TRANSUNION GENERAL PRIVACY NOTICE
Date adopted: 12th April 2019
This document provides a high-level overview about how we use and share personal data across TransUnion Information Group (TU UK). More detailed information can be found at the TransUnion Privacy Centre or in other privacy information you may have been given. This notice covers the following topics:
You have the right to object and withdraw your consent to our use of your personal data. Please see section 8 to find out more.
We are TU UK, which is a group of companies with headquarters at One Park Lane, Leeds, West Yorkshire LS3 1EP. The members of TU UK are listed in section 4 below.
TU UK forms part of a larger group of companies. However, this General Policy only covers the activities of TU UK.
Different companies in TU UK have different roles and responsibilities for different sets of personal data. Where a member of the TU UK acts as a controller of personal data it is responsible for ensuring that the data is used fairly and lawfully.
You can contact us about issues relating to personal data, including the contents of this notice, by any of the following methods:
Post: Customer Services Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP
Telephone: 0330 024 7574
This section explains how and why we use personal data, and where we get it from.
Products and services
Many of our products and services rely on personal data. For example:
- Our credit referencing services involve gathering personal data from credit providers and other organisations, and sharing that data with lenders for credit risk assessment and other purposes. This includes information about credit repayments, court judgments and insolvencies. See the Credit Reference Agency Information Notice for more details.
- Our data marketing services involve gathering personal data from data suppliers and sharing that data with organisations who use it for marketing and related purposes. This includes contact details and information about individuals’ lifestyles and preferences.
- Our consumer products (such as Immobilise) involve gathering data from consumers, such as their names and contact details. We use that information to provide the users with our services. See the privacy notices on the relevant websites for more details.
We use and share data for evaluation purposes. This includes assessing its suitability for a particular purpose and, for example, deciding whether or not it would be useful to us as part of a product or service. Sometimes it may be necessary to share data with a third party in order for them to be able to match it to data that they hold and return additional data to us.
When we evaluate data, we apply a range of safeguards to protect the interests of consumers. For example, we anonymise or pseudonymise the data where possible, we ensure it is protected with appropriate security measures, and we limit the quantities of data and the period for which it is used and retained.
Operating our business
We use personal data as part of our own internal operations. For example:
- We hold names, job titles and contact details that we get from our business contacts (such as the representatives of our clients and suppliers), and we use this to manage our relationship with them and for marketing purposes. See our Business Contact Data Privacy Notice for more details.
- We hold names, contact details and other information that we get from consumers who make contact with us, and we use that information to deal with their enquiries. See our Consumer Contact Data Privacy Notice for more details.
- We hold information about our members of staff, and we use that information to manage our relationship with them. The information includes details such as employment and educational history, background checks and performance appraisals. Members of staff can find more information on the staff intranet.
- We use CCTV cameras throughout the public areas of our business premises to help ensure the safety of our staff and visitors and the security of our information and assets.
- We use personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from consumers or regulators about how we have used personal data.
This section explains the legal basis on which we process personal data.
The UK’s data protection law allows the use of personal data where necessary for legitimate purposes provided that this isn’t outweighed by the impact it has on the relevant individuals. The law calls this the “legitimate interests” condition for processing personal data.
Most of our processing activities are based on the legitimate interests condition. This includes almost all of our credit referencing and data marketing services. For more details about the legitimate interests we are pursuing, please refer to the relevant privacy notices (see links above).
We sometimes rely on consent from the relevant individuals in order to process their personal data, but this is relatively rare. It is used as the basis for sending marketing materials to consumers by email, telephone, SMS or similar methods, for example.
Performance of our contract with the relevant individual
When a person signs up to one of our websites, we agree to provide them with products and services as set out in the Terms & Conditions for the relevant website. We need to use some of their personal data in order to be able to provide them with those products and services.
We also use this basis for processing some of our staff data.
Our group companies
We may share personal data among the members of TU UK companies where appropriate. A list of TU UK companies is set out below, although the list may be updated from time to time.
Main trading address
TransUnion Information Group Limited
(company no. 4968328)
One Park Lane, Leeds, West Yorkshire LS3 1EP
TransUnion International UK Limited
(company no. 3961870)
Callcredit Marketing Limited
(company no. 2733070)
Callcredit Data Solutions Limited
(company no. 5749125)
Callcredit Lead Generation Limited
(company no. 5373447)
(company no. 5202547)
(company no. 3794898)
Callcredit Public Sector Limited
(company no. 4152031)
3rd Floor, Red Lion Buildings, 12 Cock Lane Smithfield, London EC1A 9BU
Callcredit Spain, S.L.
(tax ID number B87839510)
Paseo de la Castellana, 259C, 16th floor, 28046 Madrid, Spain
Confirma Sistemas de Información, S.L.
(tax ID number B86303757)
Av. de la Industria, 18, 28760 Tres Cantos, Madrid, Spain
Soluciones Confirma ASNEF-SIGNE, S.L.
(tax ID number B86016649)
(company no. 5953359)
The Corporation Trust Center, 1209 Orange Street, Wilmington, Delaware 19801, USA
(company no. 5542430)
720 S. Colorado Boulevard, Penthouse North, Denver, Colorado 80246, USA
TransUnion Baltics, UAB
(company no. 302689020)
4th Floor, Zalgirio Arena, Karaliaus, Mindaugo pr. 50, Kaunas LT- 44333, Lithuania
Vilniaus m. sav . Vilniaus m. J. Jasinskio g. 16B, LT-01112, Lithuania
We may provide personal data to third parties who help us use it for the purposes described in section 2. For example:
- Our databases of personal data may be hosted by third parties on our behalf.
- Some of our products and services rely on us sending personal data to third parties who then analyse or enhance it and return the results to us.
- We use third party email broadcasting services in order to send emails or SMS messages.
- We use payment service providers in relation to any payments made by individuals.
- We sometimes use market research companies to help us better understand our customers.
- Our CCTV system is operated by a specialist sub-contractor, Cube Group Limited.
These service providers are generally not allowed to use information for their own purposes or on behalf of other organisations.
If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.
We may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.
We are based in the United Kingdom, and will access and use personal data from here. However, we also have operations elsewhere in the European Union – currently the Netherlands, Lithuania and Spain – and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.
We also send information elsewhere in the world. For example:
- When one of our overseas group companies or branch offices based overseas needs to use the information. Currently, these overseas offices are in Dubai and the United States.
- Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.
While countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:
- Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
- Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection. One example is the “Privacy Shield” scheme that has been agreed between the European and US authorities.
We keep personal data only for as long as is necessary for the purposes for which it is held. You will need to contact us (see section 1) or refer to the privacy notices for our specific activities in order to find out exactly how long the data is kept for.
We perform various profiling activities using personal data. When we refer to profiling, we mean using personal data to make predictions about people, or to categorise them into particular groups.
- Our credit referencing services include calculating and sharing credit scores. A credit score indicates our view about a person’s creditworthiness at a particular point in time.
- Our data marketing services involve combining personal data with other information such as census statistics in order to make predictions about people’s lifestyles or preferences.
We generally do not use personal data or profiling to make automated decisions that have significant effects for individuals, but some of our clients may do so. For example, clients who receive credit scores from us may use those scores to help them decide whether or not to grant credit to a particular person.
You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please use the contact details set out in section 1.
- Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it.
- Withdrawal of consent: When we rely on your consent to use your data (see section 3 above), you have the right to withdraw that consent at any time.
- Objection to direct marketing: You have the right to object to us using your personal data for direct marketing purposes. If you do this we will stop using it for those purposes.
- Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
- Objection to legitimate interests: If you disagree with us relying on the legitimate interests grounds for using your personal data (see section 3 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
- Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it.
- Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
- Portability: You have the right to receive some limited kinds of information in a portable format.
We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us using these details:
Post: Customer Relations Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP
Telephone: 0330 024 7574
You can also contact our Data Protection Officer at firstname.lastname@example.org
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at www.ico.org.uk, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.