Why do credit raters have my data?

As far as I’ve understood the situation, there are credit rating agencies (Experian, Equifax, etc.) who have on file lots of information about my financial life. They then sell this information on to other financial institutions.

My question is - how is this even allowed? I understand that if you sign up to an account with Facebook, they have access to all the data you leave there while using their services. But it seems odd that in today’s world of GDPR that a company that I have never signed an agreement with is allowed to access lots of data point about me that I have no control over.


In short, it’s within the T&Cs of the banks when you sign up that they can send your data to CRAs.


Privacy policies and use of data form a fundamental part of the terms and conditions you agree to, so by agreeing to them you are agreeing to transferring data to CRAs and FPAs.


I would imagine it falls under legitimate interest. Specifically in preventing the harm to both you and the businesses involved if you have issues with debt.
I should add that they are perhaps a bit strange in that, whilst they hold the data and allow others to access it, the controller of the data is whichever business posted it.


It’s impossible for you to control every single piece of personally identifiable datum you produce daily.

You produce data simply by moving about in public. Interacting with any other person or organisation. Switching on your television or your microwave. Fundamentally, before you exist as a person on this planet, to long forever after you die, data about you is processed.

That’s just how your life is in the 21st Century I’m afraid. You cannot change that fundamental fact.

Why are you obsessing about just the CRAs? You can’t have a Monzo account without the bank passing your data to the CRAs, to the company which prints and sends you your debit card, to every bank which holds an account of someone you pay money, to every shop you purchase at, and every company which runs their card POS terminal, and their bank, and Visa and Mastercard and Amex, and Google which produces the map in the app showing you where the shop was, and Apple on whose device you run your account, and Amazon which hosts Monzo’s data, and Flux which tallies up your loyalty points, and on and on and on.

GDPR is the best tool you have to protect you, and it’s pretty damn good. An example of something spectacular the EU has done for its citizens. But it’s not meant for you to control other entities holding data which identifies you, it’s designed to protect you from them misusing it.


It does all seem a little shady doesn’t it, but mostly because it’s hidden away in legalese that few people read (I don’t!). If you are concerned about who has what, you can ask for your entire customer record from any of these organisations and they are legally bound to send you it all.

And most of the agreements were in place, and thus the data shared, before GDPR came along (I believe GDPR is a ‘fix forward’ solution, and need to be applied in retrospect, but could be wrong).

Before GDPR the UK had the Data Protection Act, which was pretty good. GDPR applies to all data a company holds about you, and to every employee which handles it, so it can’t apply just from its introduction; it’s all-encompassing.


The answer is simply due to decades of laissez-faire governments and British public apathy towards privacy issues.

It is absurd when you strip it down to the basics. Lenders want to know as much as possible about potential clients, so they hire these private investigators (aka credit ref agencies) who hold mountains of data on everyone, whether they are looking to borrow money or not. Because they’ve grabbed that data and they’ve done it for decades, they are allowed to keep doing it and sell your data to whoever they decide. It’s nuts when you break it down to what it is.

In France they are forbidden from holding this sort of information about you. I think it’s a great example of how things can be and probably a good chunk of GDPR has been fostered from those sort of French (and German?) ethics.

I don’t know if we in the UK could ever put the rights of individuals to privacy and ownership of their own data over the rights of big corporations to not be bothered.

I’d say I lean to the left and even my first reaction would be “how would lenders be able to credit score efficiently without credit reference agencies holding my data?” whereas a French version of me might ask why anyone other than me should ever glimpse my data without my knowledge and express consent.

I don’t want to get political but with the recent and upcoming events in UK politics, we are only going to be moving away from these “everyone deserves this” sort of ethics in future and more towards the “get what you’re given” that we’ve been used to for hundreds of years. I highly doubt we’ll ever see the day that we can decide whether we want Equifax or Experian or no one to be able to hold or see our data.


Thanks for the responses - I actually learnt some things! :nerd_face:

I found that Monzo’s Privacy Notice was a good place to start. It’s actually quite readable, and I found a link to a relevant data privacy document by Experian.

Although it’s not as easy to read, what I essentially gather from this is that the CRAs gather and keep data on me for legitimate purposes such as preventing fraud and promoting responsible lending. However, there seems to be a rather large scope for other uses as well. It even outright says that they make use of my data for many other things not listed in the Information Notice (Section 2, “Other activities”).

It’s this sort of thing that bothers me. These agencies keep my data for legitimate functions that I think are comparable to other things I agree with as a member of society, such as criminal and medical records. But from my, admittedly, very limited reading of this, they also seem to profit massively from using my data for all kinds of other purposes. Hospitals and the police also keep data on me for legitimate functions, but I would object to the same institutions using my data for commercial purposes. How are the CRAs any different? My sense is that this is a form of theft hiding behind layers of convoluted language…

I think you understand the relationship between the bank and the CRA.

Where I think you’re going wrong is in thinking that ‘hospitals’ and ‘the police’ are just simply data silos which don’t do anything with your data.

That’s simply not true. These organisations have commercial agreements with other companies to store, process and interpret your personal data for them. All sorts of commercial companies get legitimate access to your data, for the benefit of you and society. GDPR is the enabling legislation which makes it all work.

As an example, have a read of how the NHS shares your data with other users:

By focussing on CRAs, you’re fundamentally missing the point about how the world functions by processing your ‘personal data’.