GBG Group plc (“GBG”, “we”, “us” or “our”) take the protection and security of your personal data very seriously. This privacy notice sets out the personal information we collect and process about you through our products and services, the purposes of the processing and how you can exercise your privacy rights.
You may be reading this notice because of a link provided by one of our third party data suppliers, one of our customers, or you simply want more information on processing in relation to our products and services.
Where we collect personal information from you directly, for example, through our website or because you have applied for a job with us, please see our Website Privacy Notice.
Our customers and data suppliers have a separate relationship with you, or will have a lawful reason for processing your data. They are separately required to provide you with information (for example through their own privacy notice) about how they collect and process your data.
We have offices in 19 locations, and our registered head office is located within the United Kingdom at:
GB Group Plc
Chester Business Park
Chester CH4 9GB
Our Company Registration Number is: 02415211
If you have any questions about how we use your personal data, please contact our Data Protection Officer by email at DPO@gbgplc.com or call +44 (0) 1244 657277.
We review this privacy notice on an annual basis, sooner if changes to regulation require it or we change the way we process personal data.
This policy was last updated on 11 August 2020.
GBG is a global organisation that creates technology. Typically, customers use our technology so they can verify the information that you give to them about yourself. We do this by matching third party reference data (which we receive from data suppliers) against the data you give about yourself to our customers. This still sounds complex, so an example is often the easiest way to explain…
- You are going to open a bank account
- In order to open the bank account, the bank (our customer) needs to verify you are who you say you are. This is for a number of reasons, such as for the bank to comply with anti-money laundering regulations or fraud purposes.
- The bank collects personal data from you and passes this to GBG’s technology to process (via our products and services).
- As part of this processing, we may match the data you provided against third party data (from our data suppliers), such as data belonging to Credit Reference Agencies or public sources, such as the voters register.
- We pass a result back to the bank (our customer) on whether we could match your input data against the third party data.
- Our customer then decides how they will respond to you, e.g. open your bank account, decline your request etc.
More examples are included in the table below describing why we collect your personal data.
The personal information that we may collect about you broadly falls into the following categories:
|Attribute||Telephone/Email/Date of Birth|
|Device||IP, Geocode, DeviceID|
|Financial||Home Ownership, County Court Judgments, Insolvency|
|Image||Photo on a passport or driving licence|
Why we collect your personal data depends on the services we provide.
|GBG Service||Description of services / why we collect this personal data|
|Location Intelligence||Address Capture & Verification – we can capture and verify your address globally. Our service aims to create the best, quickest experience when you order online, whilst ensuring the company you are engaging with have everything they need to fulfil your request. For example, it is much quicker for you to enter a postcode and be presented with a list of addresses to select from, as opposed to entering the full address. There is also the option where the company you are engaging with can verify if you have provided a valid email address or phone number so they can get in touch with you if needed. Some of our customers also take Geocodes, which is a unique identifier for your address, so the delivery company can easily find you to deliver the item you have ordered.
Data Cleansing – we are all busy people and it’s often difficult to remember and very time consuming to contact all the businesses we engage with if any of our details or preferences change. These organisations also have a legal requirement to keep your data up-to-date, which is where we come in. We can help them identify if your details are no longer valid, for example you may have moved address, and dependent upon what choices you have made (such as providing your new address to one of our data suppliers), we can even provide them with your new address. If someone in your household has died, if our customer asks, we can let them know, so you stop receiving contact/post which we know can be upsetting.|
|Identity||Identity & Age Verification – we can capture and verify your identity globally, making it easier for you to transact online. What this includes depends on the organisation you are engaging with. For example, we can verify the authenticity of your identity documents or check if you are over a particular age if you want to access a service which has age restrictions. Our customers do this because many of them must meet regulatory requirements and prevent fraud, so we help them to meet their requirements, with you in mind, to make things as simple and easy as possible.
Employee Onboarding – if you are trying to get a job or volunteer, organisations must complete checks on you to ensure they meet their regulatory or moral obligations. For example, we can offer criminal record checks helping to ensure known criminals cannot interact with your child, or checking a delivery driver has a valid driving licence so they are safe to be on the road.
Identity Intelligence & Tracing – used for law enforcement, asset reunification and debt collection to identify and locate individuals. Where a company has minimal or old information on you, there may be a need to contact you. To give you an example, our product has helped assist police in locating a domestic abuse victim who needed help. A woman made a 999 call as there was an incident at a domestic address. The police used GBG’s product to identify three possible addresses. Patrols attended each address and the operator was able to hear the officers knocking on the door, confirming they were in the right place. A man was arrested and the woman treated for her injuries.|
|Fraud & Compliance Management||We help our customers reduce fraud which benefits you by ensuring you get the best price, your identity is protected, and you receive goods and services you order. With each online order companies must make a decision whether to ship or decline it. To give you an example, Mary Christmas placed a large food order on the last shipping day before Christmas. Her name triggered fraud indicators: due to her name and timing, the retailer would have normally declined the order. However, the retailer used our service to determine that Mary Christmas was a legitimate customer. Mary Christmas’s goods were dispatched and she/her family got to enjoy a lovely Christmas lunch.|
GBG’s legal basis under the GDPR for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we will normally collect personal information where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. These include our legitimate business interests which provide a societal benefit, such as preventing fraud, crime prevention and detection and ensuring only individuals who should have access to services or perform in a particular role are able to do so.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided below.
As explained above under “What do we do”, we receive personal data about you from our customers and data suppliers. We also send your personal data to our customers and data suppliers in order to provide our products and services. Here we set out further details about our customers, suppliers and other categories of recipients.
We offer our products and services to public and private organisations worldwide. These include:
|Financial Services||Banks, insurance providers|
|eCommerce||Retail (online shopping), online commerce platforms|
|Consumer Directories||Travel and leisure, media|
|Public Sector||Law enforcement, local government, education bodies|
|Utilities||Gas, electricity, water suppliers and switching/price comparison sites|
GBG Data Suppliers
|Data Supplier||Further information|
|Government / Public Authorities||These bodies include authorities that provide driving licence information, passport information, citizen identification number, social security number, criminal record information, insolvency records (also publicly available) or sanctions lists (also publicly available).
Examples of this include:
|Regulated Financial Services Organisations / Firms||These entities collect information about your financial status, but this data can also be used to help organisations like us verify your identity by confirming you are who you say you are, and where you live, or if you have lived at an address.
Credit reference agencies (CRAs) play a key role in the UK’s financial ecosystem. There are 3 CRAs in the UK: Equifax, Experian and TransUnion. They each provide us/you with a copy of the “CRAIN”, Credit Reference Agency Information Notice.|
|Other Regulated Organisations / Firms||These entities provide personal data which can help to verify or contact you, for example you have made a choice whether or not your landline is included in the public telephone directory. In the UK, BT Wholesale Directory Services deliver this. It is known as “OSIS”, which is the abbreviation for Operator Services Information System. Data is collected from multiple providers to create this central database of publicly available phone numbers.|
|Commercial Organisations||These entities provide your contact details, such as name, address, telephone number or email address, which we can then use to meet the request you have made to one of our Customers.|
|Publicly available, collected by a third party organisation or GBG||These entities provide information about insolvency records, property information, sanction lists, PEPs information, social media / convention online information / deep web / dark web, income index or family situation. Examples of this include County Court Judgements (CCJs) from the Registry Trust.|
|Non personal / address data||These entities provide information about deceased records, geocodes, co-ordinates, postcodes or zipcodes.|
We may also disclose your personal data to the following categories of recipients:
- to our group companies, third party services providers and partners who provide data processing services to us, or who otherwise process personal information for purposes that are described in this privacy notice;
- to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
- to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger, acquisition, restructuring or insolvency of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this privacy notice.
We retain personal information we collect from our customers and data suppliers where we have an ongoing legitimate business need to do so (for example, to provide our customers with a service you have requested or for our customers to comply with applicable legal requirements, such as anti-money laundering).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
If you have questions about or need further information concerning how long we keep your personal data for, please contact us using the contact details provided below.
Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.
Our group companies, data suppliers, customers and third party service providers operate around the world. This means that when we collect your personal information we may process it in any of these countries.
However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this privacy notice.
These include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information between our group companies, which require all group companies to protect personal information they process from the EEA and UK in accordance with UK and European Union data protection law.
Our Standard Contractual Clauses can be provided on request. We have implemented similar appropriate safeguards with our data suppliers, customers and third party service providers and partners and further details can be provided upon request.
As an individual, you have rights under the GDPR regarding the use of your personal data. These are:
- The right to withdraw consent – you can withdraw consent at any time.
- The right to erasure – you can request that GBG remove your personal data from our systems.
- The right to restrict processing – you can request that GBG only process your personal data for the purposes you specify.
- The right to data portability – you can request that the personal data you have provided to GBG be ported to another organisation.
- The right to access your personal data – you have a right to know what personal data GBG hold on you and for what purpose we are processing your personal data. This is known as a Subject Access Request (SAR).
- The right to rectification – you have the right to ask us to rectify any information you believe is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- The right to object to processing – you have the right to object to processing if we are able to process your information because the processing is in our legitimate interests.
- The right to obtain information upon request on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal data.
Please keep in mind that some of these rights are subject to an internal assessment that one of the grounds under the GDPR is satisfied.
You can send these requests to firstname.lastname@example.org or by post to:
Privacy & Data Compliance Team
GB Group Plc
Chester Business Park
Chester CH4 9GB
Or you can make a request in person or call +44 (0) 1244 657277.
You are not required to pay any charge for exercising your rights. We have one calendar month to respond to you. If GBG are unable to comply with your request, we will provide you with an explanation.
We appreciate that at GBG we may not always get things right and it is regrettable for us as an organisation when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal data is used by GBG then please write to us at:
Privacy & Data Compliance Team
GB Group Plc
Chester Business Park
Chester CH4 9GB
Alternatively, you can email us at email@example.com.
GBG will investigate and aim to respond within 10 working days. This allows us time to investigate your complaint thoroughly.
Where you believe that GBG have not taken our responsibilities with your personal data seriously, you have the right to complain to the UK Supervisory Authority. Its details are:
Information Commissioner’s Office
Cheshire SK9 5AF
Telephone number: 0303 123 113 or +44 (0)1625 545 745