longer associated with each other and then update our records accordingly.

Marketing Services data

Equifax will retain the marketing data that you have provided consent for the period of time we believe appropriate to the type of permission you originally provided and the channel for the marketing activity.

  • For permissions linked to electronic marketing – 24 months from when permission was given
  • For permissions linked to postal marketing – up to 36 months from when permission was given

Other data

Other third party supplied data such as politically exposed persons (PEPs) and sanctions data and mortality data will be stored for a period determined by criteria such as the agreed contractual terms.

Archived data

Equifax holds data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence of legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards. 

8. DOES EQUIFAX MAKE DECISIONS ABOUT ME OR PROFILE ME?

Lending decisions

Equifax doesn’t tell a lender if it should offer you credit – this is for the lender to decide. CRAs provide data and analytics that help lenders make decisions about lending.

Please refer to CRAIN for more details on this:  www.equifax.co.uk/crain

Scores and ratings

When requested, Equifax does use the data we obtain to produce credit, risk, fraud, identity, affordability, screening, collection and/or insolvency scores and credit ratings; these are explained in Section 4 above.

Please refer to CRAIN for more details on this:  www.equifax.co.uk/crain

9. WHAT CAN I DO IF I WANT TO SEE MY PERSONAL DATA HELD BY EQUIFAX? DO I HAVE A ‘PORTABILITY RIGHT’ IN CONNECTION WITH MY EQUIFAX DATA?

Data access right

You have a right to find out what personal data Equifax holds about you and for a copy of this information to be provided to you free of charge.

The most relevant information Equifax holds about you is likely to be contained in your own credit report.

View Statutory Credit Report On-line

Equifax provides a quick and efficient way to access your credit report for free and on-line within a few minutes where we can positively confirm your on-line identity.  Click below to start the process:

https://www.econsumer.equifax.co.uk/consumer/uk/order.ehtml?prod_cd=UKSCR

Request a paper copy of your Statutory Credit Report

You can request a free postal copy of your Statutory Credit Report in two ways, online or via our credit report application form which you can download then post to the following address:

Equifax Ltd
Customer Service Centre
PO Box 10036
Leicester
LE3 4FS

A copy of your Statutory Credit Report will be posted to your home address within one month but is likely to be much quicker than that.

Request a copy of other personal data held by Equifax

You can also request a free downloadable copy (available in PDF format) of the other information Equifax holds about you. Click below to start the process:

https://equifaxuk.custhelp.com/app/answers/detail/a_id/890

It may take us up to one month to collate and provide you with this information.

If you require a copy of your personal data in a format such as braille or audio, please use one of the contact channels detailed in Section 1 above to make your request.

Data portability right

New data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it’s processed on certain grounds, such as consent. This is not a right that will apply to Equifax data where this data is processed on the grounds of legitimate interests. To find out more about legitimate interests please go to Section 3 above.

10. WHAT CAN I DO IF MY PERSONAL DATA IS WRONG?

When Equifax receives personal data, we perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, we can often only rely on our suppliers to provide accurate data.

If you think that any personal data Equifax holds about you is wrong or incomplete, you have the right to challenge it. It’s worth knowing that when acting as a credit reference agency or fraud prevention agency we won’t have the right to change the data without permission from the organisation that supplied it, so we will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy.

If the data does turn out to be wrong, we will update our records accordingly. If we still believe the data showing on your credit report is correct after completing our checks, we’ll continue to hold and keep it - although you can ask us to add a note to your credit report indicating that you disagree or providing an explanation of the circumstances.
If you’d like to do this, please use one of the contact channels detailed in Section 1 above.

11. CAN I OBJECT TO EQUIFAX USE OF MY PERSONAL DATA AND HAVE IT DELETED?

(a) CREDIT REFERENCE AGENCY/FRAUD PREVENTION AGENCY PROCESSING

This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be deleted, in connection with credit reference data. To understand these rights and how they apply to the processing of credit reference data, it’s important to know that the Equifax holds and process personal information in bureau data under the Legitimate Interests ground for processing (see Section 3 above for more information about this), and don’t rely on consent for this processing.

You have the right to lodge an objection about the processing of your personal data to Equifax. If you want to do this, please use one of the contact channels detailed in Section 1 above.

Whilst you have complete freedom to contact Equifax with your objection at any time, you should know that under the General Data Protection Regulation (“GDPR”), your right to object doesn’t automatically lead to a requirement for processing to stop, or for personal data to be deleted, in all cases.

Please note that, because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes the personal data is needed for (like supporting responsible lending, and preventing over indebtedness, fraud and money laundering) it will be very rare that Equifax does not have compelling, overriding grounds to carry on using the personal data following an objection. In many cases, it won’t be appropriate for Equifax to restrict or to stop processing or delete bureau data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise wouldn’t be eligible for.

(b) MARKETING SERVICES PROCESSING

You have the right at any time to stop Equifax (in our capacity as a marketing data broker) using your marketing information in relation to its marketing services activities under consent. 

You also have the right to request your marketing data be removed from our marketing services data where it has been provided under consent.
Post:      Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS.
Secure email via: www.equifax.co.uk/ask
Phone:  0333 321 4043 or 0800 014 2955

12. CAN I RESTRICT WHAT THE CREDIT REFERENCE AGENCIES DO WITH MY PERSONAL DATA?

In some circumstances, you can ask Equifax to restrict how they use your personal data. Your rights are set out at Article 18 of the GDPR. You can find the contact details for Equifax in Section 1 above.

This is not an absolute right, and your personal data may still be processed where certain grounds exist. This is:

  • With your consent;
  • For the establishment, exercise, or defence of legal claims;
  • For the protection of the rights of another natural or legal person;
  • For reasons of important public interest.

Only one of these grounds needs to be demonstrated to continue data processing.

Equifax will consider and respond to requests we receive, including assessing the applicability of these exemptions.

Please note that given the importance of complete and accurate credit records, for purposes including for responsible lending, it will usually be appropriate to continue processing credit report data -in particular, to protect the rights of another natural or legal person, or because it’s an important public interest of the union or member state.

13. WHO CAN I COMPLAIN TO IF I’M UNHAPPY ABOUT THE USE OF MY PERSONAL DATA?

Equifax works hard to give you the best possible service. We try to make it as easy as possible for you to share your concerns with us, and we want you to be happy with how we handle them.

If you have a complaint, please contact our Complaints Team.  Full contact details and the Equifax complaints procedure can be found by clicking here.

If you’re unhappy with how Equifax has investigated your complaint, you have the right to refer it to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like Equifax. You can contact them by:

You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:

  • Phone on 0303 123 1113
  • Email at casework@ico.org.uk (you need to add a subject line of 'Report a Concern')
  • Writing to them at First Contact Team, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  • Going to their  website at www.ico.org.uk

14. WHERE CAN I FIND OUT MORE?

The Information Commissioner’s Office publishes advice and information for consumers in its Credit Explained leaflet, available at https://ico.org.uk/media/for-the-public/documents/1282/credit-explained-dp-guidance.pdf.