You have a number of rights under data protection laws but they do not apply in all circumstances. If you wish to exercise any of them we will explain at the time of your request whether they apply or not.

  • The right to be informed – we have to be very clear with you about the processing that we do with your personal information. This includes why your personal information is being processed, on what legal basis, to whom and where it may be sent, for how long it may be kept, and what your rights are. You also need to be told who the “data controller” is. A data controller is the individual or the legal person who controls and is responsible for the keeping and use of your personal information. All of this information is contained in our leaflet entitled, ‘How we use personal information’. The information that you give us can come directly from you or indirectly via someone else (such as a broker or other intermediary).
  • The right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed. If we have disclosed your personal information to other organisations, we must inform them if we make any corrections or additions, where possible.
  • The right to object to processing of your personal information where it is based on legitimate interests, for marketing (including profiling relevant to marketing) or where it is processed for the purposes of statistics. Your right to object may be relevant if you wish to find out more about what legitimate interests we rely on or about what profiling we do in relation to our marketing communications and other activities, for instance. Legitimate interests and details of profiling are set out in our ‘How we use personal information’ leaflet. There is an important difference between the right to object to profiling relevant to marketing in cases where that profiling activity does not have a legal effect on you or otherwise significantly affect you, and the separate right under data protection laws in relation to profiling including automated decision making which has a legal effect or can otherwise significantly affect you (see below).
  • The right to restrict processing of your personal information. This right may apply where you think your personal information is inaccurate (until the accuracy is verified), or where you have objected to the processing (where it was necessary for legitimate interests) and we are considering whether our organisation’s legitimate interests override your own. This right may also apply where the processing is unlawful and where you oppose erasure and request restriction instead; or where we no longer need the personal information for the purposes of the processing for which we were holding it but where you require us to continue to hold it for legal reasons.
  • The right to have your personal information erased (also known as the “right to be forgotten”). This enables you to request the deletion of your personal information where there is no compelling reason for its continued processing. The right to have your personal information erased only applies in particular circumstances. It may be relevant where the personal information is no longer necessary in relation to the purpose for which it was originally collected and processed. It may also apply if the processing is based on consent which you then withdraw; when you object to the processing and there is no overriding legitimate interest for continuing to process your data; if the personal information is unlawfully processed; or if the personal information has to be erased to comply with a legal obligation. In some circumstances we may not be able to comply with a request for erasure, such as where we have to retain the personal information for legal reasons.
  • The right to request access to the personal information held about you, to obtain confirmation that it is being processed, and to obtain certain information about how we process it. This may assist you if you wish to find out what personal information we have about you in order to help you decide if you can exercise other rights mentioned above and below.
  • The right to data portability. This allows individuals to obtain and reuse their personal information for their own purposes across different services. It enables you to move, copy or transfer your personal information from one environment to another in a safe and secure way while ensuring it can still be used. This right is only relevant where your personal information is being processed based on your consent or for performance of a contract and is carried out by automated means. This right is different from the right of access (see above) and the types of information you can obtain under these two rights may be different. You are not able to obtain through the data portability right all of the personal information that you can obtain through the right of access.
  • Rights in relation to automated decision making which has a legal effect or otherwise significantly affects you. In certain circumstances, this right allows you to access certain safeguards against the risk that a potentially damaging decision is taken solely without human intervention or review. This right is different from the more general right to object to profiling (see above) because that other right is not tied to a circumstance where there is a legal effect on you or where the processing otherwise significantly affects you. Data protection laws prohibit this particular type of automated decision making except where it is necessary for entering into or performing a contract; is authorised by law; or where you have explicitly consented to it. In those cases, you have the right to obtain a review and an explanation of the decision and you may be able to challenge that decision.

If you wish to exercise any of these rights against a Credit Reference Agency, or a broker or other intermediary who is data controller in its own right, you should contact them separately.


You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.


We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.


Please let us know if you are unhappy with how we have used your personal information. You also have the right to complain to the Information Commissioner’s Office: