Privacy notice and your information

1. We are the data controller of your information (as defined in Section 5 below) collected through your use of the Three Services for the purpose of UK data protection law. We'll only use Your Information in accordance with this notice and applicable UK data protection and privacy laws. Please read all of this notice and feel free to contact us at the address in Section 9 below with any questions.

2. Whenever you provide us with personal information about yourself, you agree that it will be true, complete, and accurate. You must tell us if this information changes.

3. If you provide us with information about another individual or register a device in the name of another individual you must have their agreement to do so or be acting with legal authority.

4. If we reasonably believe that you have supplied us with false or inaccurate information, or if we suspect fraud, we may delay your connection or suspend your access to Three Services until an investigation has been completed to our satisfaction.

5. In order to supply you with Three Services under this agreement, we may process your information. By “your information” we mean personally identifiable information:

(a) That you give us or that we obtain about you as a result of any application or registration for, and use of, Three Services. It may include your name, current and previous address(es), date of birth, phone and fax numbers, gender, email address, employment and lifestyle information, bank and credit or debit card information, and information obtained from credit reference and fraud prevention agencies, marketing organisations and those who provide services to us, and may include information from other countries, and

(b) Acquired and processed about your use of Three Services while you're a customer of Three, including location data, your communications data, dynamic IP addresses, your phone number, the unique code identifying your phone and SIM or eSIM profile, and your account information, including contact history notes.

6. Some of your information may be classified as “sensitive” (such as visual or hearing impairments) and we'll ask your permission if we wish to use or share this information.

7. When you make a call, the calling line identity (“CLI”) of your phone (your Three phone number) will be displayed on the phone of the person you call. If you don't wish your CLI to be displayed and/or transmitted you should check your device user guide or contact Three Customer Services. Your CLI cannot be blocked when calling the emergency services, or when sending a text or MMS.

8. You must keep any passwords and PIN numbers relating to your Three account and Three Services safe and secure. You must not share them with anyone else. If you find or suspect that anyone else knows your passwords or PIN numbers, or can guess them, you must contact us immediately and ask us to change them. This is your responsibility.

9. If you have any questions about this notice or the way in which your information is processed, please contact our Data Protection and Privacy Officer, by writing to Hutchison 3G UK Ltd, 450 Longwater Avenue, Green Park, Reading, Berkshire, RG2 6GF or by sending an email to DPA.Officer@three.co.uk.

10. We may be required to process your information to comply with our legal requirements, to enable us to fulfil the terms of our contract with you or in preparation of us entering into a contract with you. If you do not provide the relevant information to us, we may not be able to provide the service to you.

11. We may receive personal data about you from credit reference agencies, fraud prevention agencies, marketing partners, the electoral register, and other commercial partners who may deliver services to us.

12. Your Information may be used by us, our employees, service providers and disclosed to third parties for the purposes set out below. For each of these purposes, we have set out the legal basis on which we use Your Information.

(a) Credit referencing, identity checks and fraud prevention
i. In order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies (“CRAs”) such as Call Credit, Experian, and Equifax. To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation, and financial history information and fraud prevention information. We will use this information to:

We will continue to exchange information about you with CRAs while you have a relationship with us and until any debts with us are settled. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs. When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

If you are making a joint application or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods, and your data protection rights with the CRAs are explained in more detail in the Credit Reference Agency Information Notice (“CRAIN”). The CRAIN is also accessible from each of the three CRAs – clicking on any of these three links will also take you to the same CRAIN document:

TransUnion;
Equifax;
Experian

We'll use a combination of credit scoring and/or automated decision-making systems when assessing your application.

The legal basis that we rely on to process your information for the above purpose is for performance of a contract between you and us or in order for us to take steps prior to entering into a contract with you or our legitimate business interests in order for us to manage our relationship with you.

ii. We'll also disclose details of your agreement with us, the payments you make under it, account balances, and information about any default, dispute, and debts to CRAs. We'll also disclose details of any change of address reported to us or which we become aware of. Credit searches and the information supplied by us and held by CRAs is used by us and other organisations to help make decisions about other credit applications by you or other members of your household with whom you're linked financially to trace debtors, recover debts, to prevent and detect fraud, and to manage your account. The legal basis that we rely on to process your information for the above purpose is our legitimate business interests in order for us to manage our relationship with you.

iii. We may also check and share your details with fraud prevention agencies such as Action Fraud and CIFAS and we'll record (and pass to the fraud prevention agencies) details of any false or inaccurate information provided by you or where we suspect fraud. Records held by fraud prevention agencies will also be used by us and other organisations to help prevent fraud and money laundering, for example, when checking details on applications for credit or other facilities, managing credit and credit-related accounts or facilities, recovering debt, checking details on proposals and claims for all types of insurance and checking job applications and employees. Those fraud prevention agencies may disclose information to law enforcement agencies where requested and necessary for the investigation of crime. We and other organisations may access and use (from a country other than the UK) the information recorded by fraud prevention agencies. The legal basis that we rely on to process your information for the above purpose is the performance of a contract between you and us or in order for us to take steps prior to entering into a contract with you or our legitimate business interests in order for us to manage our relationship with you.

iv. We may also use and share your details for the collection of any debts owed by you. This may include the use of debt collection agencies to collect debts on our behalf or may include the assignment of debts to a third-party company. The assignment of debts will involve the sale of your debt and account information to a third-party company - this information may include your name, address, and contact information, year of birth, debts owed, payment history, and other information necessary to help recover the debt. The legal basis that we rely on to process your information for the above purpose is legitimate interest in order to manage our relationship with you.

v. We may also pass and share information to other communications service providers, network operators and other appropriate parties for the detection and prevention of theft and fraud. The legal basis that we rely on to process Your Information for the above purpose is legitimate interest in order to manage our relationship with you.

(b) Account and Service Management
i. To process applications, registrations or orders made by you, to create and administer accounts, to calculate and charge for Three Services, to produce any necessary invoices or billing statements, and to provide to Three Customer Services, including for the management of any complaints or queries. The legal basis that we rely on to process your information for the above purpose is for performance of a contract between you and us or in order for us to take steps prior to entering into a contract with you.

ii. To supply any products, services, or information requested by you and/or which we may provide. The legal basis that we rely on to process your information for the above purpose is for performance of a contract between you and us or in order for us to take steps prior to entering into a contract with you.

iii. For traffic and billing management, which may involve the use of your information. We deploy a balance of technical, logical, and security controls to protect the processing of your information on the Three network. The legal basis that we rely on to process your information for the above purpose is legitimate interest and/or to enable us to improve and develop our business operations and services.

iv. To ensure the accuracy and performance of Three Services and to support product development. This may involve the use of your information in a live test environment. The legal basis that we rely on to process your information for the above purpose is legitimate interest and/or to enable us to improve and develop our business operations and services.

v. To update your device remotely “over the air” with software updates and to investigate and resolve any service-related queries made by you. The legal basis that we rely on to process your information for the above purpose is performance of our contract with you.

vi. To process data revealing the geographic location of your device in order to provide location-based services requested by you and which may be provided by Three or by third parties on behalf of Three, or where you request location-based services directly from third parties. We may share your Location Data with the emergency services if you call 999 or 112. This is to help the emergency services more accurately locate you in the event of an emergency where you may not know, or be able to communicate, your location. The legal basis that we rely on to process your information for the above purpose is for performance of contractual obligations between us and you.

vii. We may monitor and record calls and messages between you and Three Customer Services for training and quality purposes. The legal basis that we rely on to process your information for the above purpose is legitimate interest and/or to enable us to improve and develop our business operations and services.

viii. Please be aware that when you call Three Customer Services, your phone number will automatically be presented to Three Customer Services so that we're able to provide you with integrated customer services, and for security purposes. The legal basis that we rely on to process your information for the above purpose is legitimate interest and/or to enable us to improve and develop our business operations and services.

(c) Marketing and keeping you informed
i. To carry out analysis of your information, in order to develop our relationship with you, to develop and personalise Three Services and to present and deliver these to your Device. The legal basis that we rely on to process your information for the above purpose is our legitimate interests and/or your consent.

ii. To keep you informed about Three's services, developments, pricing tariffs, special offers, and any discounts or awards which we believe may be of personal interest to you, or which you may be entitled to.

We may keep you up to date directly to your device, and by post, phone, and by electronic messaging such as phone, text and MMS, email, voice, and audio, subject to any preferences indicated by you.

You can contact us at any time to ask us not to use your location or communications data for marketing purposes or if you would prefer not to receive direct marketing information, or simply to update your preferences by writing to or calling Three Customer Services, by sending an email to DPA.Officer@three.co.uk or by updating your marketing preferences directly from your Device or online using My3.

The legal basis that we rely on to process your information for the above purpose is our legitimate interests and/or your consent.

iii. To tell you about the products and special promotions of carefully selected partners (subject to your preferences) and allow you to receive advertising and marketing information from them but without passing control of your information to the third party concerned. We may also share anonymised or aggregated data with third parties for analysis and insight in relation to the use of the Three network and its services. You can opt out by sending an email to optout.bigdata@three.co.uk. The legal basis that we rely on to process your information for the above purpose is our legitimate interests and/or your consent.

iv. To carry out market research and surveys. The legal basis that we rely on to process your information for the above purpose is our legitimate interests and/or your consent.

v. To carry out activities necessary to the running of our business, including system testing, network monitoring, staff training, quality control, and any legal proceedings. The legal basis that we rely on to process your information for the above purpose is for our legitimate interests in order to conduct and manage our business; for the performance of our contract between you and us; or in connection with legal proceedings (I.e. the establishment, exercise or defence of legal claims).

vi. To carry out any activities or disclosures to comply with any regulatory, government, or legal requirement. The legal basis that we rely on to process your information is because the processing is necessary for compliance with a legal obligation.

vii. We may enter your name, address, and phone number in a publicly available directory enquiry service and directories operated by us or by a licensed third-party operator such as BT, subject to your preferences and only where you have given us permission. The legal basis that we rely on to process your information for the above purpose is your consent.

13. Your information may also be processed by:
(a) our business partners, suppliers and sub-contractors for the performance of any contact we enter into with you, for example we engage third parties to process applications, to carry out surveys, and to provide insurance for your device.

(b) other members of our Group.

(c) other professional advisers (including accountants and lawyers) that assist us in carrying out our business activities.

(d) police and other law enforcement agencies in connection with the prevention and detection of crime.

(e) other external agencies and organisations (including the National Crime Agency) for the purpose of preventing and detecting fraud (including fraudulent transactions), money laundering, and criminal activity; and

(f) third parties if we are under a duty to disclose or share your information in order to comply with any legal obligation or instructions of a regulatory body (including in connection with a court order), or in order to enforce or apply the terms of any agreements we have with or otherwise concerning you (including agreements between you and us) or to protect our rights, property, or safety of our customers, employees or other third parties.

(g) We may also disclose your information to other third parties, for example:

i. in the event that we sell or buy any business or assets we will disclose your information to the prospective seller or buyer of such business or assets.

ii. if we or substantially all of our assets are acquired by a third party (or are subject to a reorganisation within our group), your information held by us will be one of the transferred assets; and

iii. if we are under a duty to disclose or share your information in order to comply with any legal obligation, or in order to enforce or apply the agreements concerning you (including agreements between you and us).

14. The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment.

15. When you apply for a Pay Monthly plan, we will obtain information from one or more CRAs, which will be used in an automated decision process to determine whether we can enter a contract with you. If you wish for the decision to be reassessed by a person, you may do so by emailing credit.checking@three.co.uk or by writing to us at: Three Customer Services, Hutchison 3G UK Ltd, PO Box 333, Glasgow G2 9AG. You can also object to a decision being taken solely by automated processing (see heading Your Rights below).

16. Your personal information will be processed and held mainly on servers located in the United Kingdom (UK) or within the European Economic Area (EEA).

We may transfer your personal data to countries outside the European Economic Area. Where we do so, we’ll ensure that similar standards of protection are afforded to it. This can be done in several different ways, for example:

17. If you’d like any information about international transfers of personal data by us outside the European Economic Area, you can contact us, any time.  

18. We may retain your information for as long as is necessary for the purposes detailed in this notice and until charges for Three Services cannot be lawfully challenged and legal proceedings may no longer be pursued. Generally, we'll keep your communications data for up to one year. Your account information will be kept after your relationship with Three ends to comply with our legal and regulatory obligations.

19. You have certain rights with respect to your information. The rights may only apply in certain circumstances and are subject to certain exemptions. You can find out about the individual rights, when they apply, and how to exercise them on our website.

20. If we change this notice we'll post the amended version on our website so you always know how we'll collect, use, and disclose your information.