+44 (0) 203 026 7437
- info@whitehalllending.com
Thank you for visiting www.whitehalllending.com (the “Website“). The Website is operated by Whitehall Capital, trading as “White Hall Lending Limited”, a company registered in England and Wales under company registration number 11662569 and its registered office address situated at Langley House, Park Road, London, England, N2 8EY. References in this Privacy Policy to “we”, “us”, “our” and “ourselves” are references to White Hall Lending Limited. References to “you” or “your” are references to any person reading this Privacy Policy.
We take the privacy of our Website users seriously and we are committed to protecting your privacy in compliance with European Union (EU) and United Kingdom (UK) data protection laws and regulations, including from the 25 May 2018, the General Data Protection Regulation (EU 2016/679) “Data Protection Laws”. This Privacy Policy explains what personal data (see below for details of what this means) is collected about you via the Website (including, without limitation, via any ‘web-chat’ facility that is accessible via the Website “Web-Chat“) and what we do with that personal data. Please see our Cookies Policy below for information of how the Website (including Web-Chat) uses cookies, and your choices regarding cookies use.
We encourage all of our customers to familiarise themselves with this Privacy Policy to understand our views and practices regarding your personal data collected via the Website and how we will treat it.
We reserve the right in our sole discretion to amend this Privacy Policy from time to time. In this event, we will post the revised policy on the Website and we will notify you of any material changes via a banner on the Website. This Privacy Policy (together with our website terms of use https://whitehalllending.com/website-terms-of-use/ and any other documents referred to on it) sets out the basis by which any personal data we collect about you via the Website (or you provide to us) will be processed by us. By visiting the Website you are accepting the practices set out in this Privacy Policy.
Where you interact with us other than through the Website (e.g. via the phone or where you make a loan application by post or through a broker), this Privacy Policy may be supplemented by separate privacy policies, notices or other privacy related information which will apply to personal data obtained by us (or on our behalf) other than through the Website. This additional privacy information will be made available to you at the relevant point at which we collect your personal data.
If you do not agree to your personal data being used in the manner described in this Privacy Policy then please do not provide this to us. However, please note that some functionality of the Website may be restricted/ unavailable where you do not provide us with any personal data we request.
We provide this Privacy Policy to make you aware of our practices in connection with your privacy and of the choices you can make about the way your personal data is collected via the Website and used.
We are committed to ensuring the security of your personal data.
Data Protection Laws place obligations on us to process your information fairly and lawfully and to keep it secure. For the purposes of Data Protection Laws, the controller of your personal data which is collected through the Website when users make an online enquiry is White Hall Lending Limited of 4 Hill Street, Mayfair, London, W1J 5NE.
Data Protection Laws require that we meet certain lawful grounds before we are allowed to use your personal data in the manner described in this Privacy Policy and that we explain these legal grounds to you. We take our responsibilities under Data Protection Laws seriously, including meeting these conditions. To use your personal data, we will rely on the following lawful grounds (more than one ground may be relevant to each example of our processing):
The Website provides users who are interested in our products/services with an opportunity to submit online enquiries to us. The personal data that you may provide to us through the Website is set out below:
The Website also uses cookies. Please see our Cookies Policy below for information about the cookies we use and your choices in relation to cookie use.
We will only use the personal data you provide to us as described in this Privacy Policy, including any supplemental privacy information, as set out above.
We will observe the rights granted to you under applicable Data Protection Laws and will ensure that queries relating to privacy issues are dealt with promptly and in a transparent manner. See below for details about how to contact us and how to exercise your right to obtain copies of your personal data from us under Data Protection Laws.
We will only collect and process your personal data where we have lawful grounds to do so.
We will update our records if you inform us that your details have changed. Please tell us (see contact details below) as soon as possible about this. We will update our records promptly once we are satisfied that the new information (such as your new address or contact detail) is accurate.
We will store and process your personal data on our computers. Please see the Data Security header below for details about how we keep your personal data secure, in line with our obligations under Data Protection Laws.
We will use your personal data collected (including from any third parties, where relevant and lawful) to:
Please note that our services / products may be available via other websites (e.g. broker or intermediary websites) and we may link to other websites through the Website. We are not in control of these websites. Their use of your personal data is governed by their privacy policies.
We therefore recommend that you check the policy of each website that you visit and make sure that you are comfortable with the terms of such policies before providing any personal data.
We may use third parties to provide services on our behalf which may include processing (but not using themselves for their own purposes) your personal data and this means we will disclose your personal data to them.
We will provide your personal data to the following categories of third parties:
Other than set out in this Privacy Policy (and supplemental privacy information, notices and/or statements where relevant), we will not otherwise disclose, sell or distribute your personal data we collect via the Website to any third party without your permission unless we are required to do so by law.
In addition to the disclosures described above, we may disclose your personal data to:
We take steps with a view to permanently deleting, destroying or anonymising your personal data (which means that we are no longer able to identify you from it) when it is no longer necessary for its purpose and we are not required by law to keep it.
How long we keep your personal data depends upon the purpose for which your personal data was collected was provided. Generally however:
We currently do not intend to transfer your personal data to third parties and organisations who hold data outside of the European Economic Area (EEA). However, some third party suppliers or service providers may have back up or disaster recovery data centres that are located in multiple jurisdictions outside the EEA (for example, in the United States). This may mean that in certain limited circumstances personal data is transferred to countries which do not provide the same level of protection for personal data as the EEA.
Where your personal data is being transferred outside the EEA, we will ensure that appropriate safeguards are in place, such as the use of the EU Commission approved model contract clauses to protect your information in accordance with Data Protection Laws.
You have a number of rights under Data Protection Laws in relation to the way we process your personal data. These are set out below. You may contact us using the details below to exercise any of these rights and we will respond to any request received from you within one month from the date of the request.
DESCRIPTION OF RIGHT | |
Right 1 | Individuals have the right to be informed about the collection and use of their personal data. |
Right 2 | A right to access personal data held by us about you. |
Right 3 | A right to require us to rectify any inaccurate personal data held by us about you. |
Right 4 | A right to require us to erase personal data held by us about you. This right will only apply where (for example): we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent (if we are using your personal data based on your consent); or where you object to the way we process your data (in line with Right 6 below). |
Right 5 | A right to restrict our processing of personal data held by us about you. This right will only apply where (for example): you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but you require the data for the purposes of dealing with legal claims. |
Right 6 | A right to receive personal data, which you have provided to us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation, at your request. |
Right 7 | A right to object to our processing of your personal data (including for the purposes of sending marketing materials to you). |
Right 8 | Rights related to automated decision making including profiling (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process. |
If you would like to exercise the rights listed above, you can send a request:
In accordance with our obligations under Data Protection Laws, to prevent unauthorised access to or disclosure of your personal data (including card payments), maintain data accuracy, and ensure the appropriate use of your personal data, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the personal data we collect online.
However, you acknowledge that, unfortunately, the transmission of information via the internet, including the online enquiry forms you submit to us and/or any information provided Web-Chat (should we enable that functionality), is not completely secure. We cannot guarantee the security of your data transmitted to the Website: any transmission (i.e. your sending of the personal data to us) is at your own risk. Once we have received your personal data, we will use the steps detailed above to protect it.
You should be aware that there are inherent risks in transferring personal data over the Internet. For example, if you send us an e-mail from your private mailbox, we cannot guarantee the security of the content during its transmission to us. For that reason, please do not send to us an unsecured e-mail with confidential information such as your National Insurance or bank account number (if provided by us) or other identification parameters, or any sensitive personal data.
If you are not happy with the way in which your personal data is held or processed by us, or if you are not satisfied with our handling of any request by you in relation to your rights or any automated profiling that we carry out, our Data Protection Officer would be happy to help. You can contact our Data Protection Officer at Whitehall Capital, 4 Hill Street, Mayfair, London, W1J 5NE
Alternatively, you have the right to complain to the Information Commissioner’s Office (ICO) by calling 0303 123 1113. The ICO is the UK’s independent body set up to uphold information rights. You can find out more about the ICO on its website (www.ico.org.uk/).
Thank you for visiting www.whitehalllending.com (the “Website“). The Website is operated by Whitehall Capital, trading as “White Hall Lending Limited”, a company registered in England and Wales under company registration number 11662569 and its registered office address situated at Langley House, Park Road, London, England, N2 8EY. References in this Privacy Policy to “we”, “us”, “our” and “ourselves” are references to White Hall Lending Limited. References to “you” or “your” are references to any person reading this Privacy Policy.
This Cookies Policy explains what cookies are used by the Website and what we do with the information we obtain from those cookies. Please see our Privacy Policy above for information of how the Website collects your personal data.
We encourage all of our customers to familiarise themselves with this Cookies Policy to understand how the Website uses cookies and your choices in relation to cookies usage. We reserve the right in our sole discretion to amend this Cookies Policy from time to time. In this event, we will post the revised policy on the Website. We encourage you to periodically re-read this Cookies Policy so that you remain informed as to how the Website uses cookies. We may, where necessary, notify users of any modified version of this Cookies Policy that might materially affect the way in which the Website uses cookies. We may do so via a banner on the Website which users will see at their next visit.
This Cookies Policy sets out how the Website (including (without limitation) any ‘web-chat’ facility) uses cookies. A cookie is a text-only string of information that a website transfers to the cookie file of the browser on your computer’s hard disk so that the website can remember who you are. A cookie will typically contain the name of the domain from which the cookie has come, the “lifetime” of the cookie, and a value, usually a randomly generated unique number. Where we make reference to ‘cookies’, we also include reference to other similar technologies, for example digital and pixel tags, which operate in a similar manner to cookies.
A description of the types of cookies used by the Website and how we use them can be found below. We may update this description from time to time. As mentioned, steps will be taken to draw this to the user’s attention and to collect appropriate new consents at that time, where necessary.
When users use the Website they will be using a browser and this means that they can control, block or restrict cookies through their browser settings. Information on how to do this can be found within the Help section of the browser used. All cookies are browser specific. Therefore, if you use multiple browsers or devices to access websites, you will need to manage your cookie preferences across all of these elements. In addition when you first visit our Website you will see a cookies consent banner or pop-up which draws your attention to the fact that cookies are used and which links through to this Cookies Policy.
There are also several online resources that can provide more information on cookies and how they can be controlled within a variety of different web browsers. Please visit either http://www.aboutcookies.org or http://www.allaboutcookies.org for more information.
If you use a mobile device to access the Website, you will need to refer to your instruction manual or other help/settings resource in order to find out how to control cookies on the particular device.
Please note: if you restrict or delete cookies, you may experience a loss of functionality while accessing the Website and you will be treated as a first time visitor the next time you visit the website.
The Website uses session cookies (which expire once a user closes their web browser), session cookies are analysed by Google Analytics and give us information about the time you spent on the Website, which parts of the Website you visited and any click-through you followed in the Website. The Website may also use persistent cookies (these remain on a user’s computer or other device when they close their web browser – until such time as they expire or the user deletes them).
We have grouped the cookies used by the Website into the following categories, to make it easier for you to understand why we use them:
You might notice that some cookies on the website are not related to us (i.e. White Hall Lending Limited). This is because some of the pages on the Website contain embedded content from third party websites – such as video from YouTube, Twitter or LinkedIn for example. Because this content is from another website, we do not control the cookies which relate to this. If a user wants to change their cookie preferences to block these third party cookies, they should check the third party websites for information on how to manage their cookies.
We may also embed social sharing icons throughout the Website. These sharing options are designed to enable users to easily share the Website’s content with their friends using a variety of different social networks. These social sharing sites may set a cookie when a user is logged into their service. Please note that we do not control the dissemination of these cookies and users should consult the relevant third party website for information on how these cookies are used and how the user can control them.
There are three main credit reference agencies in the UK. Each is regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct business as a credit reference agency. The full names and contact details for each are set out below.
Credit reference agency | Contact details |
Equifax Limited | Post: Equifax Limited, Customer Service Centre PO Box 10036, Leicester, LE3 4FS
Web address: https://www.equifax.co.uk/Contact- us/Contact_Us_Personal_Solutions.html
Email: UKDPO@equifax.com
Phone: 0333 321 4043 or 0800 014 2955 |
Experian Limited | Post: Experian, PO BOX 9000, Nottingham, NG80 7WP
Web address: https://www.experian.co.uk/consumer/contact- us/index.html
Phone: 0344 481 0800 or 0800 013 8888 |
TransUnion International UK Limited | Post: TransUnion, One Park Lane, Leeds, West Yorkshire, LS3 1EP
Web address: https://www.transunion.co.uk/consumer/consumer- enquiries
Email: consumer@transunion.co.uk
Phone: 0330 024 7574 |
In this information notice, these three companies are referred to as Equifax, Experian and TransUnion respectively. Together they are referred to as credit reference agencies.
Each credit reference agency is a controller of the credit reference data that it holds. This means that it has certain responsibilities under data protection law to make sure that the data is used fairly and lawfully.
Where a credit reference agency operates as part of a group of companies, it may share joint responsibility with the other members of that group when sharing data with them. You can contact the relevant credit reference agency using the details above if you want to enquire about any of those group companies or exercise any of your rights in respect of your personal data.
Credit reference agencies use credit reference data in products and services that they offer to their clients. The purposes for which those products and services are used are described below, but please note that different clients may use the products and services in different ways. Consumers should check the privacy policies of the organisations that they deal with for details about how they use any products and services provided by the credit reference agencies.
Each credit reference agency uses credit reference data to provide credit reporting services and affordability checks to its clients.
Credit reporting
Organisations use credit reporting services to see how people and businesses are managing payments in respect of their credit arrangements and how they have done so in the past. For example, if a person applies for a bank loan to buy a car, the bank may use credit reporting services to check whether that person has defaulted on any previous credit agreements. It will then use this information, together with information from other sources, to assess the risk of offering the loan.
Affordability checks
Organisations use affordability checks to help understand whether people or businesses applying for credit are likely to be able to afford the repayments. The information provided as part of the affordability checks may affect a person’s or business’s ability to obtain credit.
These activities help promote responsible lending, prevent people and businesses from getting into more debt than they can afford, and reduce the amount of unrecoverable debt and insolvencies.
The credit reference agencies use credit reference data to provide validation and verification services and other services to help prevent fraud, money laundering and other criminal activity.
Some examples of how credit reference agency clients use these services are as follows:
An indication of invalid or unverified information, fraud, money laundering or other criminal activity may affect the outcome of an application for (amongst other things) a product or service, a tenancy agreement or employment. If clients using the services identify potentially fraudulent activity they may also pass the applicant’s details to a fraud prevention agency such as Cifas and/or to the police.
Credit reference agencies use credit reference data to provide products and services for organisations to use for customer management purposes. Customer management is the ongoing maintenance of an organisation’s relationship with its customers. This could include activities designed to support:
Credit reference agencies use credit reference data to provide products and services that allow organisations to trace people. This is typically needed where a person has moved address or changed their telephone number and has not provided their new contact details. The credit reference agencies help organisations locate customers they have lost contact with by providing them with updated addresses and other contact details.
The products and services are used to support organisations’ debt recovery and debtor tracing activity. For example, if a person owes money to an organisation and moves to a new house without telling the organisation where they have moved to, the organisation may use these services to help find that person to recover the money that is owed to them.
These products and services are also used to find people in order to let them know about assets that they may have forgotten about or not be aware of, such as old dormant savings accounts or pension funds, or to find people to let them know about assets of a deceased person which they have an interest in, such as administrators or beneficiaries of a deceased person’s estate.
Please also see section 2(h) below which describes how some of the credit reference agencies provide tracing services for marketing purposes.
Credit reference agencies use credit reference data to provide products and services that allow landlords to verify some of the information provided by their prospective tenants, as well as confirming that they are who they say they are and that they are likely to be willing and able to pay their rent on time. Landlords can use this information to help decide whether to agree to the tenancy, or how much of a deposit they should ask for.
Credit reference agencies use credit reference data to provide products and services that allow organisations to verify some of the information provided by their staff and job candidates and confirm that they are who they say they are. They also enable employers to assess whether the staff member or candidate has a history of managing their own financial commitments well, or whether they are financially compromised. This can be used to help them decide whether the person would be or will continue to be a suitable member of staff.
Credit reference agencies use credit reference data to provide products and services for organisations to use to assess insurance risk. For example, an insurer may find that a person’s financial standing and history can be used to help predict how likely that person is to make a claim on an insurance policy, or how large that claim might be. This can help the insurer to decide (i) whether to provide insurance to a person, and (ii) how much the insurance premium should be, and (iii) whether to allow payment for insurance on a credit instalment basis.
Overview
Each credit reference agency offers its clients marketing services. Some of these marketing services use credit reference data and some do not. For details about the marketing services offered and the personal data used by the credit reference agencies, please see the following links:
Experian: https://www.experian.co.uk/privacy/consumer-information-portal
Equifax: https://www.equifax.co.uk/ein.html
TransUnion: https://www.transunion.co.uk/legal/privacy-centre?#pc-marketing-services
As well as other rights, consumers have the right to object to the processing of their credit reference data for direct marketing purposes, including any profiling that is related to direct marketing. Section 11 sets out more details on how this right can be exercised.
If a credit reference agency provides marketing services, then they may use an individual’s title, name (including aliases), address, date of birth, gender and address links information (see section 4 for more detail), as well as limited information relating to their financial standing.
Screening out
Credit reference agencies use credit reference data to provide screening services to their clients. This means that they identify people who clients may wish to screen out of marketing lists. Screening is used to help ensure that individuals do not receive irrelevant or inappropriate marketing information.
For example, a client may want to screen out from its marketing list someone who is deceased, or who is under 18, or does not reside at the address they hold, or who may not be interested in a product or service or is unlikely to be accepted for it.
Other marketing-related activities
In addition, credit reference agencies may use credit reference data to offer some or all of the following marketing services:
Credit reference agencies use, and allow their clients to use, credit reference data to carry out profiling of consumers through statistical analysis. This includes the creation, validation and use of scorecards, models, and attributes in connection with the assessment of risks relating to credit, fraud, affordability and debt collection. It is also used in verifying identities, to monitor and predict market trends and to enable clients to refine lending and fraud strategies, and loss forecasting.
These practices profile consumers to help determine the likelihood that a consumer with certain characteristics will act in a way that will produce certain outcomes; for example, to repay credit, to be able to afford credit, to claim on an insurance policy, to commit fraud, to respond to certain collection strategies or to become insolvent.
The credit reference agencies may also convert personal data into statistical or aggregated form so that individuals are not identified or identifiable (thereby creating anonymized data). Anonymized data is not personal data and the credit reference agencies may use such data to conduct research and analysis, including to produce statistical research and reports or for any other purposes.
Credit reference agencies use credit reference data to carry out certain processing activities to support their own business operations. This includes supporting the effectiveness, efficiency and security of their databases, products and services, both in the context of their credit reference activities and more widely. For example:
Each credit reference agency has its own processes and standards for data management activity.
The credit reference agencies use credit reference data to help develop new products, services and technologies and to test them. Typically, credit reference agencies will anonymise credit reference data before it is used for these purposes.
The credit reference agencies use and disclose credit reference data where required by law. For example, this can happen in response to a court order or a request from a regulator, or in order to comply with a request from a person (or by a third party acting on their behalf), to exercise their legal rights in respect of the credit reference data, such as by requesting a copy of it.
Data protection law requires the credit reference agencies to always have what is referred to as a “lawful basis” (i.e. a reason or justification) for processing personal data. There are a number of lawful bases available, but the majority of credit reference agencies’ activity is on the basis that:
For information about any other lawful basis relied on by each credit reference agency, please review their individual information notices (see section 14).
The credit reference agencies use credit reference data to pursue their legitimate interests, those of their clients and those of individuals. The following table explains these legitimate interests. The credit reference agencies have carried out assessments and have concluded that these interests are not overridden by the interests or fundamental rights and freedoms of individuals.
Interest | Explanation |
Promoting responsible lending and helping to prevent over-indebtedness | Responsible lending means that lenders only sell products that are affordable and suitable for the borrowers’ circumstances. This is in the interests of borrowers so that they do not become burdened with debt that they cannot afford to repay, and the stress associated with that. It is also in the interests of lenders in that it reduces bad debt and collections activity. Credit reference agencies facilitate responsible lending by providing services that allow lenders to access information about a person (and anyone with whom they have a financial association, such as a joint account), including how they are managing current debt, have managed debt in the past and whether they have sufficient income to repay the debt. |
Helping prevent and detect fraud, money laundering and validate and verify identity | Credit reference agencies provide identity, anti- fraud and anti-money laundering services to help clients meet legal and regulatory obligations. These services benefit individuals by facilitating prompt access to services through identity verification, and helping to protect them against fraud, and other criminal activity.
Prevention and detection of fraud, money laundering and other criminal activity is in the legitimate interest of the credit reference |
| agencies and their clients. It is also to the benefit of wider society and therefore in the public interest. |
Customer and data management activities for the benefit of consumers and businesses. | Credit reference agencies provide services which help businesses maintain the quality of the data they hold and to make informed decisions about how they engage with their customers.
It is in the legitimate interests of the credit reference agencies to offer these services to their clients but it is also in the legitimate interests of both the consumer and businesses by helping ensure that data held is accurate, comprehensive and up-to-date and that informed and responsible decisions can be made particularly in the context of lending decisions. |
Supporting tracing and debt recovery | Credit reference agencies provide services that support tracing and collections where the client has a legitimate interest in conducting activity to find its customers and to recover debt, or to reunite, or confirm that an asset relates to the right person. |
Enabling landlords to check the suitability of their prospective tenants | Credit reference agencies enable landlords to verify some of the information provided by their prospective tenants, as well as confirming that they are who they say they are and that they are likely to be willing and able to pay their rent on time. This helps the landlord to decide whether to agree to the tenancy, or how much of a deposit they should ask for; and it reduces the risk that the tenancy relationship will subsequently break down. It also helps tenants to avoid getting into legal difficulties where they have agreed to pay rent that they cannot afford. |
Enabling employers to check the suitability of their current and prospective staff | Credit reference agencies enable employers to verify some of the information provided by their staff and job candidates and confirm that they are who they say they are. They also enable employers to assess whether the staff member or candidate has a history of managing their own financial commitments well, or whether they are financially compromised. This can help reduce the risk of fraud and can help the employer to decide whether the person is or would be a suitable member of its staff. All of which is in the legitimate interest of those employers. |
Enabling insurers to calculate and price risk more accurately | Credit reference agencies enable insurers to consider certain kinds of credit reference data when they are assessing risk. This data can help the insurer decide whether to provide cover to a person, and how much the insurance premium should be. This enables them to better forecast their future liability and to price their insurance products more accurately and competitively. For consumers, it means that insurance policies are priced more fairly, with the lowest-risk individuals paying less for their insurance. |
Supporting compliance with legal and regulatory requirements | Credit reference agencies’ services may be used by their clients to help them comply with their own regulatory obligations, for example, complying with anti-money laundering obligations and regulations set by the FCA which require lenders to assess the creditworthiness of individuals who apply for loans. This is in the legitimate interest of clients. Further, these regulatory obligations are in place in the interests of wider society, so facilitating compliance with them indirectly benefits society as a whole, which is in the public interest. |
Promoting responsible, efficient and informed marketing activities for the benefit of consumers and businesses. | Credit reference agencies provide services to support organisations in ensuring that their marketing strategies are responsible, informed and efficient. This helps them to reduce waste (driving costs down and increasing competition) and avoid sending communications to individuals who are less likely to be interested in receiving them or who should not receive them. More information is available from each credit reference agency about the legitimate interests relied on for their marketing services activities by visiting:
Experian: https://www.experian.co.uk/privacy/consumer- information-portal
Equifax: https://www.equifax.co.uk/ein.html
TransUnion: https://www.transunion.co.uk/legal/privacy- centre?#pc-marketing-services |
Commercial interests | It is in each of the credit reference agencies’ legitimate interests to provide the services described above to its clients to generate sales revenues. |
The credit reference agencies’ use of credit reference data is subject to an extensive framework of safeguards that balance the legitimate interests set out above with the fundamental rights and freedoms of the people whose data the credit reference agencies use and share. The framework includes information given to people about how their personal data will be used and how they can exercise their rights to obtain their personal data, have it corrected, erased or restricted, object to it being processed, and complain if they are dissatisfied. It also includes extensive due diligence checks on clients, robust contractual arrangements and internal data management processes that the credit reference agencies have in place. These safeguards help sustain a fair and appropriate balance and to protect the rights and freedoms of individuals.
In some circumstances the credit reference agencies are required by law to use or share personal data in particular ways. This happens, for example, when a court, law enforcement agency or regulator makes a legally binding request or order for disclosure of personal data. It also happens when individual consumers exercise their rights, for example by requesting a copy of their own personal data from a credit reference agency.
Each credit reference agency obtains and uses personal data from different sources, so they often hold information that is different to some degree from that held by the others. However, most of the personal data they hold falls into the categories outlined below from the sources described.
Information type | Description | Source |
Identifiers | Credit reference agencies hold personal data that can be used to identify people, such as name, date of birth, and current and previous addresses.
They may also hold business data including name, address and details of shareholders and directors. | This data is part of some of the other data sources mentioned below in this table.
Data about UK postal addresses is obtained from commercial sources such as Royal Mail. |
Electoral register data | Credit reference agencies hold information from the electoral register (also known as the ‘Electoral Roll’). There are two versions of this. One is known as the open register (also known as the ‘Edited Electoral Roll’ or ‘EER’) and can be used for a variety of purposes including marketing. The other is the full register which the credit reference agencies can only use for limited purposes. | This data is supplied by local authorities across the UK and the Isle of Man. |
Credit account performance data | Credit reference agencies receive personal data about how people are managing to repay their credit commitments.
The data includes the name of the lending organisation, the date the account was opened, the account number, the amount of debt outstanding (if any), any credit available (including overdraft limits) and the repayment history on the account, including late and missing payments. | This data is provided from banks, building societies and other financial services providers such as credit card companies, home credit suppliers, credit unions and hire purchase companies. It is also provided by utilities companies, mobile phone networks, retail and mail order companies and insurance companies. |
Rental related data | Some credit reference agencies receive personal data about whether people are managing to pay their rent on time.
The data includes tenancy reference, start date, end date, rental amount, arrangement amount and outstanding balance. | This data is provided by social housing providers and private landlords. |
Bank account turnover data and application salary data | This data includes the name of the organisation providing current accounts, current account numbers, sort codes, the number of account holders, the transactions made on the current accounts (credits and in some cases debits), and a figure for credits on each current account.
Application salary data consists of the salary declared by a person when they are applying for credit. It also includes whether that figure is net or gross, and whether the salary has been verified (e.g. with copies of salary slips). This data also includes the date that an application was made. | This data is provided from organisations which offer people current accounts, such as banks and building societies. |
Judgment data | Credit reference agencies obtain data about court judgments and decrees. This may include, for example, the name of the court, the nature of the judgment, how much money was owed, and whether the judgment has been satisfied. | The government makes court judgments and other decrees and administrative orders publicly available through statutory public registers. These are maintained by Registry Trust Limited, which supplies the data on the registers to the credit reference agencies. |
Insolvency data | Credit reference agencies obtain data about insolvency-related events. This includes data about bankruptcies, administration orders, individual voluntary arrangements, debt relief orders, sequestrations, trust | This data is obtained from The Insolvency Service, the Accountant in Bankruptcy, The Stationary Office and Northern Ireland’s Department for the |
| deeds and debt arrangement schemes. This data includes the start and end dates of the relevant insolvency or arrangement. | Economy – Insolvency Service, the London, Belfast and Edinburgh Gazettes and Registry Trust Limited.
Business insolvency data is obtained from the London, Belfast and Edinburgh Gazettes. |
Fraud prevention indicators | This data consists of information which indicates that an individual has demonstrated behaviour that appears to be consistent with that of known fraudulent conduct. It also consists of information where an individual has been a victim of identity fraud, or feels that his or her personal data is vulnerable due to a breach. | This data is obtained from Cifas, a not for profit fraud prevention membership organisation. |
Search footprints | When an organisation uses a credit reference agency to make enquiries about a person, the credit reference agency keeps a record of that enquiry. This is known as a ‘search footprint’. This includes the name of the organisation, the date, and the purpose for which the enquiry was made, for example, employee vetting. | Credit reference agencies generate search footprints automatically when enquiries are made about a person. |
Scores | Credit reference agencies and their clients use credit reference data to produce scores including in relation to credit, affordability, fraud, identity, collections and insolvency. | The credit reference agencies use algorithms known as ‘scorecards’ to produce scores by running credit reference data through scorecards.
Similarly, other organisations create their own scores from data obtained from the credit reference agencies as well as other sources. |
Other third-party data | This data includes phone numbers and email addresses, data concerning politically exposed persons (PEPs) and people on sanctions lists as well as mortality data. | Credit reference agencies receive this data from reputable commercial sources under contracts agreed from time to time. |
Other data credit reference agencies create (not already referred to in this table) | The credit reference agencies derive certain data from the credit reference data. For example:
Summarised and aggregated data: credit reference agencies can summarise credit | The credit reference agencies generate this data from the data sources available to them. |
| reference data, for example by providing a count of the total number of accounts or judgments a person has, or the total amount of debt. They can also aggregate data about different consumers together, for example to provide an overview of the financial status of particular postcodes and other geographical areas.
Address links: when a credit reference agency detects that a person has moved to a new house, it may create and store a link between the old and new address.
Aliases: when a credit reference agency believes that a person has changed their name, it may record the old name alongside the new one.
Financial associations and linked people: when a credit reference agency believes that two or more people are financially linked with each other (for example, because they have a joint account), it may record that fact. Flags and triggers: the credit reference agencies may create flags and triggers that they use in their systems to highlight that certain credit reference data exists or to summarise that data. For example, if the credit reference agencies hold fraud data from the fraud organisation known as Cifas, they may create a flag indicating this fact. This flag would highlight to clients that the data is available and give them the opportunity to ask for more details. |
|
Data provided by individuals themselves | People sometimes provide data about themselves directly to credit reference agencies. For example, individuals have the right to ask credit reference agencies to add a short statement that will be displayed when an organisation sees credit reference data about them. This statement is known as a ‘notice of correction’ and can be used to allow the person to explain the reason for an entry. The right to do this is explained in section 10 below). | This data is provided directly by individuals themselves |
| If a person exercises any of their other legal rights, the credit reference agencies will retain data relating to these activities, for example, records will be kept of all actions and correspondence relating to managing complaints. |
|
This section describes the types of organisation credit reference agencies share data with. Before sharing data with any third party each credit reference agency will, where appropriate, complete its own due diligence checks to ensure that the organisation is a real business and has applicable regulatory authorisations in place.
Credit reference agencies supply their products and services to clients in various sectors, such as banks, building societies, other credit providers, utility companies, mobile phone companies, insurance companies, credit report providers, retailers, gaming organisations, tenant and employee vetting firms, professional services organisations (such as firms of solicitors and accountants), estate agents, landlords, marketing companies, charities and public bodies such as the police, central and local government and regulators.
Certain organisations that share financial data with the credit reference agencies are members of closed user groups which entitle them to receive similar kinds of financial data contributed by other organisations in the group. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utilities companies and mobile phone networks.
Credit reference agencies sometimes use other organisations to help provide their products and services to clients. To do this, they may provide credit reference data to them so that they can provide the services.
The credit reference agencies may use other external organisations and other members of their own groups of companies to perform tasks on their behalf (for example, IT service providers, call centre providers and security service providers). To do this, they may provide or make available credit reference data to them so that they can perform the tasks.
Each credit reference agency is a member of Cifas, a not-for-profit fraud prevention service. Where a credit reference agency believes that you may have been a victim of fraud, it may share that information with Cifas so that other Cifas members can access it. This enables them to perform additional checks when (for example) a credit application is made in your name. Please refer to the Cifas privacy notice at https://www.cifas.org.uk/fpn for more details.
Regulators can sometimes require credit reference agencies to supply them with personal data. This can be for a range of purposes such investigating complaints or assessing how well a particular industry sector is working.
People are entitled to obtain copies of the personal data the credit reference agencies hold about them. Details on how to do this are set out in section 9 below.
The three credit reference agencies are all based in the UK and keep their main databases there. They may also have operations and service providers elsewhere inside and outside the UK and the European Economic Area, and credit reference data may be accessed from those locations too. Regardless of where the credit reference data is processed, the credit reference agencies ensure that it is always, protected by applicable UK and European data protection standards.
While the UK and countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when a credit reference agency sends credit reference data overseas it makes sure suitable safeguards are in place in accordance with applicable UK and European data protection requirements, to protect the data. For example, these safeguards might include:
More information about the safeguards used by each credit reference agency can be obtained by contacting them at the contact details in section 1 above.
Each credit reference agency may retain credit reference data for different periods of time. Information about each credit reference agency’s retention periods can be found at the following locations:
These periods are subject to regular review and may change from time to time.
Credit reference agencies generally do not make decisions about consumers or tell organisations what decisions to make about consumers – this is for each organisation to decide. For example, credit reference agencies do not tell lenders whether to offer credit to consumers; they just provide services that help those lenders make decisions about consumers. An organisation’s own data, knowledge, processes and practices will also play a significant role in those decisions.
Credit reference agencies may provide similar services to their respective clients, but these services may lead to different decisions because (i) each credit reference agency may hold different information from the others, (ii) each client may place differing importance on some information compared to others, and (iii) each client may take into account information available to it from other sources. These are some of the reasons why a person may receive a “yes” from one lender but a “no” from another.
When requested, credit reference agencies use the data they obtain to produce credit, risk, fraud, identity, affordability, screening, collection and insolvency scores and ratings; these are explained in section 4 above.
Consumers have the right to find out what personal data the credit reference agencies hold about them. Each credit reference agency provides more information about access rights on their websites.
Credit reference agency | How to access your data |
Equifax | To get your credit report: https://www.equifax.co.uk/Products/credit/statutory-report.html
To get other information about how to access your personal data: https://www.equifax.co.uk/ein.html
To make a request by post: Equifax Limited, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS. |
Experian | To get your credit report: https://www.experian.co.uk/consumer/statutory-report.html
To get other information about how to access your personal data: https://www.experian.co.uk/consumer/contact-us/index.html
To make a request by post: Customer Support Centre, Experian Ltd, PO BOX 8000, Nottingham, NG80 7WP |
TransUnion | To get your credit report: https://www.transunionstatreport.co.uk/ |
| To get other information about how to access your personal data: https://www.transunion.co.uk/legal/privacy-centre?#your-data-rights
To make a request by post: TransUnion, Consumer Services Team, PO Box 491, Leeds, LS3 1WZ |
Data protection legislation also contains a right to data portability. Where it applies, the right to data portability gives consumers a right to receive their personal data in a standard format. However, this right only applies when personal data is processed on certain grounds, such as consent. This right does not apply to credit reference data because it is processed on the grounds of “legitimate interests”. To find out more about legitimate interests please go to section 3 above.
When the credit reference agencies receive personal data, they perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, the credit reference agencies rely on the suppliers to provide accurate data.
If a consumer thinks that any personal data a credit reference agency holds about them is wrong or incomplete, the consumer has the right to challenge it. The credit reference agency will need to take reasonable steps to check the data, such as asking the organisation that supplied it to check and confirm its accuracy.
If the data turns out to be wrong, the credit reference agency will update its records accordingly. If the credit reference agency still believes that the data is correct after completing their checks, they will continue to hold and use it. Where the data is part of the consumer’s credit report, they can ask the credit reference agency to add a supplementary statement of up to 200 words explaining their views about the information. This statement will be supplied to organisations who subsequently access the information that the consumer has disputed.
To do this, consumers should contact the relevant credit reference agency using the contact details in section 1 above.
This section helps consumers understand how to exercise their data protection rights to object to credit reference data being used by the credit reference agencies and how to ask for it to be deleted. To understand these rights and how they apply to the processing of credit reference data, it is important to know that the credit reference agencies hold and process personal information in credit reference data under the “legitimate interests” basis for processing (see section 3 above for more information about this), and do not rely on consent.
Consumers have the right to object to the processing of credit reference data by a credit reference agency. This can be done by contacting the relevant credit reference agency using the contact details in section 1 above.
Although consumers have complete freedom to contact a credit reference agency with objections at any time, under data protection law, a consumer’s right to object does not automatically lead to a requirement for processing to stop, or for personal data to be deleted.
Because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes for which the credit reference data is needed (such as supporting responsible lending, and preventing over-indebtedness, fraud and money laundering) it will be rare that the credit reference agencies do not have compelling, overriding grounds to carry on using the personal data following an objection. In many cases, it will not be appropriate for the credit reference agencies to restrict or to stop processing or delete credit reference data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise would not be eligible for.
However, as an exception from the general rule described above, all consumers have an absolute right to object to their personal data being used for direct marketing purposes. If you object to a credit reference agency using your personal data for those purposes, you can get them to stop by contacting them using the details in section 1.
In some circumstances, consumers can ask credit reference agencies to restrict how they use their credit reference data. Contact details for each credit reference agency are in section 1 above.
This is not an absolute right and processing will only be restricted if certain conditions are met (for example, if the processing is unlawful or the personal data is no longer required by the credit reference agencies for the purposes for which it was obtained).
Even where a restriction condition is met, a consumer’s personal data may still be processed (and shared) by the credit reference agencies where certain grounds exist. These are:
The credit reference agencies will consider and respond to requests they receive, and will assess whether any of the restriction conditions apply and, if they do, whether there are any grounds that permit the continued processing of the personal data.
Given the importance of complete and accurate credit reference data, for purposes including for example for responsible lending and preventing over-indebtedness, fraud and money laundering, it will usually be appropriate for the credit reference agencies to continue processing credit reference data on the basis of protecting the rights of another natural or legal person or for reasons of important public interest.
Each credit reference agency tries to ensure that it delivers the best outcomes for its clients and for consumers. If a consumer wants to make a complaint to a credit reference agency they can do so by contacting it at the following addresses.
Credit reference agency | Contact details |
Equifax | Post: Equifax Limited, PO Box 10036, Leicester LE3 4FS
Email: complaints@equifax.com
Phone: 0333 321 4043 or 0800 014 2955 |
Experian | Post: Experian, PO BOX 8000, Nottingham, NG80 7WP
Email: complaints@uk.experian.com
Phone: 0344 481 0800 or 0800 013 8888 |
TransUnion | Post: TransUnion, One Park Lane, Leeds, West Yorkshire LS3 1EP
Email: customer.relations@transunion.co.uk
Phone: 0330 024 7574 |
Each credit reference agency also has a data protection officer who can be contacted about matters relating to the protection of personal data at the relevant credit reference agency. The contact details for each credit reference agency’s data protection officer are:
If a consumer is not satisfied with how a credit reference agency has investigated a complaint, the consumer can refer their concerns to the Information Commissioner’s Office which is the body that regulates the handling of personal data in the UK. The contact details are:
Where the complaint relates to an activity which is regulated by the Financial Conduct Authority (such as credit reporting and affordability checks), consumers also have the right to refer the matter to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like credit reference agencies. The contact details are:
The work credit reference agencies do is very complex, and this document is intended to provide only a concise overview of the key points. More information about each credit reference agency and what it does with personal data is available at the following locations:
The Information Commissioner’s Office also publishes advice and information for consumers in its Credit Explained leaflet, available at https://ico.org.uk/media/for-thepublic/documents/1282/credit- explained-dp-guidance.pdf.
All our loans are unregulated. We do not provide regulated loans.
Copyright © Whitehall Lending. All rights reserved.