February 20, 2019 (15 mins read)

TransUnion bureau privacy notice

This document provides an overview about how we use and share personal data that we receive and use in connection with our credit risk and affordability checking, fraud prevention, anti-money laundering, identity verification and tracing services, and some of our related services. It covers the following topics:

1. Who we are and how you can contact us

2. What we use personal data for

3. What kinds of personal data we use, and where we get it from

4. What our legal grounds for handling personal data are

5. Who we share the personal data with

6. Where the personal data is stored and sent

7. How long the personal data is kept for

8. Whether the personal data is used to make decisions about you or to profile you

9. Your rights in relation to the personal data we hold about you

10. Who you can complain to if you are unhappy about the use of your personal data

You have the right to object to our use of your personal data. Please see section 9 to find out more.


We are TransUnion Information Group (formerly Callcredit Information Group), which is a group of companies with headquarters at One Park Lane, Leeds, West Yorkshire LS3 1EP.

TransUnion Information Group forms part of a larger group of companies. However, this privacy notice only covers the activities of TransUnion Information Group.

The TransUnion companies which control the personal data to which this privacy notice relates are Callcredit Limited (company number 03961870) and Callcredit Public Sector Limited (company number 04152031). This means that they are each responsible for ensuring that the personal data is used fairly and lawfully.

You can contact us about issues relating to personal data, including the contents of this notice, by any of the following methods:

Post: Consumer Services Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP


Telephone: 0330 024 7574


This section explains the purposes for which we use personal data about you. More detail about the types of personal data that we might use for these purposes can be found in section 3 below.

Providing services to the organisation you are dealing with

We use your personal data to provide services to the organisation you are dealing with. These services might include, for example, credit risk and affordability checking, fraud prevention, anti-money laundering checks, identity verification, and tracing for debt collection purposes.

For example:

  • If you have applied for credit from one of our clients, they will send your data to us so that we can find you in our databases and return information about your credit history. They will use that information in order to assess your creditworthiness and decide whether you will be able to repay them.
  • If you need to prove your identity to an organisation, they may check the details you provide against the information on our databases in order to help confirm that you are who you say you are.
  • If you owe money to one of our clients and have moved without telling them, they may use our services in order to find your new address and other contact details so that they can contact you to arrange repayment.

More information about how we (and other credit reference agencies) use personal data in these kinds of service can be found in the Credit Reference Agency Information Notice.

Providing services to our other clients

We use personal data to provide services to organisations other than the one you are directly dealing with. For example, if we receive a large number of identity verification checks against a particular person in a short space of time, this may be an indicator that someone is attempting to commit identity theft or another form of fraud. When this happens, we use that indicator to provide real time fraud alerts to clients who have subscribed to that service.

More information about how we (and other credit reference agencies) use personal data in these kinds of service can be found in the Credit Reference Agency Information Notice.

Product or systems development and testing

We may sometimes use personal data while improving, developing or testing our products and systems. This includes making sure that our security measures are working properly. Where possible, we will anonymise or pseudonymise the data before doing this.

Legal and regulatory purposes

We may use your personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from you or a regulator about how we have used your personal data.


When a client uses our services they will typically send us information such as:

  • Identifiers (including your name, date of birth, and current and previous addresses). This helps us to match your information to the other information we hold in our databases.
  • The purpose for which they are requesting information about you.
  • Other relevant details such as the nature of your credit application.

When we receive that information, we match it against the other information that we hold in order to find and return additional information about you. Depending on the service we are providing, this can include information such as your credit history, credit score, any court judgments or insolvency-related events, fraud prevention indicators, and additional contact details or address history. It can also include similar kinds of information about people who are financially associated with you.

More information about the kinds of personal data we hold, and where we get it from, can be found in the Credit Reference Agency Information Notice.


Legitimate interests

The UK’s data protection law allows the use of your personal data where necessary for legitimate purposes provided that this is not outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.

The legitimate interests we are typically pursuing when providing services to our clients are:

  • Promoting responsible lending and helping to prevent over-indebtedness: Responsible lending means that lenders only sell products that are affordable and suitable for the borrowers’ circumstances. We help ensure this by sharing personal data about potential borrowers, their financial associates where applicable, and their financial history. A comprehensive range of measures exists in the UK to underpin the balance so that the legitimate interests are not outweighed by the interests, fundamental rights and freedoms of individuals. Further explanation about this balance is set out below.
  • Helping prevent and detect crime and fraud; anti-money laundering; and identity verification: We provide identity, anti-fraud and anti-money laundering services to help clients meet legal and regulatory obligations, and to the benefit of individuals to support identity verification and support of the detection and prevention of fraud and money-laundering.
  • Supporting tracing and collections: We provide services that support tracing and collections where there is a legitimate interest in the client conducting activity to find its customer and to recover the debt, or to reunite, or confirm an asset is connected with, the right person.
  • Complying with and supporting compliance with legal and regulatory requirements: We have to comply with various legal and regulatory requirements, and our services also help other organisations comply with their own legal and regulatory obligations. For example, many kinds of financial services are regulated by the Financial Conduct Authority or the Prudential Regulation Authority, who impose obligations to check that financial products are suitable for the people they are being sold to. We provide data to help with those checks.

Our use of personal data is subject to an extensive framework of safeguards that help make sure that your rights are protected. These include the information you are given about how your personal data will be used and how you can exercise your rights to obtain your personal data, have it corrected or restricted, object to it being processed, and complain if you are dissatisfied. These safeguards help sustain a fair and appropriate balance so that our activities do not compromise your interests, fundamental rights and freedoms.

Necessity for compliance with a legal obligation

We sometimes need to use your personal data in order to comply with a legal obligation that we are under. For example, if you submit a request to us for a copy of your personal data, either directly or through a third party that you have authorised to act on your behalf, we will normally be legally required to provide that personal data. See section 9 below for details of what requests you can make and how to make them.


This section describes the types of recipient we can share data with.

Users of our services

We share data with users of our services. Please refer to section 2 for examples of this kind of data sharing.

We sometimes use other organisations such as resellers, distributors and agents to help provide our services to clients and may provide personal data to them in connection with that purpose.

Service providers

We may provide your information to third parties who help us use it for the purposes described in section 2. For example, our databases of personal data may be hosted by third parties on our behalf.

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations, unless you agree otherwise.

Our group companies

In some circumstances we may share your personal data among the members of TransUnion Information Group. If we do so, then use of the data by those companies will be governed by this privacy notice.

You and your financial associates

You are entitled to obtain copies of the personal data that we hold about you. You can find out how to do this in Section 9 below.

Similarly, your financial associates are also entitled to obtain copies of the personal data that we hold about them.

Other credit reference agency data sharing activities

For a broader description of how we share data in our capacity as a credit reference agency, please refer to the Credit Reference Agency Information Notice.

Business transfers

If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.


We may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office or the Financial Conduct Authority.


Within Europe

We are based in the United Kingdom, and will access and use your information from here. However, we also have operations elsewhere in the European Union – currently the Netherlands, Lithuania and Spain – and personal data may be accessed from there too. In these cases, the use of the information in those locations is protected by European data protection standards.


We also send information elsewhere in the world. For example:

  • When one of our overseas Group companies or branch offices based overseas needs to use the information in accordance with this notice. Currently, these overseas offices are in Dubai and the United States.
  • Where we perform a search of non-UK anti-fraud databases.
  • Where we use cloud-based technology or a data centre or backup facility overseas. People in other countries may also need to access that database for purposes such as technical support or system development and testing.

While countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. As a result, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. For example, these safeguards might include:

  • Putting in place a contract with the recipient containing terms which have been approved by the authorities as providing a suitable level of protection.
  • Sending the information to an organisation which is a member of a scheme which has been approved by the authorities as providing a suitable level of protection. One example is the “Privacy Shield” scheme that has been agreed between the European and US authorities.

If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above.


When we receive personal data from a client in order to provide services to them we will keep a copy of that data for a period of time in order to investigate any data supply or data load issues, restore our systems in the event of a data loss incident, and in order to investigate and respond to any complaints, claims and enquiries that we may receive from consumers, clients or regulators.

Information about how long we keep data in our capacity as a credit reference agency is available in the Credit Reference Agency Information Notice.



We do not use your personal data to make automated decisions about you. For example, as a credit reference agency, we do not decide whether or not you should be granted credit – this is for the lender to decide.

We provide data and analytics that help our clients make decisions about lending and other matters, but our clients’ own data, knowledge, processes and practices will also generally play a significant role in their decisions – and those decisions will always be for them to make.

Scores and ratings

We do use the data we hold to produce credit, risk, fraud, identity, affordability, screening, collection and insolvency scores and credit ratings. For example, in a credit score, the following factors will usually have an effect:

  • How long you have lived at your address.
  • The number and type of credit agreements you have, and how you use those credit products.
  • Whether you have been late making payments.
  • Whether you have had any court judgments made against you.
  • Whether you have been bankrupt or have had an IVA or other form of debt-related arrangement.
  • The number of credit-related searches that organisations have made against your credit file, for example when you apply for a loan or credit card, or when a debt collection agency requests information about you.


You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To enquire about exercising these rights, please use the contact details set out in section 1.

If you are looking for information about your rights in relation to the personal data we hold in our capacity as a credit reference agency, please refer to the Credit Reference Agency Information Notice.

  • Withdrawal of consent: Data protection law provides a right to withdraw consent, but it does not apply to the personal data covered by this privacy notice because we do not rely on your consent to process that personal data.
  • Objection to direct marketing: Data protection law provides a right to object to direct marketing, but we do not use the personal data covered by this privacy notice for direct marketing so it is not relevant.
  • Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
  • Objection to legitimate interests: If you disagree with us relying on the legitimate interests grounds for using your personal data (see section 4 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
  • Erasure: In certain circumstances you can ask us to delete your personal data from our systems. However, this usually will not apply to all of your data because we might have good reason for needing to keep some of it.
  • Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
  • Portability: You have the right to receive some limited kinds of information in a portable format. However, this right typically does not apply to the personal data to which this privacy notice applies.


We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us using these details:

Post: Customer Relations Team, TransUnion Information Group, One Park Lane, Leeds, West Yorkshire LS3 1EP


Telephone: 0330 024 7574

You can also contact our Data Protection Officer at

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.