This document describes how Experian Business Information, (also called “Experian BI” in this document) uses and shares personal data we receive about your business that is used in our direct marketing businesses. We have also taken the opportunity to explain how some of this data is supplemented with other data for checking compliance with various legislation such as that dealing with Anti-Money Laundering (AML). It should be noted that Experian Business Information also has a business running a commercial Credit Reference Agency. Further information on this can be found in the CRA Information Notice (CRAIN). For the purposes of this document Experian BI refers to the marketing databases we hold and the marketing business we run for our clients. These are typically run under the brand names Experian pH and Experian Business Assist using the databases BusinessView and BusinessView Select.
Understanding what personal data we hold and how we use it is important as the data protection law governs the way this data can be used and what rights you have.
This document answers these questions:
You have the right to object to Experian BI using your personal data. Please see Section 11 to find out more.
Experian BI, Experian PH and Experian Business Assist are wholly owned business units of Experian Ltd. and can be contacted at:
|Experian Limited||Post: Experian, PO BOX 9000, Nottingham, NG80 7WF
Phone: 0844 481 0028
Experian BI obtains and uses information from a variety of sources. All this information is related to businesses. Linked to these businesses we do hold contact details for representatives such as decision makers (e.g. Head of IT, Branch Manager, etc.) as well as Proprietors, Company Directors and Shareholders which is personal data.
For the purposes of data protection, all information relating to non-registered businesses is defined as personal data. This includes sole traders and ordinary non-registered partnerships. This is because the business is not a legal entity and is run in the name of the owner(s).
Data on registered businesses is not personal data because it relates to a legal entity and not a natural, living person. However, the contact information of individuals within a legal entity is classified as personal data.
Below we have outlined the sources of our data:
|Data Category||Source||Type of data|
|Government||Companies House||This is the government database of business registrations and filing updates, which includes all registered business – Limited companies, Public Limited Companies and limited liability partnerships. Included within this information are the details of a business’s Directors, Shareholders, Secretaries and other Persons of Significant Control.|
|Open Government Licence (OGL)||This includes various datasets released by the government under the terms of the Open Government Licence for example, Food Standards Agency, Council data, Vehicle & Operator Data.|
|Publicly available websites||Businesses’ own published websites||Additional information published by a business such as opening hours, ecommerce data such as shopping basket facility and payment facilities. Also used to validate data from other sources.|
|Publicly published directories||Private companies who publish business directories online||Basic business details (name, address, multiple contacts) collected and verified by phone or online.|
|Specialist contact directories||Private companies who collect specific data on specific businesses or types of organisations||Basic business details (name, address, multiple contacts) collected and verified by a range of methods (generally by phone) on specific sectors e.g. IT, Fleet, public sector, retail.|
The type of data these provide are listed below, with examples from these general categories:
For non-registered businesses (sole traders and partnerships) all the above, if available, is personal data.
For registered businesses (e.g. limited companies) and public sector organisations only the contact details are personal data.
In addition to the data sources above we use the following data sources to verify a business for compliance purposes (see section 3). Note, the data listed in the table below is never used for marketing purposes. However, business credit scores, which are calculated using personal data of commercial County Court Judgements and Director’s history, may be used to screen out high risk prospects. This is done to protect the potential seller of goods from future bad debt and to protect any business that has a high risk of failure from taking on more financial commitments.
|Data Category||Source||Type of data|
|Credit Reference Agency data||Experian commercial credit bureau (for more information see section 14)||Public record information such as County Court Judgements. Information about how well a business pays its invoices and finance agreements|
|Private registers||Private organisations||e.g. Financial Conduct Authority list of authorised companies. Politically Exposed Persons (PEPs) and Sanction lists|
Gambling Commission, Charities Commission
Marketing – helping our clients contact the businesses that may be interested in their products/services
We supply the data we aggregate from several sources to our clients to help them market their relevant business to business (B2B) products and services to other businesses who may be interested in them. Typically, the data used is the name, address and contact details of organisations. This helps our clients with their direct marketing whether via mail or phone or email marketing campaigns. Sometimes Experian uses this data to market its own products and services. To be clear, the personal information that we use in this capacity is always linked to the businesses with which they are associated.
Additionally, we sometimes provide clients information about the business themselves such as industry, size, etc. This is delivered together with the results of models we have created for clients for them to help make more informed decisions about whom to contact and how to contact them for marketing purposes. If a business is already a customer of our client, we can help our clients understand more about the business they already know to more accurately focus their communications and marketing efforts.
Our clients are providers of business to business products and services and we do not authorise our B2B data to be used to market consumer products. We do allow marketing research companies to use this data for genuine market research as long as they are members of the Marketing Research Society (MRS) and follow the MRS Code of Conduct.
An important part of our business is ensuring that the data we sell is targeted as much as possible. This is in the interests of the client who wants value for money, through high success rates of their campaign and to reduce waste of time and resource spent sending unwanted marketing materials. It is also in the interests of the businesses receiving such marketing communications who only want to receive relevant communications about B2B products and services they might be interested in. This is achieved in various ways from simple self-selection using basic criteria such as geographic area, size of business and line of business to sophisticated modelling described below.
Modelling – helping our clients reduce the amount of contact with businesses by focusing effort on the right businesses
The information Experian gathers is used to create models to more effectively identify within the population of businesses those that have particular attributes.
Typically, the models we create are done so on behalf of clients who wish to identify and prioritise businesses that they wish to deal with or, conversely, to isolate businesses who are unlikely to have any need or desire for their product or service.
The models and values we generate are based on information that is attributable to the business and includes items such as:
Beyond these client specific models, we create more generic models that can be used by clients for targeting their desired markets. This includes scores that predict whether a business is likely to grow strongly in the future or likely to export.
It is important to note that Experian BI does not make any decision about how to use these models and scores. It is always the client who makes the decision on the purposes for which the models and scores that we create are used.
Database creation activities
Experian carry out certain processing activities internally which support the effectiveness of our databases. For example:
Client Data Cleansing and Enhancing
Experian BI gathers information as described above and keeps it up to date and in a standardised format. Clients sometimes ask us to compare the information they hold about their customers and prospects to our information. Where we identify they have out of date information, as long as it is not suppressed (such as records on Telephone Preference Service), we can update it for them.
Sometimes, clients would like to know more about the customers they already have and ask us to provide more information on their customers to enable them to target the messages they wish to send more effectively and use the most appropriate method of communicating to them.
Supporting Tracing and Collection of Debts
Experian BI provides data that allow our clients to trace businesses who’ve moved and are no longer responding to communications from our clients using the information they currently hold about them. Experian may have more recent contact details such an address, telephone number or email address for that business that can then be used. This can be to reunite businesses with money they are owed or to help our clients to recover money that is owed to them.
Statistical analysis, analytics and profiling – helping our clients with their strategic decision making
Experian uses the data gathered for statistical analysis and analytics purposes, for example, to create segmentations and profiles in connection with the assessment of business value and/or behaviours. This allows our clients to have a view of the UK economy and its component business parts to adopt or refine marketing strategies such as identifying the size of opportunity for new product development, or to assist in a client’s location planning perhaps for a new store.
For example, we have classified the postcodes in the UK, according to the mix of businesses in each post code, into specific groups such as “Local Retail”, “Office Blocks”, “Business Park”. This helps our clients identify the appropriate size and type of customer service or sales resource they require to approach businesses within the chosen postcodes.
Verifying Data - helping financial institutions prove they know their customers and prevent fraud
To help our clients meet their regulatory obligations we verify and update information on their customers to help them ensure that the due diligence required for Anti Money Laundering and other legal obligations they have, are met.
Typically, this happens when a person applies to an organisation for a product or service, the organisation might ask them to answer questions about themselves, and then check the answers against the data held by Experian to see if they’re correct. This helps confirm the person they are dealing with is not trying to commit identity theft or any other kind of fraud. In some cases, we will enhance this information with registered office information, legal status and other information that enables the client to classify and understand their customers in more depth.
One important aspect is to identify the Ultimate Beneficial Owners of businesses and Persons of Significant Control. The identification of such individuals is strictly carried out in response to a client request for this data as part of their legal requirements and is not provided for any marketing purposes.
A further use would be to link company Directors across businesses to ensure that any connected relationships are able to be identified.
Experian also has other lines of business not described in this document. Within the Business-to-Business (B2B) sector we are a credit reference provider and beyond B2B we offer many direct-to-consumer services. Experian provide separate information elsewhere for the services that fall outside of scope of this document. See Section 14.
Uses as required by or permitted by law
Your personal data may also be used for other purposes where required or permitted by law.
The UK’s data protection law allows the use of personal data where its purpose is legitimate and isn’t outweighed by the interests, fundamental rights or freedoms of data subjects.
The law calls this the Legitimate Interests condition for personal data processing.
The Legitimate Interests being pursued here are:
|Experian has a legitimate interest in running a successful data business which generates revenue by helping businesses both promote and be informed about relevant B2B products and services through highly targeted direct marketing campaigns||
Experian provide prioritised, appropriate, accurate business contact data to client businesses wishing to promote business relevant services and products through targeted direct marketing campaigns. This allows businesses to economically promote their products beyond their existing customer base, providing a viable route to market for new and existing businesses and their products.
|Providing B2B market analytics||
Experian analyse the potential market for a client’s business relevant product or service using statistical models. This underpins the client’s business strategy and investment decisions.
|Allowing B2B service providers to better understand their customers||By matching a client’s customer account data both to itself and to external business reference data Experian can provide a client with a complete view of its relationship with a business customer. This business customer can also be enhanced with business attribute data to allow the client to ensure each customer receives the most appropriate service offers.|
|Supporting Tracing and Collection Services||Providing services that support tracing and collections where there is a legitimate interest in the client conducting activity to find its customer and to recover the debt, or to reunite, or confirm an asset is connected with, the right person.|
Experian BI’s use of this personal data is subject to an extensive framework of safeguards that help make sure that people’s rights are protected. As well as ensuring any data used for marketing by clients is accurate, appropriate and fitting with the needs of the data subject and the client, safeguards include the information given to people about how their personal data will be used at collection and providing means for individuals to exercise their rights to obtain their personal data, have it corrected or restricted and object to it being processed. These safeguards help sustain a fair and appropriate balance between our activities and the interests, fundamental rights and freedoms of data subjects.
Our aim is to ensure that businesses receive communications about B2B products and services that they are likely to be interested in and that suppliers who can deliver those products and services are better placed to communicate with those individuals within those businesses. We believe this is very much in the interests of the individual business person as there are many indirect benefits of this processing:
The Privacy and Electronic Communications Regulations (PECR) which work alongside the GDPR and govern marketing activity using electronic means such as email, phone and text do not apply to the activities Experian BI performs. It will however apply to our clients who use the data we provide to them for marketing purposes by electronic means. Under PECR, email marketing to non-limited businesses requires consent which under the GDPR needs to be specific to the organisation that will send the email. Our suppliers are unable to gather this consent and so for this reason, at this time, we will not be supplying email addresses on non-limited businesses.
However, we will still be providing emails for contacts within corporate/registered businesses on the basis they are only used for marketing of B2B products and services and the DMA Code is followed which includes providing a clear unsubscribe option and then screening future campaigns against the unsubscribe list. A new ePrivacy Regulation is being worked on which will replace PECR and we will keep this area under review.
This section describes the types of recipient Experian BI shares data with. There are strict access control processes in place. For example, before we share data with any another organisation, we do due diligence appropriate for the organisation type and always ensure protections and data security terms are included in our contracts with these organisations.
Experian BI provides business contact and analytical data to businesses wishing to provide B2B products and services. Various checks are completed on new clients to ensure they will use the data for B2B purposes only and this is enforced through contractual terms.
Resellers, distributors and agents
Experian BI sometimes uses other organisations to help provide its services to clients and may provide personal data to them in connection with that purpose only.
Various checks are completed on new resellers, distributors and agents to ensure they will use the data for agreed purposes only and this is enforced through contractual terms.
Experian may use other organisations to perform tasks on our behalf (for example; data validation).
People are entitled to obtain copies of the personal data Experian BI hold about them. You can find out how to do this in Section 9 below.
Public bodies, law enforcement and regulators
The police and other law enforcement agencies, as well as public bodies like local and central authorities and our regulators, can sometimes request Experian to supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax, investigating complaints or assessing how well a particular industry sector is working.
Experian BI holds its main data bases within the UK in the Experian secure data centre. Some data is held in secure ‘cloud’ storage. Experian BI also has operations elsewhere inside and outside the European Economic Area, and personal data may be accessed from those locations too. In both cases, the personal data use in those locations is protected by European data protection standards.
Sometimes Experian BI will need to send or allow access to personal data from elsewhere in the world. This might be the case, for example, when a processor or client is based overseas or uses overseas data centres.
While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. Thus, when Experian does send personal data overseas it will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. For example, these safeguards might include:
Identification data like names and addresses are kept while there’s a continuing need to keep it. This need will be assessed on a regular basis, and data that’s no longer needed for the purposes it was collected for will be disposed of. However, much of this data is used to match and track the movements in business identities and therefore requires on-going retention. Often we receive historic data or aged client files and this retention period ensures we can accurately match data event though ownership, trading styles and locations may have changed over time.
If there has been a deletion request made to Experian BI, the data is deleted immediately from the file but stored for 6 years within a suppression file to enable us to ‘remember’ it has been deleted, ensuring that it isn’t re-inserted through data provided by one of our suppliers.
Other third party supplied data such as politically exposed persons (PEPs) & sanctions data will be stored for a period determined by criteria such as the agreed contractual terms.
Experian BI may hold data in an archived form for longer than the periods described above, for research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence of legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.
We don’t tell our clients which businesses should be offered a product or service, that is for the client to decide. However, we do provide data and analytics that help clients make decisions about which businesses it wishes to engage with and how to communicate to them. The models and data Experian provides are often a valuable tool in the client’s overall processes and criteria they use to make their decisions. A client’s own data, knowledge, processes and practices will also generally play a significant role in their business decisions - and their decisions will always remain for them to make which is something we make clear in our client contracts.
Experian does use the data we obtain to produce some scores that clients use, as described above. However, it is for the client to decide how to use this information.
Data access right
You have a right to find out what personal data Experian BI holds about you. There is detailed information on our website.
To get online information:
To make a request by post:
Customer Support Centre, Experian Ltd, PO BOX 9000, Nottingham, NG80 7WF
Data portability right
New data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts to receive their personal data in a portable format when it’s processed on certain grounds, such as consent. This right is designed to increase competition such as sharing insurance registration details to compare providers. However, this right is not very useful or relevant for basic marketing data and as per Section 4 above, this is not a right that will apply to personal data within business marketing data as Experian BI processes data on the grounds of legitimate interests.
When we receive personal data, we perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, we rely on the suppliers to provide accurate data.
If you think that any personal data we hold about you is wrong or incomplete, you have the right to challenge it. We can tell you who supplied the data to us so you can contact that supplier and have the data corrected at source. It is best to do this as that supplier might also supply other marketing service providers.
If you’d like to do this, you should contact us using the contact details in Section 1 above.
This section helps you understand how to use your data protection rights to object to your personal data being used for marketing purposes. The legislation makes it very clear that you have an absolute right to object at any time to the processing of your personal data for direct marketing purposes. Experian BI has always supported this as we want to be sure that we only hold data on businesses who are happy to be contacted by other businesses about relevant products and services and we believe you should be in control of your data.
Should you wish to object to Experian BI using your personal data for direct marketing to your business then please contact us using the details in Section 1 and we will gladly remove you from our marketing database. We will do this by adding your details to a suppression list, rather than actually deleting your details, so we can remember to not use them ever again. We can also refer you to the supplier of the data if you wish to suppress your details more widely. Please note that it might take up to 28 days for all recipients of the data to suppress your details and so it is possible you might receive some marketing communications during that period. You should also be aware that your data might be available from other suppliers. However, there are two other schemes that businesses and consumers can use to opt out of marketing communications from all suppliers:
It is a legal requirement that companies do not market to telephone numbers and addresses on these registers.
As described above in Section 11 you have an absolute right to object to your data being used for the purposes of direct marketing.
As described in Section 3 the data on your business which may include personal data will also be used to prevent fraud and comply with anti-money laundering and other legislation that is there for your protection or the protection of another natural or legal person. In this case, asking us to restrict how we use your personal data is not an absolute right. Your rights are set out at Article 18 of the GDPR. Experian will consider and respond to requests we receive to restrict processing for these purposes.
Please note that given the importance of records for the purposes of preventing fraud and complying with anti-money laundering and other legislation, it will usually be appropriate to continue processing this data, in particular to protect the rights of another natural or legal person (for example a lender) or because it’s an important public interest of the union or member state.
Experian BI is committed to deliver excellent customer service levels but if you’re not happy you should contact us so we can investigate your concerns.
Post: Experian, PO BOX 8000, Nottingham, NG80 7WF
You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:
If you’re unhappy with how we have investigated your complaint about our use of the data for marketing, you have the right to refer it to the Direct Marketing Commission (DMC). The DMC investigates and adjudicates on reported breaches of the Direct Marketing Association (DMA) Code by DMA members. Please visit their website for more details http://www.dmcommission.com/
If your complaint is about non-marketing use of your data and you are unhappy about how we have investigated your complaint, then if you meet the qualifying criteria (individual, a micro-enterprise, small charity or small trust) you have the right to refer it to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like Experian.
You can contact them by:
This document is designed to provide you with the information you need to understand how Experian Business Information uses your personal data for the purposes of our direct marketing business. This data is held in your capacity as a business owner, director or employee.
Credit Reference Agency
Experian may hold your data in your capacity as a consumer as it also has a business as a Credit Reference Agency (CRA). For further information about how a CRA works, please follow this link to the CRA Information Notice (CRAIN). The CRAIN is intended to provide a concise overview of the key points. More information about Experian and what it does with personal data is available at:
The Information Commissioner’s Office also publishes advice and information for consumers in its Credit Explained leaflet, available at https://ico.org.uk/media/for-the-public/documents/1282/credit-explained-dp-guidance.pdf.