Last updated: November 2025
You will know us as Equifax and Consents Online but our legal names are Equifax Limited (“Equifax”) and its group company Consents Online Limited (“Consents Online”) (collectively, “we”, “our” and “us”). We're committed to protecting the privacy of users (“you”) of our open banking services (“OB Services”).
This Equifax and Consents Online Open Banking Privacy Notice (“Notice”) describes how and why we process personal data about you when we provide our OB services, including to:
Both Consents Online and Equifax are independent data controllers “Controllers” of your personal data, which means that we each make decisions about how and why we process it. As Controllers, we’re responsible for making sure that it’s processed in accordance with data protection law.
You should read this Notice to understand what we are doing with your personal data in relation to the OB Services, the basis on which we undertake such use, who we share your data with and your rights in relation to your personal data. “Personal data” is any information that relates to a living identifiable person. Your name, address, contact details and financial data are all examples if they identify you. To “Process” means any activity relating to personal data, including its collection, storage, transfer or other use.
This Notice only concerns use of your personal data in relation to the OB services provided by Equifax together with Consents Online. Equifax will likely also process your personal data as part of its core credit referencing activities.
In relation to specific Equifax products or services, or other Equifax group companies, we make available other privacy notices via the Equifax Privacy Hub. These apply in conjunction with this Notice, so please ensure that you read every relevant notice. Our privacy notices include:
| Privacy Notice | Processing Activities |
|---|---|
Equifax Credit Reference and Related Services Privacy Notice |
This privacy notice explains how Equifax processes personal data as part of its core credit reference agency (CRA) activities. These processing activities often relate to personal data that has not been collected directly from the individual. |
This privacy notice explains how Equifax processes personal data relating to its myEquifax products and services (e.g. Credit Report and Score, WebDetect and Social Scan) and users of the Equifax website. These processing activities usually relate to personal data that has been collected directly from the individual or from the individual’s direct use of myEquifax products and services, as well as the Equifax website. |
|
This privacy notice, produced with Experian and Transunion (the other key CRAs), explains how personal data is processed for core credit referencing activities. This often relates to personal data that has not been collected directly from the individual. |
|
This privacy notice explains how Equifax’s group company, TDX Group Limited, processes personal data to support customers with debt management and recovery. |
|
Equifax and Consents Online Open Banking Privacy Notice |
This privacy notice explains how Equifax’s group company, Consents Online Limited, processes personal data to provide customers with access to consumer transaction data held within payment accounts. This is known as open banking. |
This privacy notice describes how and why Equifax processes personal data to administer our Workforce Solutions database and related services, for example to quickly and reliably approve applications for housing, jobs, credit and benefits. |
You can contact us by:
Equifax has a dedicated Data Protection Officer (DPO) who can be contacted by:
Depending on the OB services you require, we collect and/or receive the following types of information:
| CATEGORY OF DATA | TYPE OF PERSONAL DATA | WHERE COLLECTED |
|---|---|---|
Identifiers |
|
You directly (e.g. where prompted to provide it) |
Financial Account Information |
|
You directly (e.g. where prompted to provide it) or from the relevant financial provider which is providing access to your account (e.g. your bank) |
Analysed Information |
|
Generated by Equifax, Consents Online or our subcontractors |
Special Category Information |
|
The relevant financial provider providing access to your account (e.g. your bank) |
Contact Information |
|
You directly (e.g. where prompted to provide it) |
Online Information |
|
The device you use to access the OB Services, and information you provide directly to us where prompted to do so |
Credit Reference Information |
|
Information already held by Equifax and provided to Equifax by lenders or obtained from publicly available sources |
General Information |
|
You directly |
Equifax and Consents Online be engaged by lenders or other third parties that you authorise us to share your account Transaction Data with (“Approved Recipients”).
Consents Online is registered with the Financial Conduct Authority (FCA) as an Account Information Services Provider (AISP). Practically, this means that Consents Online will, with your permission:
use your name and financial account details to request access to your financial account;
collect and store your Transaction Data; and
provide your Transaction Data to Equifax so that Equifax can (i) analyse and categorise it to create consolidated 'Analysed Data', which it shall make available to your Approved Recipient(s) together with the Transaction Data; and (ii) make use of the Transaction Data as set out in this Notice.
Equifax or its appointed reseller will have an agreement in place with the Approved Recipient(s) to provide the above noted services via Consents Online and Equifax. It is therefore Equifax's role to facilitate the analysis and categorisation of your Transaction Data and make it available to the Approved Recipient(s), including via a reseller of our services, where applicable.
In addition, Equifax will use your Transaction Data to provide any other services you have requested to receive, to create anonymised analysis for research and market intelligence purposes, or to undertake any other processing set out in this Notice.
Special category personal data
According to data protection law, special category personal data refers to personal data that is considered particularly sensitive and therefore requires a higher level of protection. Some OB Services require the processing of Transaction Data that may relate to special category personal data, e.g. where benefits related Transaction Data may infer information about your health. Such processing is only ever with your consent and is for the strictly limited purpose of delivering the OB Service that you have requested.
We are required by data protection law to always have a ‘lawful basis’ (i.e. a reason or justification) for processing your personal data. There are a number of lawful bases set out in data protection law but we consider the following to be most relevant to our processing of your personal data for OB Services:
Consent
PLEASE BE AWARE: The regulations which specifically relate to OB Services (the Payment Services Regulations 2017) require that your consent be obtained for us to access your Transaction Data. This consent (the “PSR Consent”) is a contractual consent necessary to gain access to your Transaction Data but is not a data protection law consent, and it does not relate to how we use your Transaction Data for data protection law purposes. The processing of the personal data forming part of your Transaction Data (or any other personal data) is in accordance with the data protection lawful bases set out in the table below. Where we refer to consent within that table, this is a reference to a data protection law consent
Your PSR Consent will clearly define the type of access that you are granting and for how long. For example, access may be on a one-off basis only, which will allow us to see a one-off ‘snapshot’ of your account and Transaction Data. Alternatively, the PSR Consent may permit access on an ongoing basis, for example up to three months or until a specific date. Your PSR Consent will also specify the frequency of access to your Transaction Data (e.g. whether this is restricted to daily or weekly access). After your PSR Consent is no longer active, we will continue to process the snapshots of your Transaction Data that we have already obtained, but we will not be able to access and capture new snapshots of your account and Transaction Data.
Please note that where we have indicated that our use of your personal data is necessary for us to comply with legal obligations or for us to take steps, at your request, to enter into an arrangement with you (or perform it), and you choose not to provide the relevant personal data, we may not be able to enter into or continue our arrangement with you. Practically, this may mean that we cannot provide OB Services if you have not provided certain personal data necessary to verify your identity or gain access to your Transaction Data.
The table below sets out the purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.
| PURPOSE OF PROCESSING | CONTRACT | LEGAL OBLIGATION | LEGITIMATE INTEREST | CONSENT |
|---|---|---|---|---|
|
Using your Identifiers and Financial Account Information to help verify your identity and request access to your Transaction Data from your bank or other financial provider. This will include:
-
verifying the information you provide with the Credit Reference Information Equifax already holds about you;
-
disclosing the information to your nominated banking provider, so they can confirm your identity and grant access to your Transaction Data; and
-
conducting any additional verification checks, for example by sending a SMS text message with a passcode to enable you to gain access to your account and Transaction Data. |
✔ |
✔ We are required by law to ensure your identity prior to providing services |
✔ It is in our legitimate interests to take reasonable steps to help verify your identity |
|
Disclosing your Transaction Data to you and/or an Approved Recipient |
✔ |
✔ It is in the legitimate interests of Approved Recipients to receive your Transaction Data to assess their ability to provide products/services to you |
||
|
Analysing your Transaction Data to generate Analysed Data and form a picture of your financial circumstances to be shared with you or an Approved Recipient, including to:
|
✔ |
✔ It is in the legitimate interests of Approved Recipients to receive a breakdown / assessment of your Transaction Data to assess creditworthiness and affordability, and potential indicators of financial vulnerability, to help determine whether they can provide products/services to you. It is also in our legitimate interests to provide these services to Approved Recipients (our customers) |
||
|
Combining Transaction Data (and our analysis of it) with the Credit Reference Information Equifax holds about you, to provide a more complete picture of your financial circumstances, and making this ‘picture’ available to you or an Approved Recipient. We may also combine and anonymise your Transaction Data, our analysis of the Transaction Data, and the Credit Reference Information we hold about you to create an anonymised dataset that can be used for research and statistical purposes. Please see the CRAIN and the Equifax Credit Reference and Related Services Privacy Notice for more information about how Credit Reference Information is collated and processed. |
✔ |
✔
It is in the legitimate interests of Approved Recipients to receive an assessment of your financial circumstances (supported by your Transaction Data) in order to assess creditworthiness and affordability, to help determine whether they can provide products/services to you It is also in our legitimate interests to anonymise the data we hold about you to create an anonymised dataset to be used for research purposes and better improve our products and services |
||
Using your Special Category Information to provide the OB Service that you have requested, e.g. where analysis of your Transaction Data may infer information related to your health |
✔ |
|||
Using your Identifiers and/or Online Information to verify or enforce compliance with the policies and terms applicable to your use of the OB Services we provide |
✔ It is in our legitimate interests to ensure that our services are being used appropriately |
|||
Use of your information to detect and report suspected incidents of fraud, or for general crime prevention |
✔ Where we are compelled to process your data in compliance with law, for example those relating to fraud prevention |
✔ It is in our legitimate interests to prevent crime and instances of fraud. |
||
Using your Contact Information to respond to your enquiries and/or complaints |
✔ It is in our mutual interests to respond |
|||
Using your Contact Information to send you information relevant to any OB Services you receive from us |
✔ Where we are required to provide any information under contract |
✔ It is in our mutual interests that you be updated with relevant information |
||
Using Identifiers, Contact Information and/or Online Information to enable you to create accounts and log-in or otherwise gain access to the OB Services |
✔ Where we are required to provide such access under contract |
✔ It is in our mutual interests to provide you with a private log-in in order to access services |
||
Using any relevant personal data to establish and enforce our legal rights or to comply with a court order, law enforcement requirement (or other legally mandated request) or legal obligation |
✔ |
|||
Using any relevant personal data for our general record keeping, customer management or Website user management |
✔ Where we are required to maintain such records under contract |
✔ It is in our legitimate interests to store Open Banking service data and Website user data so that we can refer back to it |
||
Using any relevant personal data in relation to managing the proposed or actual sale, restructuring or merging of any or all part(s) of our business |
✔ |
✔ We have legitimate interests in being able to sell or restructure our business and maintain continuity for us or a buyer |
||
Equifax will use your Transaction Data for internal product development to help refine and develop our OB Services and transaction data categorisation mechanisms. |
✔ It is in our legitimate interests to ensure that our customers receive the best possible service, and it is in the interests of individuals for us to ensure that our services best reflect the financial circumstances of the individual |
|||
Equifax will anonymise the Transaction Data it receives so that it can conduct anonymised analysis and research, which it may make available to third parties. |
✔ It is in our legitimate interests to anonymise data so that we can analyse the markets in which we and our customers operate. |
We may also use your personal data to conduct research and analysis, including to produce anonymous statistical reports. Where appropriate, we will convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable (thereby creating anonymised data). Anonymised data is not personal data and can be used, for example, to help us understand and improve the analytics we undertake of individual Transaction Data. We may also share anonymised data or the research we produce from our analysis of anonymised data, with third parties.
Affiliates and Third Parties
We may share your information with:
Our affiliates, i.e. companies that control, are controlled by, or under common control with Equifax; and
selected third parties that Equifax and/or Consents Online work with.
These recipients within and outside our group may be processing your personal data on our behalf as a service provider (see below) or they may be processing it for their own purposes as a Controller in their own right.
We have summarised the categories of recipients with whom we are likely to share your personal data:
a)
Service Providers: We may share your personal data with entities that provide services to us, such as vendors and suppliers that provide technology, services, and/or content for the operation and maintenance of the OB Services we provide. Access to your personal data by these service providers is strictly limited to the information reasonably necessary for the service provider to perform its function. We take steps to help ensure that service providers keep your personal data confidential and comply with our privacy and security requirements.
b)
Agents: Consents Online appoints certain third parties as agents to act on its behalf and provide account information services to consumers. In practice this means that an agent might operate a portal through which you can give your authorisation for OB Services and/or access your Transaction Data. This portal will be made available by Consents Online through the relevant agent. A list of our agents can be found on the FCA’s website here.
c)
Disclosure for legal reasons or as necessary to protect Equifax and/or ConsentsOnline: We may release personal data to other parties: (1) to comply with valid legal requirements such as laws, regulations, search warrants or court orders; (2) in special cases, such as a physical threat to you or others, a threat to public security, or a threat to Equifax and/or Consents Online’s systems or networks; or (3) cases in which Equifax and/or Consents Online believes it is reasonably necessary to investigate or prevent suspected or actual harm, abuse, fraud, or illegal conduct.
d)
Changes in Equifax’s corporate structure: If all or any part of Equifax or Consents Online is sold, merged or otherwise transferred to another entity (including a transfer of assets), your personal data may be transferred as part of that transaction.
Approved Recipients
‘Approved Recipients’ are entities (e.g. lenders) approved by you to receive copies of your Transaction Data, the analysis we undertake of your Transaction Data and/or any Credit Reference Information they are entitled to receive.
Through the Consents Online open banking portal (the “Portal”), you can control access rights to your Transaction Data. You will be able to see the:
Through the Portal we also make your Transaction Data available to you for review.
Approved Recipients will process your personal data as independent Controllers, in accordance with their own privacy notice. Please ensure that you review their privacy notice to understand how and why your personal data is being used and what rights you have in relation to that use by the Approved Recipient.
Equifax Limited and Consents Online Limited are UK based companies and the majority of our processing of your personal data takes place in the UK. All information and personal data processed by Equifax and Consents Online is stored on encrypted servers at secure physical locations (whether these be our own servers or those of cloud service providers that we use; Google data centres based in the UK with backups in the EU). Equifax has internal policies and controls in place to keep personal data secure and minimise the risk of it being lost, misused, disclosed or accidentally destroyed.
Equifax and Consents Online are part of a global group of companies, therefore your personal data may be transferred to other group members outside of the UK and/or the European Economic Area (EEA). In addition, some of our service providers may have processing operations in other jurisdictions.
While data protection law in some jurisdictions may not provide the same level of protection to your personal data as is provided to it under UK data protection law, Equifax takes steps to ensure the appropriate protections are in place before knowingly transferring personal data outside of the UK/EEA. Details of Equifax’s main data processors and where they operate can be found in the Equifax Credit Reference and Related Services Privacy Notice (SECTION 5).
Where Equifax Limited is transferring personal data to Equifax Inc. and its U.S. subsidiary Kount Inc. (together "Equifax US"), Equifax US complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Please see the Equifax Inc. Privacy Statement (SECTION EU-U.S. and the UK Extension to the EU-U.S. Data Privacy Frameworks) for more detailed information about Equifax’s certification to the Data Privacy Framework (DPF) program and what this means. To learn more about the DPF program, and to view the Equifax certification, please visit the DPF’s website here .
Non-UK Users: Our OB Services are intended for users within the UK. If you use these services from outside the UK, please be aware that information you provide to us or that we obtain as a result of your use of these services, may be processed and transferred to the UK and be subject to the laws of the UK.
We will use your personal data to communicate information relevant to your use of the OB Services, to respond to any queries or complaints you may have and to provide updates in relation to the services you receive from us.
We do not use your personal data processed in relation to OB Services, nor do we use any Transaction Data we receive from your account provider, for any direct marketing purposes.
We are committed to protecting the security of your personal data. We implement appropriate technical and organisational measures, taking into account the nature, scope, context and purposes for processing, as well as the likelihood and severity of risks to your rights and freedoms.
When you use the Consents Online website (the "Website"), we use cookies and similar technologies (collectively “Cookies”).
Cookies are small text files saved to your device (computer, smartphone, tablet or any other device from which you access the internet) when you visit a website. These files do not contain personal data but they do contain an identifier that allows website owners to associate personal data with a particular device. Cookies can do lots of different jobs, such as remembering your language preferences and login details for future visits, and generally improving your user experience.
The Cookies in use on the Consents Online Website are 'strictly necessary for the Website to function properly, so we don't have to ask for your consent to use them. They are not used to identify you, and will only be used for the duration of your session.
For information about how Cookies are used on the Equifax website and the Equifax Online Help website, please see the Equifax Cookie Notice, where you will also find guidance about how to manage and delete Cookies by changing your internet browser settings (although this may prevent the Website from working properly).
We retain your personal data for strictly limited periods of time and for no longer than is necessary to fulfil the purposes for which we are processing it. For example, we typically retain personal data in relation to your use of the OB Services, for as long as you receive those services and for up to 6 years following cancellation of the services.
In limited and specific cases, it may be reasonably necessary for us to retain your personal data for a longer period.
The factors that direct how long we retain personal data for include the following:
laws or regulations we are required to follow;
whether we are in a legal or other type of dispute with each other or any third party;
the type of information held about you; and
whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.
For more information about our retention periods, please contact us.
In certain circumstances, data protection law provides you with a number of rights in relation to your personal data. You can exercise your rights by contacting us using the details provided above.
Your rights include:
The right of access. This is also known as a data subject access request (DSAR) and allows you to receive copies of your personal data and be provided with certain information in relation to it, such as the purpose for processing.
The right to rectification, which requires us to correct inaccuracies in your personal data. Please see SECTION 9.3 in the Equifax Credit Reference and Related Services Privacy Notice for more information.
The right to erasure. This is also known as the right to be forgotten, and allows you to request that we erase your personal data. This right only applies in certain circumstances.
The right to restrict processing, which requires us to restrict the processing of your personal data in certain circumstances;
The right to data portability. This allows you to receive the personal data that you have provided to us in a machine readable format, where we are processing it on the basis of consent or have entered into a contract with you and the processing is automated.
The right to object. In certain circumstances you can object to our processing of your personal data, such as for direct marketing purposes.
The right not to be subject to automated decision-making, which allows you to raise queries, concerns and request a human review in relation to any decision made solely on the automated processing of your personal data.
The right to lodge a complaint with the Information Commissioner’s Office (ICO). See SECTION 11 for more information.
Please see the Equifax Credit Reference and Related Services Privacy Notice for more detailed information about how Equifax specifically is processing your personal data, your rights and how you can exercise them.
Equifax may make changes to this Notice in the future. The revised notice and its effective date will be published on this Website.