The following provides an overview of data protection clauses related to Three’s Business Broadband customers. In all instances, customers should review their own contracts with Three; however, the text below is the standard clause included in Business Broadband contracts issued or upgraded on or after 23 September 2022. Previous versions of the Terms and Conditions for Business Broadband, including previous data protection clauses, can be found on our website.
Three and Customer agree that the Customer is an independent Data Controller in respect of any personal data that it processes in relation to its servants or agents. Where Customer provides personal data relating to users to Three, the personal data is transferred on a Controller to Controller basis. The transfer of usage data relating to users by Three to Customer, including itemised bills, is likewise transferred on a Controller to Controller basis.
Three and Customer agree that where Three processes the personal data of end users of telecommunications services it does so as a Controller, and shall process the personal data as set out in its privacy notice.
Three may check and share Customer’s details with fraud prevention agencies such as Action Fraud and CIFAS and will record (and pass to the fraud prevention agencies) details of any false or inaccurate information provided by Customer or where Three suspects fraud as further described in Three’s privacy notice.
Customer shall:
Three shall:
- adopting appropriate technical and organisational measures against accidental disclosure, loss or destruction of personal data;
- informing Customer within 72 hours in the event of unauthorised disclosure, loss or destruction of any personal data processed under this agreement (“security incident”) which comes to Three’s attention. Unless required by law or other obligation, Three agrees that it will not communicate with any third party including but not limited to the media, vendors, consumers, and affected individuals regarding any security incident without the consent and direction of Customer;
- referring to Customer any requests, notices or other communication from data subjects, supervisory authorities, or any other law enforcement agency relating to personal data for Customer to resolve;
- ensuring that Three personnel processing personal data under the agreement are under an obligation of confidentiality;
- at the cost of Customer, making available reasonable information necessary to demonstrate compliance with this Section 16, which shall include, once per calendar year on giving 28 days’ notice, the right for Customer to conduct a reasonable audit of Three to satisfy Customer that Three is in compliance with this Section 16. Where any instances of non-compliance are confirmed, Customer’s sole remedy shall be to request Three to remediate such non-compliance within a reasonable timeframe.
Both parties shall: