The following provides an overview of data protection clauses related to Three’s Business customers (other than Business Broadband, which can be found here). In all instances, customers should review their own contract with Three, however the below provides the standard clause included in Business contracts issued or upgraded on or after 11 November 2022. Previous versions of the Terms and Conditions for business customers, including previous data protection clauses, can be found on our website.
Three and Customer agree that the Customer is an independent Data Controller in respect of any personal data that it processes in relation to its servants or agents. Where Customer provides personal data relating to users to Three, the personal data is transferred on a Controller to Controller basis. The transfer of usage data relating to users by Three to Customer, including itemised bills, is likewise transferred on a Controller to Controller basis.
Three and Customer agree that where Three processes the personal data of end users of telecommunications services it does so as a Controller, and shall process the personal data as set out in its privacy notice.
Three may check and share Customer’s details with fraud prevention agencies such as Action Fraud and CIFAS and will record (and pass to the fraud prevention agencies) details of any false or inaccurate information provided by Customer or where Three suspects fraud. Records held by fraud prevention agencies will also be used by Three and other organisations to help prevent fraud and money laundering, for example, when checking details on applications for credit or other facilities, managing credit, and credit-related accounts or facilities, recovering debt, checking details on proposals and claims for all types of insurance, and checking job applications and employees. Those fraud prevention agencies may disclose information to law enforcement agencies where requested and necessary for the investigation of crime. Three and other organisations may access and use (from a country other than the UK) the information recorded by fraud prevention agencies. The legal basis that Three rely on to process information for the above purpose is the performance of a contract between Customer and Three or in order for Three to take steps prior to entering into a contract with Customer or Three’s legitimate business interests in order for Three to manage the relationship with Customer.
Three’s Privacy Policy sets out how Three collects, shares, and uses Customer’s and user's information in more detail.
If Customer has any questions about this notice or the way in which information is collected, shared, or used, please contact Three’s Data Protection and Privacy Officer, by writing to Hutchison 3G UK Ltd, 450 Longwater Avenue, Green Park, Reading, Berkshire, RG2 6GF or by sending an email to DPA.Officer@three.co.uk.
If Three change this notice, Three will post the amended version on Three’s website so Customer will always know how Three will collect, use, and disclose Customer and user's information.
Customer shall:
Three shall:
- adopting appropriate technical and organisational measures against accidental disclosure, loss or destruction of personal data;
- informing Customer within 72 hours in the event of unauthorised disclosure, loss, or destruction of any personal data processed under this agreement (“Security Incident”) which comes to Three’s attention. Unless required by law or other obligation, Three agrees that it will not communicate with any third party including but not limited to the media, vendors, consumers, and affected individuals regarding any Security Incident without the consent and direction of Customer;
- referring to Customer any requests, notices or other communication from data subjects, supervisory authorities or any
- other law enforcement agency relating to personal data for Customer to resolve;
- ensuring that Three personnel processing personal data under the Agreement are under an obligation of confidentiality;
- at the cost of Customer, making available reasonable information necessary to demonstrate compliance with the data protection clauses of the Terms and Conditions, which shall include, once per calendar year on giving 28 days’ notice, the right for Customer to conduct a reasonable audit of Three to satisfy Customer that Three is in compliance with this section. Where any instances of non-compliance are confirmed, Customer’s sole remedy shall be to request Three to remediate such non-compliance within a reasonable timeframe.
Both parties shall:
Any feedback you have helps us make your experience better.