Privacy Hub
MyEquifax and Website Privacy Notice
This privacy notice explains how Equifax processes personal data as part of its core credit reference agency (CRA) activities. These processing activities often relate to personal data that has not been collected directly from the individual.
Last updated: December 2024
You will know us as Equifax but our legal name is Equifax Limited (“Equifax”, “we”, “our” and “us”). We are committed to protecting the privacy of individuals who use myEquifax products and services (“myEquifax”) and users visiting the Equifax.co.uk website, which includes Equifax Online Help (the “Website”).
This MyEquifax and Website Privacy Notice (“Privacy Notice”) describes how and why Equifax uses personal data relating to:
- individuals who enquire about or receive myEquifax products and services, such as Credit Report and Score (including WebDetect and SocialScan), CreditWatch, Equifax Protect, Equifax Webdefend and the Statutory Credit Report via the Website or through some other means;
- users of the Website; and
- those who communicate with us (“You”).
You should read this Privacy Notice to understand what we are doing with your personal data, including our lawful basis for processing it, who we share it with and your rights in relation to your personal data. “Personal data” is any information that relates to a living identifiable person. Your name, address and contact details are all examples if they identify you. To “Process” means any activity relating to personal data, including its collection, storage, transfer or other use.
Equifax is a “Controller” of your personal data, which means that we make decisions about how and why we process it. As a Controller, we’re responsible for making sure that it’s processed in accordance with data protection laws.
We also make available other privacy notices which relate to specific Equifax products or services, or other Equifax group companies. These apply in conjunction with this Privacy Notice, so please ensure that you read every relevant notice. Our privacy notices include:
Privacy Notice | Processing Activities |
MyEquifax and Website Privacy Notice (THIS NOTICE) | This privacy notice explains how Equifax processes personal data relating to its myEquifax products and services (e.g. Credit Report and Score, WebDetect and Social Scan) and users of the Equifax website. These processing activities usually relate to personal data that has been collected directly from the individual or from the individual’s direct use of myEquifax products and services, as well as the Equifax website. |
Equifax Credit Reference and Related Services Privacy Notice | This privacy notice explains how Equifax processes personal data as part of its core credit reference agency (CRA) activities. These processing activities often relate to personal data that has not been collected directly from the individual. |
This privacy notice, produced with Experian and Transunion (the other key CRAs), explains how personal data is processed for core credit referencing activities. This often relates to personal data that has not been collected directly from the individual. | |
This privacy notice explains how Equifax’s group company, TDX Group Limited, processes personal data to support clients with debt management and recovery. | |
This privacy notice explains how Equifax’s group company, Consents Online Limited, processes personal data to provide clients with access to consumer transaction data held within payment accounts. This is known as open banking. | |
This privacy notice describes how and why Equifax processes personal data to administer our Workforce Solutions database and related services. |
CONTENT OF THIS PRIVACY POLICY:
- How can you contact us?
- What types of personal data do we process and where do we get it?
- What do we do with your personal data and why?
- Who do we share your personal data with and why?
- Where in the world is your personal data processed?
- How do we communicate with you?
- How do we safeguard your personal data?
- How long do we keep your personal data?
- Cookies and other digital tracking technologies
- What are your rights in relation to your personal data?
- Changes to this privacy policy
1. HOW CAN YOU CONTACT US?
You can contact us by:
- Post: Equifax Limited, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS.
- Website: https://www.equifax.co.uk/Contact-us/Contact_Us_Personal_Solutions.html
- Equifax Online Help: www.equifax.co.uk/ask
- Phone: 0333 321 4043 or 0800 014 2955
Equifax has a dedicated Data Protection Officer (DPO) who can be contacted by:
- Post: Equifax Limited, Data Protection Officer, PO Box 10036, Leicester, LE3 4FS.
- Email: UKDPO@equifax.com
2. WHAT TYPES OF PERSONAL DATA DO WE PROCESS AND WHERE DO WE GET IT?
Depending on your use of myEquifax, the Website and any contact with us (through the Website or otherwise), we will collect and/or receive the following types of personal data:
Category | Type of personal data | Collected from |
Contact Information |
| You directly (e.g. where prompted to provide it or when you contact us, including through the Website). MyEquifax Family Plan main account holders (when inviting additional users to join) In relation to the Equifax Protect and Equifax WebDefend products, from third party companies that are your existing or former employer or otherwise provide services to you |
Website Information |
| The device you use to access the Website. |
myEquifax Information |
| You directly (e.g. where prompted to provide it when signing up to receive myEquifax products and services). From third party sources, in relation to the WebDetect and Social Scan products (e.g. where we have identified potentially stolen data relating to you or at risk information included on your social media profile). In relation to the Finance Monitor product, from Consents Online Limited (an Equifax Group company). For more information, see the Equifax and Consents Online Open Banking Privacy Notice. |
Survey and Feedback Information |
| You directly (e.g. when requested to provide it). Equifax uses a third party review provider, Trustpilot, to receive and publish reviews from consumers. Reviews are submitted via the Trustpilot platform in the first instance and we then show a selection of these on our website. For more information about Trustpilot’s privacy practices, please see their privacy terms here. |
Special Category Information |
| You directly or a third party acting on your behalf. |
3. WHAT DO WE DO WITH YOUR PERSONAL DATA AND WHY?
We process your personal data for specific purposes in connection with:
- your use of our Website;
- any myEquifax products and services you have enquired about, receive from us or have been invited to sign up for;
- your communications with us;
- any other engagements you may have with us; and
- the management and administration of our business.
We are required by law to always have a lawful basis (meaning a reason or justification) for processing your personal data. There are a number of lawful bases set out in data protection law but we consider the following to be most relevant to our processing of your personal data:
- The processing is necessary in order for us to enter into or perform a contract with you (Contract)
- The processing is necessary to comply with a legal obligation (Legal Obligation)
- The processing is necessary for the legitimate interests pursued by us or a third party, and these are not overridden by your interests or fundamental rights (Legitimate Interests)
- The processing is on the basis of your consent (Consent)
The table below sets out the purposes for which we process your personal data and the lawful bases we rely on for that processing.
Where we have indicated that our use of your personal data is necessary for us to enter into or perform a contract with you, and you choose not to provide the relevant personal data, we may not be able to enter into or continue our arrangement with you. Practically, this may mean that you are not able to access certain areas of our Website or receive certain services.
Purpose of Processing | Consent | Contract | Legal Obligation | Legitimate Interests |
Using your Contact Information to respond to your enquiries and/or complaints | ✔ (it is in our mutual interest to respond) | |||
Using your Contact Information to send you information relevant to any services your receive from us | ✔ (where we are required to provide any information under contract) | ✔ (it is in our mutual interest that you be updated with pertinent information) | ||
Using your Contact Information to invite you to open a Family Plan additional user account | ✔ (it is in our mutual interest that you receive an invitation) | |||
Using your Contact Information to assist in connecting your accounts to Finance Monitor | ✔ (it is in your interest that your Contact Information is pre-populated to be shared with Consents Online Limited) | |||
Using your myEquifax Information (specifically your financial account transaction data, including bank accounts) to assist you in monitoring your financial circumstances | ✔ (it is in your interest to assist you in monitoring your financial circumstances) | |||
Using your Contact Information and myEquifax information (name, DOB, current address and email address) for identity verification purposes, which may require sharing your personal data with third party identity verification provider, Mitek | ✔ (where consent is legally required, for example for the processing of biometric data) | ✔ (it is in our mutual interests to verify your identity) | ||
Using your Contact Information to send you direct marketing as set out in the section HOW DO WE COMMUNICATE WITH YOU (below) | ✔ (where consent is legally required) | ✔ (it is in our mutual interest to ensure that you are updated about products/services that may be of interest) | ||
Using your Contact Information to request Survey and Feedback Information to help us improve our products, services and customer service | ✔ (it is in our mutual interest to improve our products, services and customer service) | |||
Using Survey and Feedback Information from a third party review provider to promote our business, our Website, our products and services, and to help us improve our products, services and customer service | ✔ (it is in our mutual interest to improve our products, services and customer service) | |||
Using Website Information to ensure the operation and performance of the Website (please also see our COOKIE NOTICE) | ✔ (we need to ensure that the Website functions correctly) | |||
Using Website Information to improve the functionality of the Website | ✔ (it is in our mutual interest to improve the Website) | |||
Using your myEquifax Information to provide you with myEquifax products and services that you have enquired about, purchased or been invited to | ✔ (where such processing is necessary for us to provide the product/service) | ✔ (it is in our mutual interest to provide our product/service to you) | ||
Using Contact Information, Website Information and/or myEquifax Information to enable you to create accounts and log-in, or otherwise gain access to myEquifax products and services through the Website | ✔ (where we are required to provide access under contract) | ✔ (it is in our mutual interest to provide you with a private log-in to access services) | ||
Using assigned rewards codes to manage your subscriptions with third party rewards providers | ✔ (where such processing is necessary for us to provide the reward and manage your subscription) | |||
Using any relevant personal data to establish and enforce our legal rights or to comply with a court order, law enforcement requirement (or other legally mandated request) or legal obligation | ✔ | |||
Using any relevant personal data for our general record keeping and Website user management | ✔ (where we are required to maintain records under contract) | ✔ (we may need to store Website user data so that we can refer back to it) | ||
Using any relevant personal data in relation to managing the proposed or actual sale, restructuring or merging of any or all parts of our business | ✔ | ✔ (we have a legitimate interest in being able to sell or restructure our business and maintain continuity for us or a buyer) |
Where processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. If you decide to withdraw your consent, we will stop processing your personal data for that purpose unless there is another lawful basis that applies and we are relying on – in which case, we will let you know.
Please note that in order to provide certain myEquifax products, such as those related to your credit rating, your credit reference personal data is processed as explained in the Equifax Credit Reference and Related Services Privacy Notice and CRAIN.
Fraud Prevention Agencies (FPAs)Equifax is also a Fraud Prevention Agency (FPA) and a member of Cifas, which is a not-for-profit fraud prevention service. This means we collect, maintain and share personal data related to known and suspected fraudulent activity. Where Equifax identifies potential fraud, it may share that information with Cifas so that other Cifas members can access it. This enables them to perform additional checks when, for example, a credit application is made in your name. If fraud is detected, you could be refused certain services, finance or employment. Please see the Cifas Privacy Notice for more information.
Anonymised DataWe may convert your personal data into statistical or aggregated form so that you are not identified or identifiable, thereby protecting your privacy and creating anonymised data. Anonymised data is not personal data so we may use this data to conduct research and analysis, including to produce statistical research and reports to help us understand and improve the use of our Website.
Special Category Personal DataWe process personal data in relation to your physical and mental health if you have a disability or vulnerability that you or someone on your behalf has made us aware of. Such processing is only ever with your consent and is for the strictly limited purposes of ensuring that we can communicate with you appropriately and amend our services to assist you.
4. WHO DO WE SHARE YOUR PERSONAL DATA WITH AND WHY?
Equifax may share your personal data with:
- its affiliates, i.e. companies that control, are controlled by, or under common control with Equifax; and
- selected third parties that we work with.
These recipients within and outside our group may be processing your personal data on our behalf as a service provider (see below) or they may be processing it for their own purposes as a Controller.
We have summarised the categories of recipients with whom we are likely to share your personal data:
- Service providers: Equifax may share your personal data with entities that provide services to us, such as vendors and suppliers that provide Equifax with technology, services, and/or content for the operation and maintenance of the Website. Access to your personal data by these service providers is strictly limited to the information reasonably necessary for the service provider to perform its function. Equifax takes steps to help ensure that service providers keep your personal data confidential and comply with Equifax’s privacy and security requirements.
- Rewards partners: Equifax may share your personal data with third-party organisations that provide you with rewards, benefits or services (such as a Tastecard) associated with your product or service.
- Identity verification partners: Equifax may share your personal data with third-party partners to verify your identity.
- Disclosure for legal reasons or as necessary to protect Equifax: Equifax may release personal data to other parties: (1) to comply with valid legal requirements such as laws, regulations, search warrants or court orders; (2) in special cases, such as a physical threat to you or others, a threat to public security, or a threat to Equifax’s systems or network; or (3) where Equifax believes it is necessary to investigate or prevent suspected or actual harm, abuse, fraud or illegal conduct.
- Changes in Equifax‘s corporate structure: If all or any part of Equifax is sold, merged or otherwise transferred to another entity (including a transfer of Equifax‘s assets), the personal data you have provided to Equifax may be transferred as part of that transaction.
5. WHERE IN THE WORLD IS YOUR PERSONAL DATA PROCESSED?
Equifax Limited is a UK based company and the majority of our processing of your personal data takes place within the UK. However, Equifax Limited is part of a global group of companies, therefore your personal data may be transferred to other group members outside of the UK and/or the European Economic Area (EEA). In addition, some of our service providers may have processing operations in other jurisdictions.
While data protection laws in some jurisdictions may not provide the same level of protection to your personal data as it is provided under UK data protection laws, Equifax takes steps to ensure the appropriate protections are in place before knowingly transferring personal data outside of the UK/EEA.
Non-UK Website Users: The Website is intended for users within the United Kingdom. If you use this Website from outside the United Kingdom, please be aware that personal data you provide to Equifax or that Equifax obtains as a result of your use of this Website may be processed and transferred to the United Kingdom and be subject to the laws of the United Kingdom.
EU-U.S. and the UK Extension to the EU-U.S. Data Privacy FrameworksEquifax Inc. and its U.S. subsidiary Kount Inc. (together, "Equifax US") comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Equifax US has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom in reliance on the UK Extension to the EU-U.S. DPF. Equifax US adheres to the EU-U.S. DPF Principles for consumer data. If there is any conflict between the terms in this Privacy Notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view the Equifax certification, please visit the DPF’s website here.
Details regarding the collection, purpose, and storage of your data, as well as information regarding the use of third parties to perform services on our behalf may be found within this Privacy Notice. In the context of an onward transfer, Equifax has responsibility for processing personal data it receives under the DPF and subsequently transfers to a third party for external processing. If personal data received under the DPF is transferred to a third party, the third party's access, use, and disclosure of personal data must also be in compliance with our DPF obligations, and we will remain liable under the DPF for any failure to do so by the third party unless we prove we are not responsible for the event giving rise to the damage.
If you have a question or complaint related to participation in the DPF, we encourage you to contact the Data Protection Officer using the contact details provided in Section 1. How Can you Contact Us?. Please reference “Data Privacy Framework” when contacting us about the DPF. For any complaints related to the DPF that Equifax cannot resolve directly, we have chosen to cooperate with the relevant EU Data Protection Authority, or a panel established by the European data protection authorities, for resolving disputes with EU individuals, and the UK Information Commissioner’s Office (ICO) for resolving disputes with UK individuals. As further explained in the DPF Principles, binding arbitration is available, under certain conditions, to address residual complaints not resolved by other means. Individuals seeking additional information can visit the DPF Annex I for more information. Equifax US is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) and may be required to disclose personal data handled under the DPF in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
6. HOW DO WE COMMUNICATE WITH YOU?
We will use your personal data to communicate relevant information to you in relation to your use of the Website, to respond to any queries or complaints you have and to provide updates in relation to myEquifax products and services you receive from us.
In addition, we would like to keep you up-to-date with other products and services we provide that may be of interest to you. If you have enquired about or purchased myEquifax products and services, you will have been given the option to opt-out of receiving our newsletter and other direct marketing communications. If you have not chosen to opt-out, we will continue to send marketing communications to you.
You can opt-out of receiving direct marketing at any time by either contacting us using the details above, or following the instructions within each marketing communication.
We also use targeting and third party cookies and other digital tracking technologies on our Website, which track your browsing habits and tailor advertising to you. Please see our COOKIE NOTICE which explains our use of cookies and other digital tracking technologies and how you can amend your preferences.
7. HOW DO WE SAFEGUARD YOUR PERSONAL INFORMATION
Equifax is committed to protecting the security of your personal data. We implement appropriate technical and organisational measures, taking into account the nature, scope, context and purposes for processing, as well as the likelihood and severity of risks to your rights and freedoms.
8. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We retain your personal data for strictly limited periods of time and for no longer than is necessary to fulfil the purposes for which we are processing it. For example, we typically retain personal data relating to myEquifax customers for as long as they receive those products and services and for a period of up to 6 years following cancellation. In limited and specific cases, it may be reasonably necessary for us to retain your personal data for a longer period.
The factors that direct how long we retain personal data for include the following:
- laws or regulations we are required to follow;
- whether we are in a legal or other type of dispute with each other or any third party;
- the type of personal data held about you; and
- whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.
For more information about our retention periods, please contact us.
9. COOKIES AND OTHER DIGITAL TRACKING TECHNOLOGIES
Cookies and other digital tracking technologies help us to provide essential services, make sure the Website functions as it should, help us analyse and understand how you use it, personalise your experience and show you adverts relevant to you and your interests on the Website and on third party platforms. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. Please note that some parts of our Website may become inaccessible or not function properly if you disable or refuse cookies. For more information about what cookies and other digital tracking technologies are, how we use them and how to set or amend your preferences, please read our COOKIE NOTICE.10. WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA?
In certain circumstances, data protection laws provide you with a number of rights in relation to your personal data. You can exercise your rights by contacting us using the details provided above.
Your rights include:
- The right of access. This is also known as a data subject access request (DSAR) and allows you to receive copies of your personal data and be provided with certain information in relation to it, such as the purpose for processing. Click here for more information about how to exercise this right.
- The right to rectification, which requires us to correct inaccuracies in your personal data. Please see the section below called ‘Personal Data Corrections’ for more information.
- The right to erasure. This is also known as the right to be forgotten, and allows you to request that we erase your personal data. This right only applies in certain circumstances.
- The right to restrict processing, which requires us to restrict the processing of your personal data in certain circumstances;
- The right to data portability. This allows you to receive the personal data that you have provided to us in a machine readable format, where we are processing it on the basis of consent or have entered into a contract with you and the processing is automated.
- The right to object. In certain circumstances you can object to our processing of your personal data, such as for direct marketing purposes.
- The right not to be subject to automated decision-making, which allows you to raise queries, concerns and request a human review in relation to any decision made solely on the automated processing of your personal data.
In addition to the above, you have the right to obtain your statutory credit report free of charge. Your statutory credit report contains the personal data we hold about you that is relevant to your financial standing. Click here for more information about how to exercise this right.
Personal Data CorrectionsWe want to make sure that your personal data is accurate and up-to-date, however, as a credit reference agency, much of the personal data we hold about you is received from lenders and banks. We are not able to automatically amend this information. Instead, we are required to follow a set process of informing the relevant lender/bank and seeking their clarity as to the validity of the data. While we do so, we make a note on your file that a rectification request has been made.
For more information about your rights in relation to our core credit referencing activities (most commonly the personal data that has not been collected directly from you), please see the Equifax Credit Reference and Related Services Privacy Notice.
Complaint to the Supervisory AuthorityYou have the right to lodge a complaint with the UK’s data protection regulator, the Information Commissioner’s Office (ICO), if you are unhappy about how we have processed your personal data. More information can be found on the ICO’s website here, however, we would really appreciate the chance to deal with your concerns before you approach the ICO and so we ask that you please contact us first.
11. CHANGES TO THIS PRIVACY POLICY
Equifax may make changes to this Privacy Notice in the future. The revised notice and its effective date will be published on this Website