Data Processing Grounds

Under data protection law, every organisation processing personal data for its own purposes must have a lawful ground for processing any personal data relating to an individual.

Experian processes your personal data under a lawful ground known as the 'Legitimate Interests condition'.


We can rely on the Legitimate Interests condition to lawfully process data where the processing of your personal data is necessary in our legitimate interests or those of another organisation. In relation to the processing of personal data as part of our marketing services, our clients have a legitimate interest in finding new customers or making sure they deliver the best products and services to existing customers through their marketing activities. The processing of your personal data is also necessary in our legitimate interests as it enables us to conduct and manage our business and to help our clients market more effectively.

For example, we have an interest in making sure marketing is relevant for you, so we process your personal data so our clients can send you marketing for products, offers and services that are relevant to you and tailored to your likely interests.

Before we rely on the legitimate interests condition to process your personal data, we are required to carry out a thorough balancing test (the ‘Legitimate Interests Balance’) to ensure that, we balance any potential impact on you (both positive and negative), and your rights under data protection laws against the legitimate interests being served. Our legitimate business interests do not, nor should they, override your interests - we will not use your personal data for activities where the balancing test determines that our interests are overridden by the potential impact that the processing might have on you.

The controls necessary to ensure we balance our interests, the interest of our clients and your rights, extend into all constituent parts of the marketing ecosystem:

Our Personal data suppliers

By working closely with our data suppliers, we ensure individuals are provided with information about the processing of their personal data which will take place within Experian’s environment. This information will be provided in the privacy policies/collection notices of the supplier and through links to the material provided in these information pages by Experian.

We expect high standards of compliance with data protection requirements from our suppliers and monitor accordingly.

Experian’s Marketing Services

We apply high standards of overall data protection.  As an organisation regulated by the Financial Conduct Authority (FCA) it is vital we do so to protect consumers against detriment. Among many other things, this involves Experian continuing to manage our data assets in accordance with the data protection principles, keeping comprehensive internal records of all our processing, and giving full effect to data subject rights. 

Specifically, in relation to our marketing services, and to ensure as much transparency as possible, Experian makes these consumer information pages available, providing information about our processing of personal data within the marketing ecosystem. 

Our Clients

We expect our clients to operate strong data protection in relation to their marketing activities, ensuring it is easy for data subjects to indicate they do not wish to receive further marketing from an organisation, and dealing swiftly and effectively with any such requests.

Tight controls are maintained over the types of organisations that can access our marketing services to ensure you are only contacted by brands and organisations we believe will be of interest to you. For example, we have a robust and consistent set of guidelines on the provision of products/services to specific industries which we consider could have an inappropriate or intrusive impact on individuals if our marketing products and services were used by these organisations to contact individuals.

Experian will not deal with organisations with a poor record of compliance, either at the level of the individual organisation or problem sectors.

Where clients have a direct and existing relationship with data subjects (i.e. where they are existing customers), we will expect clients to provide the right information to data subjects about the processing of personal data which will be undertaken in respect of any relevant marketing activity, and establish the basis on which the processing will be lawful under GDPR.

So overall, under the legitimate interest balance, a data subject who has volunteered his or her personal data into the marketing ecosystem can therefore expect the following from Experian:

We will tell you what we intend to do with your data, through notification within our data suppliers’ privacy policies when your data is collected and through our information pages. We will then process your data under a Legitimate Interest, that is balanced in line with your data subject rights.