Privacy Notice

Version 2.1 Adopted: February 2023

This document describes how TDX Group Limited (“TDX”) holds and processes personal data for each of its business functions in the UK.

TDX operates a fully managed debt recovery service, designed for large creditor clients across financial services, retail, energy, water, telco and media sectors, plus local and central government; providing solutions which support them in managing debt collections, recoveries, debt sale and insolvency in order to optimise the recovery of money owed while improving their customer outcomes and experience.

TDX is a so-called “controller” of your personal data. This means that we make decisions about how and why we process your personal data and, because of this, we are responsible for making sure our use of your personal data is in accordance with data protection laws.

TDX Group Limited is regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct debt-collection.

TDX is part of the Equifax group of companies and other Equifax entities may also make available other privacy notices or information notices in relation to specific products or business functions. These will apply in conjunction with this Privacy Notice so please ensure that you review each document, as applicable.

For example, details of how Equifax processes personal data as part of its core credit referencing activities and other products and services, can be found in both the ‘Credit Reference Agency Information Notice’ (CRAIN) and the ‘Equifax Information Notice’ (EIN). Copies of which can be found here:

CRAIN - www.equifax.co.uk/crain

EIN - www.equifax.co.uk/ein

CONTENT OF THIS PRIVACY NOTICE:

  1. How can you contact us?

  2. What kinds of personal data do we use, and where do we get it from?

  3. What do we do with your personal data and why?

  4. Who do we share personal data with and why?

  5. Where in the world is your personal data processed?

  6. How do we safeguard your personal data?

  7. How long do we keep your personal data?

  8. What are your rights in relation to your personal data?

  9. Who can I complain to if I'm unhappy about the use of my personal data?

  10. Changes to this privacy notice.

1. HOW CAN YOU CONTACT US?

We can be contacted by any of the following methods:

Post: TDX Group Ltd, 5th Floor, EastWest, Tollhouse Hill, Nottingham, NG1 5FS
Website:  www.tdxgroup.com
Email: info@tdxgroup.com
Phone: 0115 953 1200

Additionally, TDX Group has a dedicated Data Protection Officer who can be contacted as follows: info@tdxgroup.com.

2. WHAT KIND OF PERSONAL DATA DO WE USE, AND WHERE DO WE GET IT FROM?

DEBT RECOVERIES MANAGEMENT

Category

Type of personal data

Where it's collected from

Debt Account

Information from creation of accounts for line of credit or other financial accounts. Examples of accounts may include utility bills, telecom bills, and others.

  • Name
  • Date of birth (DOB)
  • Address history
  • Outstanding debt balance
  • Payment history

Creditor clients

Credit Reference Agency

Information we obtain from Credit Reference Agencies to assist in the recoveries management process.

Examples may include: 

  • Contact Information (e.g telephone number and email address)
  • Current and previous address information
  • Scores and characteristics in relation to your:
    • Credit status: to understand how you have managed your credit payments in the past
    • Affordability: to understand if you can afford the repayments
    • Insolvency: to understand if you have ever been declared bankrupt, have an IVA or CCJ in place

See the Credit Reference Agency Information Notice (CRAIN) section 2(d) and 3 for full details.

Equifax Limited
Experian Limited
TransUnion Limited

Other Data Providers

Information we obtain from other data providers to assist in the recoveries management process. Examples may include:

  • Name
  • Date of birth (DOB)
  • Contact number
  • Email address
  • Address

GB Group plc

Direct Data Services (DDS) Limited

UK Insolvency Service

Accounts in Bankruptcy for Scotland

Belfast Gazette

The Stationary Office for Northern Ireland

The Insolvency Service under the Department for the Economy in Northern Ireland

 
INSOLVENCY MANAGEMENT

Category

Type of personal data

Where it's collected from

Debt account

Information we obtain from Insolvency Practitioners that is included in the IVAs, such as name, DOB, address, marital status, occupation, reasons for financial difficulty, debt balance, and payment history.

Insolvency Practitioner

Debt Account Verification

Information we obtain from clients related to the debt referenced in the IVA. Examples may include name, address history, outstanding debt balance, and payment history.

  • Name
  • Date of birth (DOB)
  • Address history
  • Outstanding debt balance
  • Payment history

Creditor clients

Other Data Providers

Information we obtain from other data providers to assist in the insolvency management process. Examples may include: name, DOB, gender, and address.

  • Name
  • Date of birth (DOB)
  • Address history
  • Outstanding debt balance
  • Payment history

UK Insolvency Service

 
DEBT SALE

Information type

Description

Source

Debt Account

Information from creation of accounts for line of credit or other financial accounts. Examples of accounts may include: utility bills, telecom bills, and others. Information collected includes account information such as name, DOB, address history, outstanding debt balance, and payment history.

Creditor clients

Credit Reference Agency

Information we obtain from Credit Reference Agencies to assist in the recoveries management process. See the Credit Reference Agency Information Notice (CRAIN) for full details.

Equifax Limited

Other Data Providers

Information we obtain from other data providers to assist in the insolvency management process. Examples may include name, DOB, gender, and address.

UK Insolvency Service

3. WHAT DO WE DO WITH YOUR PERSONAL DATA AND WHY?

We process your personal data for particular purposes in connection with:

  • Debt management and recovery;
  • Insolvency Management;
  • Debt sale;
  • Any other engagements you may have with us; and
  • The management and administration of our business.

We are required by law to always have a ‘lawful basis’ (meaning a reason or justification) for processing your personal data. There are a number of lawful basis set out in data protection law but we consider the following to be most relevant to our processing of your personal data:

  • The processing is necessary to comply with a legal obligation (“Legal Obligation”)
  • The processing is necessary for the purposes of legitimate interests pursued by us or third party, and these are not overridden by your interests or fundamental rights (“Legitimate Interest”)
  • The processing is on the basis of your consent (“Consent”)

The table below sets out the purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.

Purpose of Processing

Consent

Legal Obligation

Legitimate Interest

Debt Recoveries Management

 

TDX helps place and manage any debt owed, through a debt collection agency network.

 

TDX uses various data sets (explained in section 2) to understand a consumer's financial position and to support any future repayment plans.

   

Supporting debtor tracing and debt collections

Insolvency Management

 

TDX provides a service to creditor clients, managing all aspects of personal insolvencies, including bankruptcies and trust deeds, as well as individual voluntary arrangements (IVAs) including a full payment management service.

   

Supporting insolvency management

Debt Sale

 

TDX provides an asset sale brokerage service to help creditor clients use the right data, processes and oversight to help the sale of debt portfolios.

   

Supporting the commercial acquisition process of debt purchase

Data Loading, Matching and Linking

 

Data supplied to TDX is checked for integrity, validity, consistency, quality and age to help make sure it’s fit for purpose. These checks pick up things like irregular dates of birth, names, addresses, account start and default dates, and gaps in status history.

 

Data supplied to TDX is matched to existing databases to help make sure it’s assigned to the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. Where permitted, TDX uses the personal data individuals have provided to its clients, together with data from other sources to create and confirm identities, which are used to underpin the services TDX provide.

 

As TDX compiles data into its databases, links are created between different pieces of data. For example, individuals who appear financially associated with each other may be linked together, and addresses where someone has previously lived can be linked to each other and to that person’s current address.

   

We have a regulatory responsibility to ensure that data is accurate 

Data may be used to help support the development and testing of new products and technologies.

   

Using your Contact Information to respond to your enquiries and/or complaints

   

(it is in our mutual interest to respond)

Using any relevant personal data to establish and enforce our legal rights or to comply with a court order, law enforcement requirement (or other legally mandated request) or legal obligation

 

 

Using any relevant personal data required to hold or share your personal data in compliance with FCA regulations and permissions

 

 

Using any relevant personal data in relation to the managing the proposed or actual sale, restructuring or merging of any or all part(s)of our business

 

 

(we have legitimate interest in being able to sell or restructure our business and maintain continuity for us or a buyer)

Through our marketing and support activities, we may communicate with you where you have consented for us to do so using the information you provide to us through this website by sending you bulletins updates and invites which may be relevant and useful to you.

 

You have the opportunity to opt-in to and opt-out of these communications. Please see the section ‘WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA’ below.

 

(where consent is legally required)

   

We may also convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable (thereby creating anonymized data). Anonymized data is not personal data and we may use such data to conduct research and analysis, including to produce statistical research and reports. For example, to help us understand and improve our products and services.

4. WHO DOES TDX GROUP SHARE PERSONAL DATA WITH?

This section describes the types of recipient TDX Group share data with. We operate our own access control processes.  For example, before we share data with any another organisation, we check that organisation’s identity and, where applicable, to confirm where it is registered with regulators.

The details of organisations who TDX Group currently share personal with can be found here:

  • Credit Reference Agencies and other data providers: TDX Group shares debt account information with Credit References Agencies and other data providers to validate and append additional information related to an individual’s debt account.

  • Creditor Clients: TDX Group works with creditors in order to validate outstanding debt to ensure the debt amount owed is proper.

  • Insolvency Practitioners and Trustees: TDX Group receives requests from Insolvency Practitioners and Trustees to assist consumers in managing debt. Through your authorization, TDX Group works with these entities to help consumers eliminate debt.

  • Debt purchasers: TDX Group helps clients understand how to best manage debt portfolios and facilitates the sale of these portfolios.

  • Public bodies, law enforcement and regulators
    The police and other law enforcement agencies, as well as public bodies like local and central authorities and TDX Group’s regulators, can sometimes request us to supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax, investigating complaints or assessing how well a particular industry sector is working.
  • Processors: TDX Group uses other organisations to perform tasks on its behalf (for example, IT service providers and call centre providers).  Many of these services are provided by companies within the Equifax group of companies, of which TDX Group is a part.. Examples include:​
    • Debt Collection Agencies (DCAs): TDX Group works with other agencies in order to engage consumers and facilitate the repayment of debt. All these agencies operate and retain data within the UK.

TDX Group uses other trusted organisations to perform tasks on its behalf for the following services:

Service Category

Country(s) of Operation
(See section 6. for more information on TDX Group overseas processing)

IT  infrastructure and operations software support

UK & India

IT back office business process software support

India

IT back office helpdesk service support

India

IT service management support

US

Telephone support services

UK

Printing and mailing house services

UK

Marketing communication services

UK

Confidential Waste Services

UK

 
Many of these services are provided by companies within the Equifax group of companies: 

Equifax Group Company Details

Country(s) of Operation
(See section 6. for more information on TDX Group overseas processing)

Description of Service

Equifax Inc.

US

Administrative support, IT and Security back office software support, software development and cloud disaster recovery

 
In addition to the above, Equifax has service arrangements in place with auditors, consulting and professional service providers. A full list of these parties is available on request.

Individuals
People are entitled to obtain copies of the personal data TDX Group holds about them. You can find out how to do this in Section 8 below.

5. WHERE IS PERSONAL DATA STORED AND SENT?

TDX Group is based in the UK, and keep their main databases there. All information and personal data held by TDX Group is stored on encrypted services at a secure physical location (whether these be our own servers or those of cloud service providers that we use). TDX Group also has internal policies and controls in place to ensure that personal data is kept secure as well as to minimise the risk of any personal data being lost, misused, disclosed or accidently destroyed.

TDX Group also has operations elsewhere inside and outside the European Economic Area, and personal data may be accessed by or transferred to TDX Group companies or service providers. In both cases, the personal data use in those locations is protected by European data protection standards.

Details of the main processors TDX Group use and where they operate can be found above in Section 4.

While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when TDX Group does send personal data overseas we will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. To do this TDX Group:

  • ensures third parties have entered into contractual duty of confidentiality with TDX Group;

  • third parties are obliged to implement appropriate technical and organisational measures to ensure the security of personal data;

  • put in place a contract with the recipient containing mandatory terms approved by the European Commission  as providing a suitable level of protection for personal data. These are commonly referred to as Standard Contractual Clauses or ‘EU Model Clauses’.

6.HOW DO WE SAFEGUARD YOUR PERSONAL DATA ?

TDX is committed to protecting the security of your personal data and implementing appropriate technical and organisational measures taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of you, as an individual.

7. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We will only retain your personal data for a limited period of time and for no longer than is necessary for the purposes for which we are processing it.

For example, we will typically retain personal data in relation to consumer services customers, for so long as they receive those services and for a period of up to 6 years following closure of a debt account.

In some cases, it may be necessary for us to retain your personal data for different periods. The factors that direct how long we will retain personal data include the following:

  • any laws or regulations that we are required to follow;
  • whether we are in a legal or other type of dispute with each other or any third party
  • the type of infomration held about you; and
  • whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.

For more information regarding our retention periods, please contact us.

Archived data

TDX holds data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence or legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.

8. WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA?

Data protection law provides you with a number of rights in relation to your personal data (which are summarized below). You can exercise these rights by contacting – please see the section ‘HOW CAN YOU CONTACT US’ above.

Subject to the requirements of applicable laws and certain limitations or exemption, you have the right to:

  • access your personal data and be provided with certain information in relation to it, such as the purpose for which it is processed;

  • require us to correct any inaccuracies in your personal data without undue delay;
  • require us to erase your personal data (please be aware that the right of erasure under data protection law is not an absolute right as it only applies in relation to one or more specific circumstances);
  • require us to restrict the processing of your personal data;
  • receive the personal data which you have provided to us in a machine readable format, where we are processing it on the basis consent or to comply with a contract with you (please see the above tables) and such processing is automated; and
  • object to a decision that we make which is based solely on automated processing of your personal data.

WHAT CAN I DO IF I WANT TO SEE THE PERSONAL DATA HELD ABOUT ME? 

You are entitled to see the personal data TDX holds on you free of charge.  In instances where you request a copy of your information from us, if we are processing on behalf of a client we will identify the affected organisation(s) and will forward the request to them on your behalf.

To submit a subject access request on personal data we hold on you when we are the data controller, please contact us at DSAR@tdxgroup.com.

If you require a copy of your personal data in a format such as braille or audio, please use one of the contact channels detailed in Section 1 above to make your request.

WHAT CAN I DO IF MY PERSONAL DATA IS INACCURATE?

When TDX receives personal data, we perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, we can often only rely on our suppliers to provide accurate data.

If you think that any personal data TDX holds about you is wrong or incomplete, you have the right to challenge it. Please note, when acting as a data processor TDX won’t have the right to change the data without permission from the organisation that supplied it, so we will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy.

If you’d like to do this, please use one of the contact channels detailed in Section 1 above.

CAN I OBJECT TO TDX USE OF MY PERSONAL DATA AND HAVE IT DELETED?

  • DEBT RECOVERIES MANAGEMENT/DEBT SALE

This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be deleted, in connection with the above activities. To understand these rights and how they apply to the processing of personal data, it’s important to know that the TDX holds and process personal information for the above activities under the Legitimate Interests ground for processing (see Section 3 above for more information about this), and doesn’t rely on consent for this processing.

You have the right to submit an objection about the processing of your personal data to TDX where it is a data controller. If you want to do this, please use one of the contact channels detailed in Section 1 above.

Whilst you have complete freedom to contact TDX with your objection at any time, please note that under the General Data Protection Regulation (“GDPR”), your right to object doesn’t automatically lead to a requirement for processing to stop, or for personal data to be deleted, in all cases.

  • MARKETING ACTIVITIES

You also have the right at any time to unsubscribe from any direct marketing activity undertaken by TDX.

How to withdraw Marketing Consent(s)/Unsubscribe from Marketing Activity

You may withdraw your consent for your personal data to be used for further marketing activity at any time, either by selecting to unsubscribe directly within marketing communications you receive from TDX, or by contacting us using the details provided in Section 1.

DOES TDX MAKE DECISIONS ABOUT ME OR PROFILE ME?

  • Scores/Profiling

TDX uses automated scoring and profiling to better understand you as a consumer, your circumstances, and your financial position, including what might impact your ability to pay off debt.

Scoring and profiling is based on a multitude of factors including your payment history, location, any barriers to debt repayment, and reasons why your account is in default.

  • Debt Collecting Decisions

In relation to scoring and profiling, automated decisions will be made in consultation with our clients regarding how best to engage with you. These decisions inform which agency would be the best fit for you, if any, based on your current situation. We also consider the best method of communication with you, what type of contact should be made, and how frequently.

To submit a request for more information on our scoring and profiling or debt collection decisions, please contact us at DSAR@tdxgroup.com.

DO I HAVE A ‘PORTABILITY RIGHT’ IN CONNECTION WITH MY TDX DATA?

New data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it’s processed on certain grounds, such as consent. This is not a right that will apply to TDX data because this data is processed on the grounds of Legitimate Interests. To find out more about Legitimate Interests please go to Section 3 above.

CAN I RESTRICT WHAT TDX DOES WITH MY PERSONAL DATA?

In some circumstances, you can ask TDX to restrict how they use your personal data. Your rights are set out at Article 18 of the GDPR. You can find the contact details for TDX in section 1 above.

This is not an absolute right, and your personal data may still be processed where certain grounds exist. This is:

  • With your consent;
  • For the establishment, exercise, or defence of legal claims;
  • For the protection of the rights of another natural or legal person;
  • For reasons of important public interest.

Only one of these grounds needs to be demonstrated to continue data processing.

TDX  will consider and respond to requests we receive, including assessing the applicability of these exemptions.

9. WHO CAN I COMPLAIN TO IF I’M UNHAPPY ABOUT THE USE OF MY PERSONAL DATA?

TDX Group tries to ensure they deliver the best customer service levels but if you’re not happy you should contact us so they can investigate your concerns.

TDX Group contact details for consumer complaints:
Post: TDX Group Ltd, 5th Floor, EastWest, Tollhouse Hill, Nottingham, NG1 5FS
Web Address:  www.tdxgroup.com
Email: consumercomplaints@tdxgroup.com
Phone:  0115 953 1200


If you’re unhappy with how TDX Group has investigated your complaint, you have the right to refer it to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like TDX Group. You can contact them by:

  1. Phone on 0300 123 9123 (or from outside the UK on +44 20 7964 1000) or 0800 023 4567

  2. Email on complaint.info@financial-ombudsman.org.uk

  3. Writing to Financial Ombudsman Service, Exchange Tower London E14 9SR

  4. Going to their website at www.financial-ombudsman.org.uk

You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:

  1. Phone on 0303 123 1113

  2. Email at casework@ico.org.uk (you need to add a subject line of 'Report a Concern')

  3. Writing to them at First Contact Team, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

  4. Going to their  website at www.ico.org.uk

10. CHANGES TO THIS PRIVACY NOTICE

TDX may change this online privacy notice in the future.  If we make changes to this online privacy notice, it will post the revised privacy notice and its effective date on this Website.