Equifax information notice equifax uk

Equifax core activity is credit referencing and together with the other main credit reference agencies (CRAs), Callcredit and Experian, we have drafted a separate document detailing how each CRA commonly use and share personal data we receive about you and/or your business that is part of or derived from or used in credit activity. We have called this document the ‘Credit Reference Agency Information Notice’ (CRAIN) and you can access it here: www.equifax.co.uk/crain

• Prospecting – Contact Data – Equifax creates marketing lists which contain contact data (such as name, address, email address, telephone number) that are provided or sold to clients (where permitted) who use them to contact potential new customers.

This activity is commonly known as Data Broking. Prior to supplying the contact data, Equifax will select those records that are considered to be the most appropriate for the client’s requirements based on a range of data attributes that it holds against each record.

• Prospecting – Contact and Attribute Data – In addition to supplying contact data, the data can be appended with additional information about a consumer (often known as an attribute) which enable organisations to undertake analysis on a marketing list prior to contact in order to identify potential customers that they wish to offer products and services.

• Marketing Data Linking – Equifax will use the contact data to match information on a consumer to other data sources. As an example, an email address held by Equifax will be used to match to an email address within a third party data source in order to enable the data held on a consumer within both data sources to be combined and accessed.

• Data matching: data supplied to Equifax is matched to their existing databases to help make sure it is assigned to the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. Where permitted Equifax use the personal data individuals have provided to its clients together with data from other sources to create and confirm identities, which are used to underpin the services Equifax provide.

Equifax use of this personal data is subject to an extensive framework of safeguards that help make sure that individuals’ rights are protected. These include the information given to individuals about how their personal data will be used and how they can exercise their rights to obtain their personal data, have it corrected or restricted, object to it being processed, and complain if they’re dissatisfied. These safeguards help sustain a fair and appropriate balance to ensure Equifax credit referencing, fraud prevention and marketing services activities don’t override the interests, fundamental rights and freedoms of data subjects.

Where Equifax process and supply contact data to support our Marketing Services under consent for marketing and/or customer management purposes to our clients, this will only be sourced from data suppliers who have collected the appropriate consent for your data to be used as per our defined purposes. Where consent is collected by a third party, this means that you, the consumer, have agreed to your data being passed to us, as a named data controller and data broker, either at point of consent capture or via a third party that was named at point of consent capture and that we will pass your data on to other organisations for the purposes that were shown at the point of consent capture and/or in an associated privacy policy or within any documentation such as this page that can be accessed as part of the consent capture process.

Suppression Data – where you choose to amend or remove your consent to be contacted, Equifax may receive the relevant contact details (e.g. your name, address, telephone number, email address) so that they can be added to our suppression files. This will ensure that your contact details are removed from any future marketing data that Equifax supplies to its clients and will be shared with some of our clients to enable them to remove you from the data that has been supplied.

When you do contact Equifax to withdraw your consent for marketing, we will add your data to our marketing suppression files. These files are applied to the Equifax marketing contact data prior to supplying data to a client in order to remove records that do not have consent to be marketed to. They may also be shared with some clients in order to ensure they suppress your data from their files. This process does require that Equifax processes your marketing contact data in order to include it in its suppression files. 5. WHO DOES EQUIFAX SHARE PERSONAL DATA WITH?

In many cases where an organisation uses Equifax services, there will be information accessible, for example from a website or at point of application or service, to explain that the organisation may check your data with a credit reference or fraud prevention agency (for things like identity authentication and fraud checking). In some cases, some organisations have the ability to compel CRAs, by law, to disclose certain data for certain purposes.

Equifax has a range of clients with whom it shares Marketing Services data in order to enable them to undertake the activities listed in Section 2(c). This data can be provided to our clients under consent or under legitimate interests. Where Equifax supplies Marketing Services data to a client under consent, they will be listed in the Companies table below. Where Equifax supplies Marketing Services data to a client under legitimate interests, they will be in one of the sectors listed in the Sectors table below. They may also be listed in the Companies table.

The police and other law enforcement agencies, as well as public bodies like local and central authorities and Equifax’s regulators, can sometimes request Equifax supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax, investigating complaints or assessing how well a particular industry sector is working.

Equifax shares personal data with other companies within its group where required for the purposes of administration of products/services, IT back office and software support. Such group companies include: Equifax Inc. Equifax Commercial Services Limited, Equifax Consumer Information Services LLC, Equifax Chile and Equifax Costa Rica (“ Equifax Group”).

Equifax is based in the UK, and keep their main databases there. All information and personal data held by Equifax is stored on encrypted services at a secure physical location. Equifax also has internal policies and controls in place to ensure that personal data is kept secure as well as to minimise the risk of any personal data being lost, misused, disclosed or accidently destroyed.

While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when Equifax does send or allow access to personal data overseas we will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. To do this Equifax:

Links between people are kept on credit files for as long as we believe those individuals continue to be financially connected. When two people stop being financially connected, either person can write to us and ask for the link to be removed. We will then follow a process to check the people are no longer associated with each other and then update our records accordingly.

Equifax holds data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence of legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards. 8. DOES EQUIFAX MAKE DECISIONS ABOUT ME OR PROFILE ME?

New data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it’s processed on certain grounds, such as consent. This is not a right that will apply to Equifax data where this data is processed on the grounds of legitimate interests. To find out more about legitimate interests please go to Section 3 above. 10. WHAT CAN I DO IF MY PERSONAL DATA IS WRONG?

If you think that any personal data Equifax holds about you is wrong or incomplete, you have the right to challenge it. It’s worth knowing that when acting as a credit reference agency or fraud prevention agency we won’t have the right to change the data without permission from the organisation that supplied it, so we will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy.

If the data does turn out to be wrong, we will update our records accordingly. If we still believe the data showing on your credit report is correct after completing our checks, we’ll continue to hold and keep it – although you can ask us to add a note to your credit report indicating that you disagree or providing an explanation of the circumstances.

This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be deleted, in connection with credit reference data. To understand these rights and how they apply to the processing of credit reference data, it’s important to know that the Equifax holds and process personal information in bureau data under the Legitimate Interests ground for processing (see Section 3 above for more information about this), and don’t rely on consent for this processing.

Please note that, because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes the personal data is needed for (like supporting responsible lending, and preventing over indebtedness, fraud and money laundering) it will be very rare that Equifax does not have compelling, overriding grounds to carry on using the personal data following an objection. In many cases, it won’t be appropriate for Equifax to restrict or to stop processing or delete bureau data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise wouldn’t be eligible for.

Please note that given the importance of complete and accurate credit records, for purposes including for responsible lending, it will usually be appropriate to continue processing credit report data -in particular, to protect the rights of another natural or legal person, or because it’s an important public interest of the union or member state. 13. WHO CAN I COMPLAIN TO IF I’M UNHAPPY ABOUT THE USE OF MY PERSONAL DATA?