Privacy Policy & Cookies

We strictly follow the Data Protection Act 1998 and are registered with the Information Commissioner (No: ZB048218). Happen Finance Ltd contact details are: 1 Thames Side, Windsor Berks SL4 1QN. Telephone: 020 3137 2417. Email:

1. You may freely browse our website without giving any personal information.

2. If you enter information on our website application process or any part of it, we will store and process any personal, business or financial information tendered, whether this is tendered by you, your company’s officers or obtained from credit information, third party business information, or anti-fraud agencies. If you register an interest in our loans and consent to being contacted, we will use the tendered contact information, so we can respond to you.

3. We monitor usage of our website including which pages are visited, for how long, and how often, and may use learnings from this to help us tailor the information we offer.

4. Where e-signatures are used, this information will be processed and stored on Citrix servers and on the cloud Citrix’ secure account at Amazon Web Servers.

5. The personal and business information collected will be stored electronically and be used to consider your application for a business loan or any other product or service; to detect and prevent fraud; to assist in the administration of your loan; to enable us to contact you by phone, SMS, email, post, or any other means of communication whether electronic or on paper; to refine existing products and develop further products and services; and with your express consent,to pass to third parties who may be interested in offering you a loan or other product or service; to keep our website updated; to ensure our website appears in the most effective format on your device; to keep you updated with our products and services. If any data we hold is incorrect, if you contact us, we will amend it.

6. With your express consent, we may share information with selected third parties who may be interested in offering you a loan or other product or service. We may also share your data with third parties who supply us with payment processing services, credit information, and fraud detection services in order to protect our business and reduce the risk of fraud and loan default. We may share your data internally (i.e.within Happen Finance Ltd) to provide you with information about offers and promotions about similar products and services; with law enforcement agencies; with legal representatives for the purpose of debt collection in the case of extreme default. If the ownership of the business changes, then we will place the same conditions on the protection of your data as would be the case had no change in ownership occurred.

7. We will retain transaction data for at least 6 years following the most recent transaction, or longer if the retention of such data is to comply with a law or financial or marketing regulation. If you have asked us not to use your data for marketing purposes, we will retain your data for other purposes. We will not charge you for a system access request. You should make this request to view the data we hold about you in writing.

8. If you wish to contact us to amend marketing preferences or for any other reason, please email, with the subject title ‘Data Protection’ or write to Happen Finance, 1 Thames Side, Windsor SL4 1QN

9. As internet security is not 100% secure, although we have policies and systems in place to protect your data, you are advised not to enter any sensitive data, e.g relating to your sexuality, political views, medical condition, or suspected criminal activities.

10. Links to other websites will appear on our website. Although every care is taken in selecting those links, you are advised to proceed with care when entering other websites. Happen Finance Ltd is not responsible for any external sites, their products, services, or data privacy arrangements. We are only responsible for the data we collect.

11. We record all incoming and outgoing phone calls for the purposes of training and fraud protection. We retain the call records for a period of 12 months after your loan has been repaid, or in the case of an inquiry that does not lead to a loan being granted, for a period of 12 months.

12. Individual’s Right to Access

Right to access
You have the right to request copies of the personal information we hold about you at any time.

Right to rectification
You have the right to request that we correct any inaccurate personal information we hold about you.

Right to erasure
You have the right to request that we delete your personal information from our records.

Please note that we will not be able to delete your personal information whilst we are still providing our services to you. We will be able to delete your personal information once you cancel the service or once the service is completed.

Right to restrict processing
You have the right to request that we restrict how we use your personal information.

Right to object
You have the right to object to the collection and use of your personal information at any time.

Right to data portability
You have the right to obtain a copy of your personal information in a legible and compatible format such as Excel or Word.

How can I exercise my rights in relation to my personal information
You can exercise all of your rights by contacting us on any of the above contact details.

How do I lodge a complaint about the use of my personal information
You can lodge a complaint with us directly by contacting us on one of the above contact details.

You also have the right to lodge a complaint directly with the Information Commissioner’s Office (ICO). The ICO is the regulator who makes sure that we use your personal information in a lawful way.

You can lodge a complaint with the ICO by following this link calling the ICO on 0303 123 1113.

13. A “cookie” is a small piece of information that is stored on the browser on your computer’s hard drive. Most websites use cookies to improve the way the website works and to pro provide information to website operators about the use of the website. We use cookies to allow y you to use and navigate our site, to collect information about how visitors use our site, and to enable us to improve the site. Most web browsers allow you to manage and block the use of cookies by changing your browser settings. If you choose not to accept cookies on our site this may affect the quality of your visit to our site.

14. IP Addresses & Login
We log information about visitors including your IP address, date and time visited, referring website, length of stay, etc. This information is purely used for visitor analytics only and we do not store personal data along side this information.

15. Cookies
We use cookies to store session information so that we can identify you for quotation purposes and for retrieval by you of your previous quotation data.
For further information about cookies, what they are, and how they work, please visit

16. Credit Reference Agency Information Notice (CRAIN)

You have the right to object to credit reference agencies using your personal data. Please see Section 11 to find out more.


There are three main credit reference agencies in the UK that deal with people’s personal data.

Each is regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct business as a credit reference agency.


Post: TransUnion International UK Limited
One Park Lane,
West Yorkshire
Web Address:
Phone:0330 024 7574

Equifax Limited

Post: Equifax Ltd,
Customer Service Centre,
PO Box 10036,
Web Address:
Phone: 0333 321 4043 or 0800 014 2955

Experian Limited 

Post: Experian,
PO BOX 9000,
NG80 7WF
Web Address:
Phone: 0344 481 0800 or 0800 013 8888



Credit reference agencies receive personal data about you that’s part of, derived from, or used in credit activity. Different lenders and creditors will use different CRA services, and may not use all the services described here, so we recommend you also check your lender and creditor’s privacy policy(s) as well as this document.

Credit reporting and affordability checks

Each CRA uses the data it gathers to provide credit reporting services to its clients.

Organisations use credit reporting services to see the financial position of people and businesses. For example, a lender or creditor may check with a credit reference agency when an individual or business applies for credit and the lender or creditor needs to make a credit decision taking into account that person or business’s credit history.

Affordability checks help organisations understand whether people applying for credit or financial products (like loans) are likely to afford the repayments.

These activities help promote responsible lending, prevent people and businesses from getting into more debt than they can afford, and reduce the amount of unrecoverable debt and insolvencies.

Verifying data like identity, age, and residence, and preventing and detecting criminal activity, fraud, and money laundering

The CRAs also use bureau data to provide verification, crime prevention, and detection services to their clients, as well as fraud and anti-money-laundering services. For example:

  • When a person applies to an organisation for a product or service, the organisation might ask them to answer questions about themselves, and then check the answers against the data held by the CRAs to see if they’re correct. This helps confirm the person they are dealing with is not trying to commit identity theft or any other kind of fraud.
  • Where some products and services are only available to people of a certain age, organisations can check whether the person they’re dealing with is eligible by searching the CRAs databases.
  • If a person applies for credit the lender or creditor might check the personal data that person gives them against the personal data held by CRAs to try and prevent fraud.
  • Government and quasi-government bodies can use data held by CRAs to check whether people are entitled to certain benefits and to help recover unpaid taxes, overpaid benefits, and similar debts.

Account management

CRAs supply information including personal data to their clients for account management, which is the ongoing maintenance of the client organisation’s relationship with its customers. This could include activities designed to support:

  • data accuracy (such as data cleansing – where bureau data can be used to clean or update lender data. This might involve checks that data is in the right format or fields, or to correct spelling errors);
  • clients’ ongoing account management activities. (For example, data sharing with lenders and creditors so clients can make decisions relating to credit limit adjustments, transaction authorisations, and to identify and manage the accounts of customers at risk, in early stress, in arrears, or going through a debt collection process, or to confirm that assets are connected to the right person).

Tracing and debt recovery

CRAs provide services that allow organisations to use bureau data to trace people who’ve moved. Each CRA also offers a service that allows people to be reunited with assets (like old dormant savings account they’ve lost contact with)

CRAs may also use personal data to support debt recovery and debtor tracing. An example of a tracing activity could be when a person owes money and moves house without telling the creditor where they’ve gone. The creditor may need help finding that person to claim back what they’re owed. CRAs help find missing debtors by providing creditors with updated addresses and contact details.


CRAs can use some personal data to screen people out of marketing lists. For example, where a person’s financial history suggests they’re unlikely to be accepted for or afford a particular product, the relevant organisation can use that data to opt-out of sending them information about that product. This helps stop people from receiving irrelevant marketing and saves organisations the costs of inappropriate marketing and unsuccessful applications.

The data isn’t used to identify, select, and send marketing materials to potential new customers.

Statistical analysis, analytics, and profiling 

CRAs can use and allow the use of personal data for statistical analysis and analytics purposes, for example, to create scorecards, models and variables in connection with the assessment of credit, fraud, risk or to verify identities, to monitor and predict market trends, to allow use by lenders for refining lending and fraud strategies, and for analysis such as loss forecasting.

Database activities

CRAs carry out certain processing activities internally which support databases effectiveness and efficiencies.  For example:

  • Data loading: where data supplied to the CRAs is checked for integrity, validity, consistency, quality, and age to help make sure it’s fit for purpose. These checks pick up things like irregular dates of birth, names, addresses, account start and default dates, and gaps in status history.
  • Data matching: where data supplied to the CRAs is matched to their existing databases to help make sure it’s assigned to the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. CRAs use the personal data people give lenders together with data from other sources to create and confirm identities, which they use to underpin the services they provide.
  • Data linking: as CRAs compile data into their databases, they create links between different pieces of data. For example, people who appear financially associated with each other may be linked together, and addresses, where someone has previously lived, can be linked to each other and to that person’s current address.
  • Systems and product testing: data may be used to help support the development and testing of new products and technologies.

Each CRA has its own processes and standards for data loading, data matching, and other database processing activities.

Other uses with your permission

From time to time CRAs may use the personal data they hold or receive about you for other purposes where you’ve given your consent.

Uses as required by or permitted by law

Your personal data may also be used for other purposes where required or permitted by law.

Other activities

Each credit reference agency also has other lines of business not described in this document.  For example, each offers its own marketing services and direct-to-consumer services. Each CRA will provide separate information as appropriate for any services that fall outside of scope of this document.


A Fraud Prevention Agency (FPA) collects, maintains and shares, data on known and suspected fraudulent activity. All three credit reference agencies also act as FPAs.


How data may be used by fraud prevention agencies:  

FPAs may supply the data received from lenders and creditors about you, your financial associates, and your business (if you have one) to other organisations (please see Section 5 for more information on these organisations). This may be used by them and the CRAs to: –

Prevent crime, fraud, and money laundering by, for example; 

  • Checking details provided on applications for credit and credit-related or other products and services
  • Managing credit and credit-related accounts or products or services
  • Cross-checking details provided on proposals and claims for all types of insurance
  • Checking details on applications for jobs or as part of employment
  • Verify your identity if you or your financial associate applies for facilities including all types of insurance proposals and claims
  • Trace your whereabouts and recover debts that you owe
  • Conduct other checks to prevent or detect fraud
  • Undertake statistical analysis and system testing
  • Your personal data may also be used for other purposes where you’ve given consent or where required or permitted by law

Legitimate interests

The UK’s data protection law allows the use of personal data where its purpose is legitimate and isn’t outweighed by the interests, fundamental rights, or freedoms of data subjects.

The law calls this the Legitimate Interests condition for personal data processing.

The Legitimate Interests being pursued here are:


Each credit reference agency obtains and uses information from different sources, so they often hold different information and personal data from each other. However, most of the personal data they do hold falls into the categories outlined below from the sources described.


CRAs hold personal data that can be used to identify people, like their name, date of birth, and current and previous addresses.

They may also hold business data.

This personal data is included with all the other data sources.

For example, names, addresses, and dates of birth are attached to financial account data so it can be matched and associated with all the other data the CRA holds about the relevant person.

Data about UK postal addresses is also obtained from sources like Royal Mail.

CRAs also obtain copies of the electoral register containing the names and addresses of registered voters from local authorities across the UK in accordance with specific legislation.

CRAs also have access to public data sources on people and businesses, including from the Insolvency Service, Companies House, and commercial business directories.

Lender provided and creditor provided data

CRAs receive information that includes personal data from credit applications and about the financial accounts that people hold from the organisations that maintain those accounts. This includes personal data about bank accounts, credit card accounts, mortgage accounts, and other agreements that involve a credit arrangement like utilities and communications contracts (including mobile and internet).

The collected data includes the name of the organisation the account is held with, the date it was opened, the account number, the amount of debt outstanding (if any), any credit limits, and the repayment history on the account, including late and missing payments.

CRAs may also receive data about financial accounts like current accounts, credit cards, or loans and may receive payment information that businesses hold from the organisations who maintain those accounts.

Banks, building societies, lenders, and other financial services providers supply data including personal data about peoples’ financial accounts and repayments. Other credit providers, such as hire purchase companies, utility companies, mobile phone networks, retail and mail order, and insurance companies also provide this data when they agree to credit facilities with their customers.

These organisations may also provide Cifas markers when they suspect fraud. You can find out more about  Cifas markers in the Fraud prevention indicators section below.

Court judgments, decrees and administration orders

CRAs obtain data about court judgments that have been issued against people. This may include, for example, the name of the court, the nature of the judgment, how much money was owed, and whether the judgment has been satisfied.

The government makes court judgments and other decrees and orders are made publicly available through statutory public registers. These are maintained by Registry Trust Limited, which also supplies the data on the registers to the CRAs.

Bankruptcies, Individual Voluntary Arrangement (IVAs), debt relief orders and similar events

CRAs obtain data about insolvency-related events that happen to people and may also obtain this type of data about businesses. This includes data about bankruptcies, IVAs, and debt relief orders, and in Scotland, it includes sequestrations, trust deeds, and debt arrangement schemes. This data includes the start and end dates of the relevant insolvency or arrangement.

CRAs obtain this data from The Insolvency Service, the Accountant in Bankruptcy, The Stationary Office and Northern Ireland’s Department for the Economy – Insolvency Service, the London, Belfast and Edinburgh Gazettes.

Business bankruptcies data are obtained from the London, Belfast, and Edinburgh Gazettes.

Fraud prevention indicators

The CRAs are all Fraud Prevention Agencies (FPAs) and members of Cifas (, an organisation that collects and shares data about suspected fraud. When an organisation believes it’s detected fraud or attempted fraud, it may put a Cifas marker on the relevant person’s credit file to warn other lenders this identity may have been used fraudulently. This helps to prevent any further fraud and protect innocent consumers.

These fraud indicators are shared among Cifas members through the database held by Cifas.

Gone Away Information Network indicators

Some CRAs are members of the Gone Away Information Network (GAIN), a database of people with overdue outstanding debts who’ve moved without giving their lender a forwarding address. Data from GAIN, including the persons’ old addresses and any known new addresses, may be recorded on the relevant credit file.

CRAs obtain GAIN data from lenders, and additional address data is obtained from Royal Mail.

Search footprints 

When an organisation uses a CRA to make enquiries about a particular person, the CRA keeps a record of that enquiry which appears on the person’s credit file. This includes the name of the organisation, the date, and the reason they gave for making the enquiry.

CRAs generate search footprints when enquiries are made about a particular person. The organisation making the enquiry provides some of the data in the footprint (such as the reason for the enquiry).

Scores and ratings

CRAs may use the data they receive to produce scores and ratings including credit, affordability, risk, fraud and identity, screening, collections, and insolvency scores about people and businesses, and credit ratings about people. Organisations that obtain data from CRAs may use it together with other data to provide their own scores and ratings.

Credit scores and credit ratings are produced from data like the person’s credit commitments, whether they have made repayments on time, whether they’ve any history of insolvencies or court judgments, and how long they’ve lived at their current address. Each CRA has its own way of calculating credit scores, and most lenders have their own scoring systems too.

The CRAs produce their scores and ratings using the data available to them.

Similarly, other organisations create their own scores and ratings from data obtained from the CRAs as well as other sources.

Other supplied data

CRAs receive data from reputable commercial sources. This includes phone number data and politically exposed persons (PEPs) and sanctions data.

CRAs receive this data from reputable commercial sources as agreed from time to time.

Other derived data

The CRAs produce some other kinds of data themselves to manage their databases efficiently and ensure that all the relevant data about a person is on the correct credit file.

Address links: when a CRA detects that a person seems to have moved house, it may create and store a link between the old and new address.

Aliases: when a CRA believes that a person has changed their name, it may record the old name alongside the new one.

Financial associations and linked people: when a CRA believes two or more people are financially linked with each other (for example, because they have a joint account), it may record that fact.

Flags and triggers: through analysis of other data, CRAs can add indicators to credit files. These aim to summarise particular aspects of a person’s financial situation. For example, a Cifas flag protects those who’ve been flagged as subject to fraud and invites additional checks as a defence against further fraud risk.

The CRAs generate this data from the data sources available to them.

Data provided by the relevant people

People sometimes provide data directly to CRAs. For example, they can ask a CRA to add a supplementary statement to their credit file if they want to explain the reason for a particular entry on the file. The right to do this is explained in Section 10 below.

This data is provided directly by the relevant people.


This section describes the types of recipients each credit reference agency can share data with. Each CRA has its own access control processes in place. For example, before it shares data with any other organisation, to check that organisation’s identity and, where applicable, to confirm where it is registered with regulators.

In many cases where an organisation uses CRA services, there will be information accessible, for example, from the website or at the point of application or service, to explain that an organisation may check your data with a credit reference agency (for things like identity authentication and fraud checking). In some cases, some organisations have the ability to compel CRAs, by law, to disclose certain data for certain purposes.

Members of the credit reference agency data sharing arrangements

Each organisation that shares financial data with the CRAs is also entitled to receive similar kinds of financial data contributed by other organisations. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utility companies and mobile phone networks.

Fraud Prevention Agencies

If a CRA believes that fraud has been or might be committed, it may share data with fraud prevention agencies (FPAs). These FPAs collect, maintain, and share data on known and suspected fraudulent activity. Some CRAs also act as FPAs.

Resellers, distributors, and agents

CRAs sometimes use other organisations to help provide their services to clients and may provide personal data to them in connection with that purpose.

Other organisations

Some data, where permitted in accordance with industry rules or where it’s public information, can be shared with other organisations that have a legitimate use for it – ID verification services, for example.

Public bodies, law enforcement, and regulators

The police and other law enforcement agencies, as well as public bodies like local and central authorities and the CRAs’ regulators, can sometimes request the credit reference agencies to supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax, investigating complaints, or assessing how well a particular industry sector is working.


The CRAs may use other organisations to perform tasks on their own behalf (for example, IT service providers and call centre providers).


People are entitled to obtain copies of the personal data the CRAs hold about them. You can find out how to do this in Section 9 below.


The three CRAs are all based in the UK, and keep their main databases there. They may also have operations elsewhere inside and outside the European Economic Area, and personal data may be accessed from those locations too. In both cases, the personal data use in those locations is protected by European data protection standards.

Sometimes the CRAs will need to send or allow access to personal data from elsewhere in the world. This might be the case, for example, when a processor or client of the CRA is based overseas or uses overseas data centres.

While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when a CRA does send personal data overseas it will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. For example, these safeguards might include:

  • Sending the data to a country that’s been approved by the European authorities as having a suitably high standard of data protection law. Examples include the Isle of Man, Switzerland, and Canada.
  • Putting in place a contract with the recipient containing terms approved by the European authorities as providing a suitable level of protection.
  • Sending the data to an organisation that is a member of a scheme that’s been approved by the European authorities as providing a suitable level of protection. One example is the Privacy Shield scheme agreed between the European and US authorities. Another example is the Binding Corporate Rules.

If your data has been sent overseas like this, you can find out more about the safeguards used from the CRAs, whose contact details are in Section1 above.



Identification data like names and addresses are kept while there’s a continuing need to keep it. This need will be assessed on a regular basis, and data that are no longer needed for any purpose will be disposed of.

Financial accounts and repayment data

Data about live and settled accounts is kept on credit files for six years from the date they’re settled or closed. If the account is recorded as defaulted, the data is kept for six years from the date of the default.

Court judgments, decrees, and administration orders 

Generally, court judgments and other decrees and orders are kept on credit files for six years from the date of the judgment, decree or order. But, they can be removed if the debt is repaid within one calendar month of the original date or if the judgment is set aside or recalled by the courts.

Bankruptcies, IVAs, debt relief orders, and similar events

Data about bankruptcies, IVAs, and other insolvency-related events and arrangements are usually kept on credit files for six years from the date they begin. This period is extended if they last longer than six years. Some data, such as a bankruptcy restrictions order, can also remain on the credit file for longer than six years.

Although the start of these events is automatically reported to the CRAs, the end (such as a discharge from bankruptcy or completion of an IVA) might not be. This is why people are advised to contact the CRAs when this happens to make sure their credit files are updated accordingly.

Search footprints

The CRAs keep search footprints for different lengths of time. Experian and Equifax keep most search footprints for one year from the date of the search, although they keep debt collection searches for up to two years. TransUnion keeps search footprints for a total of 6 years.

Scores and ratings

CRAs may keep credit scores and credit ratings for as long as they keep a credit file about the relevant person.

Derived or created data

CRAs also create data, and links and matches between data. For example, CRAs keep address links and aliases for as long as they’re considered relevant for credit referencing purposes.

Links between people are kept on credit files for as long as the CRA believes those individuals continue to be financially connected. When two people stop being financially connected, either can write to the CRA and ask for the link to be removed. The CRA will then follow a process to check the people are no longer associated with each other.

Other data

Other third-party supplied data such as politically exposed persons (PEPs) and sanctions data and mortality data will be stored for a period determined by criteria such as the agreed contractual terms.

Archived data

CRAs may hold data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development, and other analysis such as loss forecasting), for audit purposes, and as appropriate for the establishment, exercise or defence or legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements, and industry standards.


Lending decisions

CRAs don’t tell a lender if it should offer you credit – this is for the lender to decide. Credit reference agencies provide data and analytics that help lenders make decisions about lending.  The scoring tools and data CRAs provide may profile you, and are often a valuable tool in the lender’s overall processes and with the criteria they use to make their decisions. A lender’s own data, knowledge, processes, and practices will also generally play a significant role in that lender’s business decisions – and lender decisions will always remain for lenders to make.

The same analytics from a CRA may lead to different decisions from different lenders, as they can place differing importance on some factors than others. That’s why you may receive a “yes” from one lender but a “no” from another.

The data CRAs provide is just one of the things that a lender might take into account when they make a lending decision. The lender might also take into account data provided by the person applying for credit, as well as any other data available to the lender from other sources. Each lender will have its own criteria for deciding whether or not to lend.

Scores and ratings

When requested, CRAs do use the data they obtain to produce credit, risk, fraud, identity, affordability, screening, collection and/or insolvency scores and credit ratings; these are explained in Section 4 above. CRAs don’t tell a lender if it should offer you credit – this is for the lender to decide. Each credit reference agency, and each lender, will have its own criteria for how to calculate a credit score, but the following factors will usually have an effect:

  • How long the person has lived at their address.
  • The number and type of credit agreements and how they use those credit products.
  • Whether the person has been late making payments.
  • Whether the person has had any court judgments made against them.
  • Whether the person has been bankrupt or had an IVA or other form of debt-related arrangement.

The CRAs may provide or make available further information on profiling where necessary from time to time.


Do I have a “Portability Right” in connection with my bureau data?

Data access right

You have a right to find out what personal data the credit reference agencies hold about you.

Each CRA provides more information about access rights on their websites.


To get online information:
To make a request by post:
TransUnion, Consumer Services, PO Box 491, LEEDS LS3 1WZ


To get online information:
To make a request by post:
Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS.


To get online information:
To make a request by post:
Customer Support Centre, Experian Ltd, PO BOX 9000, Nottingham, NG80 7WF

NOTE: The information in this document will be effective from the Adopted Date set out on the first page, except for the information in Section 9  (data portability right), and in Sections 11 and 12. These Sections provide information on new rights that will only come into effect from the 25th May 2018, which is the effective date of the General Data Protection Regulation (GDPR).

Data portability right

New data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it’s processed on certain grounds, such as consent. This is not a right that will apply to bureau data because this data is processed on the grounds of legitimate interests. To find out more about legitimate interests please go to Section 3 above.


When the CRAs receive personal data, they perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, the credit reference agencies rely on the suppliers to provide accurate data.

If you think that any personal data a CRA holds about you is wrong or incomplete, you have the right to challenge it. It’s worth knowing that the CRA won’t have the right to change the data without permission from the organisation that supplied it, so the credit reference agency will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy.

If the data does turn out to be wrong, the CRA will update its records accordingly. If the CRA still believes the data is correct after completing their checks, they’ll continue to hold and keep it – although you can ask them to add a note to your file indicating that you disagree or providing an explanation of the circumstances.

If you’d like to do this, you should contact the relevant CRA using their contact details in Section1 above.


This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be deleted, in connection with bureau data. To understand these rights and how they apply to the processing of bureau data, it’s important to know that the CRAs hold and process personal information in bureau data under the Legitimate Interests ground for processing (see section3 above for more information about this), and don’t rely on consent for this processing.

You have the right to lodge an objection about the processing of your personal data to a CRA. If you want to do this, you should contact the relevant CRA using the contact details set out in section1 above.

Whilst you have complete freedom to contact a CRA with your objection at any time, you should know that under the General Data Protection Regulation, your right to object doesn’t automatically lead to a requirement for processing to stop, or for personal data to be deleted, in all cases.

Please note that, because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes the personal data is needed for (like supporting responsible lending, and preventing over-indebtedness, fraud, and money laundering) it will be very rare that the CRAs do not have compelling, overriding grounds to carry on using the personal data following an objection. In many cases, it won’t be appropriate for the CRAs to restrict or to stop processing or delete bureau data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get the credit they otherwise wouldn’t be eligible for.


In some circumstances, you can ask credit reference agencies to restrict how they use your personal data. Your rights are set out at Article 18 of the GDPR. You can find the contact details for each CRA in section1 above.

This is not an absolute right, and your personal data may still be processed where certain grounds exist. This is:

  • With your consent;
  • For the establishment, exercise, or defence of legal claims;
  • For the protection of the rights of another natural or legal person;
  • For reasons of important public interest.

Only one of these grounds needs to be demonstrated to continue data processing.

The CRAs will consider and respond to requests they receive, including assessing the applicability of these exemptions.

Please note that given the importance of complete and accurate credit records, for purposes including responsible lending, it will usually be appropriate to continue processing credit report data – in particular, to protect the rights of another natural or legal person, or because it’s an important public interest of the union or member state.


Each credit reference agency tries to ensure they deliver the best customer service levels but if you’re not happy you should contact them so they can investigate your concerns.


Post: TransUnion, PO Box 491, LEEDS LS3 1WZ
Phone: 0330 024 7574

Equifax Limited

Post: Equifax Ltd,  PO Box 10036, Leicester LE3 4FS
Phone: 0333 321 4043 or 0800 014 2955

Experian Limited

Post: Experian, PO BOX 8000, Nottingham, NG80 7WF
Phone: 0344 481 0800 or 0800 013 8888

If you’re unhappy with how the CRA has investigated your complaint, you have the right to refer it to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like CRAs. You can contact them by:

  1. Phone on 0300 123 9 123 (or from outside the UK on +44 20 7964 1000)
  2. Email on
  3. Writing to Financial Ombudsman Service, Exchange Tower London E14 9SR
  4. Going to their website at

You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:

  1. Phone on 0303 123 1113
  2. Writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
  3. Going to their website at

The work credit reference agencies do is very complex, and this document is intended to provide only a concise overview of the key points. More information about each CRA and what it does with personal data is available at the following locations:

The Information Commissioner’s Office also publishes advice and information for consumers in its Credit Explained leaflet, available at