This policy was last updated on 18 January 2023.
GB Group Plc ("GBG", "we", "us" or "our") take the protection and security of your personal data very seriously. This privacy notice sets out the personal information we collect and process about you through our products and services, the purposes of the processing and how you can exercise your privacy rights.
You may be reading this notice because of a link provided by one of our third party data suppliers, one of our customers, or you simply want more information on processing in relation to our products and services.
Where we collect personal information from you directly, for example, through our website or because you have applied for a job with us, please see our Website Privacy Notice.
Our customers and data suppliers will have a lawful reason for processing your data and may have a separate relationship with you. They are separately required to provide you with information (for example through their own privacy notice) about how they collect and process your data.
We have offices in 19 locations, and our registered head office is located within the United Kingdom at:
GB Group Plc
The Foundation
Herons Way
Chester Business Park
Chester
United Kingdom
CH4 9GB
Our Company Registration Number is: 02415211
If you have any questions about how we use your personal data, please contact our Data Protection Officer by email at DPO@gbgplc.com or call + 44 (0) 161 909 6713.
Our EEA representative is located in Spain at the following address
GBG
Edifici El Triangle 4a planta
Placa de Catalunya
1 08002 Barcelona
Spain
T: +34 (0) 935 451 156
We review this privacy notice on an annual basis, sooner if changes to regulation require it or we change the way we process personal data.
GBG is a global organisation who create technology. Typically, customers use our technology so they can verify the information that you give to them about yourself. We do this by matching third party reference data (which we receive from data suppliers) against the data you give about yourself to our customers. This still sounds complex, so an example is often the easiest way to explain…
More examples are included in the table below describing why we collect your personal data.
The personal information that we may collect about you broadly falls into the following categories:
Category |
Examples |
Basic information |
Name/Address |
Attribute |
Telephone/Email/Date of Birth |
Device |
IP, GEocode, DeviceID |
Financial |
Home Ownership, County Court Judgments, Insolvency |
Social |
Social Networks |
Image |
Photo on a passport or driving licence, self-taken photos |
Why we collect your personal data depends on the services we provide.
We will collect personal information where the processing is in our or our customer’s legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. These include legitimate business interests which provide a societal benefit, such as preventing fraud, crime prevention and detection and ensuring only individuals who should have access to services are able to do so.
In some of our Identity Products & Services we may also rely on your explicit consent as our lawful basis, where the processing includes special category data in the form of your biometric data. If you are not happy to provide your explicit consent, then please consult with the organisation that you are engaging with. They may provide an alternative means to verify your identity. Unfortunately, this is not something GBG can influence.
The table below identifies the legitimate interest that we rely on pursuant to the GDPR for each of our activities.
Activity/Purpose |
GBG's Lawful basis |
Location Intelligence: Address Capture & Verification |
Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to ensure you receive the goods/services you have ordered and prevent fraud by ensuring your data is accurate and up-to-date. |
Identity |
Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to prevent fraud by ensuring you are who you say you are, so you can access goods and services compliantly. Many of our customers must also meet a legal obligation when processing your personal data, such as ensuring you are old enough, or verifying your identity. Consent: The journey includes steps that will perform face match and liveness tests so your biometric data will be processed. This is special category data under the GDPR, and GBG will rely on explicit consent under Article 9(2)(a) to process such data. |
Fraud & Compliance Management |
Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, these services help to prevent fraud and allow our customer to meet their compliance obligations. |
Pursuant to our obligations under Article 30 GDPR, we maintain an up-to-date record of processing activities under our responsibility, which details for each of our processing activities the legitimate interest relied on as a lawful basis for processing the personal data.
You are entitled to more information on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal data. If you have questions about this or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided below.
As explained above under "What do we do", we receive personal data about you from our customers and data suppliers. We also send your personal data to our customers and data suppliers, where there is a lawful reason, to do so in order to provide our products and services.
GBG Customers
We offer our products services to public and private organisations worldwide. These include:
Sector |
Examples |
Financial Services |
Banks, insurance providers, debt management companies |
eCommerce |
Retail (online shopping), online commerce platforms |
Gaming |
Online gaming |
Consumer Directories |
Travel and leisure, media |
Public Sector |
Law enforcement, local government, education bodies |
Utilities |
Gas, electricity, water suppliers and switching/price comparison sites |
GBG Data Suppliers
We work with a number of trusted data suppliers. These include:
Data Supplier |
Further information |
Government / Public Authorities |
These bodies include authorities that provide driving licence information, passport information, citizen identification number, social security number, insolvency records (also in publicly available) or sanctions lists (also in publicly available). Examples of this include:
|
Regulated Financial Services Organisations / Firms |
These entities collect information about your financial status, but this data can also be used to help organisations like us verify your identity by confirming you are who you say you are, and where you live, or if you have lived at an address. Credit reference agencies (CRAs) play a key role in the UK’s financial ecosystem. There are 3 CRAs in the UK: Equifax, Experian and TransUnion. They each provide us/you with a copy of the “CRAIN”, Credit Reference Agency Information Notice. |
Other Regulated Organisations / Firms |
These entities provide personal data which can help to verify or contact you, for example you have made a choice whether or not your landline is included in the public telephone directory. In the UK, BT Wholesale Directory Services deliver this. It is known as “OSIS”, which is the abbreviation for Operator Services Information System. Data is collected from multiple providers to create this central database of publicly available phone numbers. |
Commercial Organisations |
These entities provide your contact details, such as name, address, telephone number or email address, which we can then use to meet the request you have made to one of our Customers. |
Customer Data |
These customer entities have informed individuals that data will be provided to GBG for additional purposes of generating risk scores or creating fraud and/or identity alerts, insights and reports. |
Publicly available, collected by a third party organisation or GBG |
These entities provide information about insolvency records, property information, sanction lists, PEPs information, social media / convention online information / deep web / dark web, income index or family situation. Examples of this include County Court Judgements (CCJs) from the Registry Trust. |
Non personal / address data |
These entities provide information about deceased records, geocodes, co-ordinates, postcodes or zipcodes. |
We may also disclose your personal data to the following categories of recipients:
Once the respective purpose ceases to apply, we will either delete or anonymise the personal information or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
As explained above in the section “What do we do”, GBG access personal data in 2 ways. When we access personal data via a web service, our data suppliers hold the database therefore GBG does not see or have any control over this, other than via our GBG Audit Trail which we explain below.
We also receive personal data which we host a copy of. At the point of collection, you will have been advised how long your personal data will be held for, which will be different to the retention period GBG state below.
A ‘data refresh’ is how often GBG get a copy of the personal data. The data supplier may provide GBG with a complete refresh, which is a new copy of the entire file. Some data suppliers only provide updates to a file (e.g. new records, updates to existing records or a request to delete records). GBG then apply these updates to a master file we hold. What this means is whilst GBG gets a new copy of the data, this database may contain much of the same data we have previously received. This explains why the data refresh is different to GBG’s data retention period.
Data Refresh |
GBG Data Retention Period |
Further Information |
|
GBG Audit Trail |
Daily |
12 months |
GBG retain a copy of your personal data for a period of twelve (12) months to enable GBG to respond when an individual wishes to exercise a data subject right. |
Full Electoral Roll |
Monthly |
From 1992 The retention period will increase each year, up to 80 years. This will then be maintained at 80 years. Customer access is restricted for 6 years, with the opportunity to view earlier data providing they have a justification. |
This data is governed by the Representation of the People Act, therefore can only be used by our public sector/law enforcement customers. |
Open Register |
Monthly |
From 2003 The retention period will increase each year, up to 80 years. This will then be maintained at 80 years. Customer access is restricted for 6 years, with the opportunity to view earlier data providing they have a justification. |
Also known as the Edited Electoral Roll. |
Insolvency Data |
Weekly |
6 years |
We receive data from 3 sources: England and Wales, Scotland and Northern Ireland. They each send GBG any new records, amended records or records they would like us to delete. We then apply this to a copy of the database we hold. |
Postcode Address File (PAF) |
Daily |
Variable GBG receives daily updates of PAF, which we hold for 2 weeks but we apply this to a copy of the database we hold where an address is retained for as Royal Mail keeps it on their master database (i.e. for as long as the property exists). |
PAF is address data provided by Royal Mail |
BT OSIS (UK Telephone Number Database) |
6 days a week |
Variable GBG receive updates of any new records, amended records or any records we need to delete and we hold these update files for 2 weeks. We apply the updates to a master database, so you will stay on this until BT ask us to remove you, which is typically when you cease having a landline telephone number. |
You may know this as the BT Phonebook. GBG must refer to it by its name as dictated by our licence. |
Commercial Data |
Weekly or Monthly |
2 Months |
GBG receive a full refresh of the data each month, but may receive a weekly update asking us to remove a record if an individual has exercised one of their data subject rights to our data supplier. |
GBG Data |
Daily |
12 Months |
GBG retain a copy of your personal data for a period of twelve (12) months. |
If you have questions about or need further information concerning how long we keep your personal data for, please contact us using the contact details provided below.
Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.
Our group companies, data suppliers, customers and third party providers and partners operate around the world. This means that when we collect your personal information we may process it in any of these countries.
However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this privacy notice.
Where appropriate, these include implementing the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Agreement for international data transfers between our group companies, which require all group companies to protect UK and EEA personal data in accordance with UK and European Union data protection law.
We have implemented similar appropriate safeguards with our data suppliers, customers and third party providers and partners.
As an individual, you have rights under the GDPR regarding the use of your personal data, these are:
Please keep in mind that some of these rights are subject to an internal assessment that one of the grounds under the GDPR is satisfied.
You can make a request to us directly by completing this form.
Alternatively, you can send these requests by post to:
Privacy & Data Compliance Team
GB Group Plc
The Foundation
Herons Way
Chester Business Park
Chester
CH4 9GB
United Kingdom
Or you can make a request in person or call +44 (0) 161 909 6713.
You are not required to pay any charge for exercising your rights. We have one calendar month to respond to you. If GBG are unable to comply with your request, we will provide you with an explanation.
We appreciate that at GBG we may not always get things right and it is regrettable for us as an organisation when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal data is used by GBG then please use this form, alternatively please write to us at:
Privacy & Data Compliance Team
GB Group Plc
The foundation
Herons Way
Chester Business Park
Chester
CH4 9GB
United Kingdom
GBG will investigate and aim to respond within 10 working days, this allows us time to investigate your complaint thoroughly.
Where you believe that GBG has not taken our responsibilities with your personal data seriously, you have the right to complain to a Supervisory Authority. In the UK, GBG's regulator is:
The Information Commissioner's office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone number: 0303 123 113 or 01625 545 745
Email: casework@ico.org.uk