Experian EU-U.S. Data Privacy Framework Privacy Notice
Effective Date: November 3, 2023
Experian Holdings, Inc. and its subsidiaries including Experian Marketing Solutions, LLC, Experian Information Solutions, Inc., Consumerinfo.com, Inc. and CSIdentity Corporation, Inc. (together, “Experian”), complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Experian has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov.
Experian is responsible for the processing of personal data it receives under the DPF and subsequent transfers to a third party acting as an agent on its behalf. Experian complies with the EU-U.S. DPF Principles for all onward transfers of personal data, including the onward transfer liability provisions.
The Federal Trade Commission has jurisdiction over Experian’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
For any complaints or concerns related to Experian’s processing of personal data, please contact Experian at firstname.lastname@example.org. For any complaints or concerns related to CSIdentity Corporation, Inc.’s processing of personal data, please contact CSID at email@example.com. If you have an unresolved complaint or concern related to our handling of non-human resources personal data that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. Please contact us if you would like us to direct you to your Data Protection Authority contacts.
Under certain conditions, more fully described on the DPF website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Collection and Use of Personal Data
We may collect the following types of personal data from you directly as follows:
- When you are a point of contact for a service provider or similar business partner, we may collect your name, title, email address, phone number, company name, company address and industry so we may communicate with you and generally maintain and administer our business relationship.
- In connection with CSIdentity Corporation, Inc.’s products and services, which includes Web Portal Access, Dark Web Monitoring Service, Social Media Monitoring Service and Identity Restoration Service, we collect personal information directly from you in order to provide these services to you. This personal information could include such identifiers as name, date of birth, contact details such as address or phone number, log-in details and password, credit/debit/retail card number, bank account number, national insurance/medical ID number, national identifier or social security number, driver’s license number or passport number. We may also occasionally collect Special Category Personal Information via the Dark Web Monitoring or Social Media Monitoring Services. These categories of personal information could include your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of: genetic data, biometric data for the purpose of uniquely identifying you, data concerning your health or data concerning your sex life or sexual orientation, or data which is otherwise a category of information for which explicit consent is required to allow us to process this information under applicable local law. We use this information to enable you to set a log-in to the web portal to access our other services, or to search our database to determine whether any of your personal information has been compromised, and send you alerts about this where matches are found, or to search your nominated social media profile and/or wall posts to identify privacy and/or reputational risks, and send you alerts about risks we identify, or to provide you with advice about how to manage identity risks and, if it informs part of your subscription, to take steps on your behalf and on your request.
We may collect the following types of personal data from you indirectly as follows:
- In connection with our Global Data Network (GDN) and International Developed Profiles, we may collect information about a queried business through public sources. Some business information we obtain may relate to individuals and include personal data such as names as they appear in the name of a sole proprietorship; the names, addresses, birthdates, nationalities and dates of appointment of directors; the names and ownership interests of shareholders; and the names, addresses, dates of appointment and dates of resignation of corporate secretaries. We use this information to create reports about queried businesses for our customers who purchase them.
- In connection with data storage services provided to our affiliate, Experian Consumer Services UK, we may host information related to their consumer services offerings.
- In connection with the CrossCore platform, we may process your name, billing address, shipping address, phone number, email, date of birth, credit card number, and transaction-related passwords and/or security codes. We use this information to provide customers with a multi-solution platform (including some Experian solutions like Fraudnet as well as other third-party solutions) for their own fraud detection and data storage purposes.
- In connection with Experian Data Quality, we may process email addresses, physical addresses, and phone numbers supplied by our customers. We compare this information against physical addresses, phone numbers and email addresses obtained from telephone directories, and other authorized data providers, to provide our customers with more accurate information about you to be used in their own marketing efforts.
- In connection with our Experian Developer Portal, we may collect personal data from you to facilitate login to our developer portal. The personal data will be collected upon registration and will include first name, last name, password, email address, company name and phone number. The data will be used to generate an identification token and password for login access to the portal.
- In connection with data hosting services provided to our affiliate Experian Decision Analytics UK, we may receive and host information such as first name, last name, email address and login information to facilitate a user authentication protocol.
When we obtain your personal data from public sources, we will only use that information for the specific reason for which it was provided to us.
Disclosures of Personal Data
We may share personal data we obtain about you from public sources with our customers and third party business partners for the provision of our services.
We may share your personal data with third parties who provide services on our behalf to help with our business activities. These services may include data storage services, contact center providers, customer service, and business operations. These companies are authorized to use your personal data only as necessary to provide these services to us.
If Experian is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or notice on our website, of any change in ownership, uses of your personal data, and choices you may have regarding your personal data.
In certain situations, Experian may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose your personal data as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. We may also disclose your personal data to any other third party as permitted by law.
Security, Retention and Data Integrity
Experian follows generally accepted standards and maintains physical, electronic, and procedural safeguards to protect the personal data submitted to us. Experian continually monitors access to its systems to detect unauthorized attempts to gain access to information. We may retain your information for as long as your account is active or as needed to provide services, comply with our legal obligations, resolve disputes, and enforce our agreements.
With regard to personal data Experian controls, upon request, we will provide you with information about whether we hold any of your personal data. You may access, correct, or request deletion of your personal data by contacting us at firstname.lastname@example.org. For access, corrections or deletions of your personal data pertaining to services provided by CSIdentity Corporation, Inc., please contact us at email@example.com. This right of access applies only to personal data about the individual making the request and is subject to other limitations as defined by law, or where the burden or expense of providing access would be disproportionate to the risks related to the privacy of the individual or where the rights of other individuals would be violated.
As a processor, Experian acknowledges that you have the right to access your personal data. Experian has no direct relationship with the individuals whose personal data it processes. An individual who seeks access, or seeks to correct, amend or delete inaccurate data should direct their query to Experian’s customer, the data controller. If you contact us with the name of an Experian customer to whom you provided your personal data, we will refer your request to the customer and support them in responding to your access request. If requested to remove data by the data controller, we will respond within a reasonable timeframe.
We provide choices and means for individuals to limit the use of their personal data. In addition to providing individuals with choices regarding our use of their information, we will remove an individual’s name and related information from our direct marketing information products if they request it. You may access, correct, or request deletion of your personal data by contacting us at firstname.lastname@example.org. For access, corrections or deletions of your personal data pertaining to services provided by CSIdentity Corporation, Inc., please contact us at email@example.com.
In certain circumstances, we may be required by law to retain your personal data or may need to retain your personal data to continue providing a service.
Changes to this Policy
We may update this Notice to reflect changes to our information practices. If we make any material change to this Notice, we will notify you by means of a notice on this website. We encourage you to periodically review this page for the latest information on our privacy practices.
If you have questions or concerns, you may contact Experian by:
Chief Privacy Officer
475 Anton Blvd.
Costa Mesa, CA 92626
If you have questions or concerns about CSIdentity Corporation, you may contact CSID at:
1501 S. Mopac Exp
Austin, TX 78746