Three Business Broadband

The following provides an overview of data protection clauses related to Three’s Business Broadband customers. In all instances, customers should review their own contracts with Three, however the below provides the standard clause included in Business Broadband contracts issued or upgraded on or after 23 September 2022. Previous versions of the Terms and Conditions for Business Broadband, including previous data protection clauses, can be found on our website.

Data protection

Three and Customer agree that the Customer is an independent Data Controller in respect of any personal data that it processes in relation to its servants or agents. Where Customer provides personal data relating to users to Three, the personal data is transferred on a Controller to Controller basis. The transfer of usage data relating to users by Three to Customer, including itemised bills, is likewise transferred on a Controller to Controller basis.

Three and Customer agree that where Three processes the personal data of end users of telecommunications services it does so as a Controller, and shall process the personal data as set out in its privacy notice.

Three may check and share Customer’s details with fraud prevention agencies such as Action Fraud and CIFAS and will record (and pass to the fraud prevention agencies) details of any false or inaccurate information provided by Customer or where Three suspects fraud as further described in Three’s privacy notice.

Customer’s obligations

Customer shall:

  • comply with its lawful obligations under the applicable data protection laws and ensure there is a lawful basis to process any personal data relating to users;
  • comply with its lawful obligation to inform users, of the transfer of their personal data to Three;
  • ensure it has sufficient policies in place, which users have been made aware of, regarding users’ permitted use of the Three Services provided under this agreement; and
  • assist Three, where required, in providing such information as it may reasonably require to allow it to comply with rights of data subjects (including information, subject access, rectification or erasure, restriction of processing, data portability and the right to object to automated individual decision-making, including profiling).

Three’s obligations

Three shall:

  • process personal data provided under this agreement, in a way that is compatible with providing the Three Services under this agreement;
  • implement appropriate technical and organisational measures to protect the personal data processed in order to give effect to this agreement;
  • depending on the Three Services provided to Customer, Three may be required in order to provide the Three Services, to process certain personal data on Customer’s behalf. Where Three is required to act as a Processor, by Customer, Three shall only process personal data in accordance with the reasonable written instructions of Customer (this agreement shall constitute a written instruction by Customer to Three to carry out such processing of personal data as is required in order to provide the Three Services specified in this agreement) and in accordance with applicable data protection laws, including in particular:

- adopting appropriate technical and organisational measures against accidental disclosure, loss or destruction of personal data;

- informing Customer within 72 hours in the event of unauthorised disclosure, loss or destruction of any personal data processed under this agreement (“security incident”) which comes to Three’s attention. Unless required by law or other obligation, Three agrees that it will not communicate with any third party including but not limited to the media, vendors, consumers, and affected individuals regarding any security incident without the consent and direction of Customer; 

- referring to Customer any requests, notices or other communication from data subjects, supervisory authorities, or any other law enforcement agency relating to personal data for Customer to resolve; 

- ensuring that Three personnel processing personal data under the agreement are under an obligation of confidentiality; 

- at the cost of Customer, making available reasonable information necessary to demonstrate compliance with this Section 16, which shall include, once per calendar year on giving 28 days’ notice, the right for Customer to conduct a reasonable audit of Three to satisfy Customer that Three is in compliance with this Section 16. Where any instances of non-compliance are confirmed, Customer’s sole remedy shall be to request Three to remediate such non-compliance within a reasonable timeframe.

  • where requested to do so in writing, and at the cost of Customer, making available such information and assistance as are reasonably necessary to Customer to comply with its obligations to:
- respond to requests for exercising the data subject’s rights;
- report personal data breaches; and 
- conduct data protection impact assessments and prior consultation with supervisory authorities.
  • transfer personal data to third party sub-contractors (including Group companies) to whom disclosure is reasonably necessary in order for Three to provide the Three services, including the transfer of personal data to such sub-contractors based outside the European Economic Area, only where adequate safeguards are put in place by Three or such sub-contractors to protect such personal data as required under applicable data protection laws. Customer hereby provides its general authorisation to such transfers; and
  • without prejudice to any other provision of this agreement relating to termination, on termination of this agreement, on written instructions from Customer and at its cost, either deleting or returning all personal data processed as part of the agreement to Customer unless Three is subject to an overriding legal, regulatory or other requirement to retain such personal data.

Both parties’ obligations

Both parties shall:

  • deal promptly and in good faith with all reasonable and relevant enquiries from the other party relating to its processing of personal data in connection with this agreement;
  • if it receives any complaint, notice, or communication from a supervisory authority which relates to the processing of personal data in connection with this agreement or a potential failure to comply with applicable data protection laws, promptly (and in any event within 24 hours) forward such complaint, notice, or communication to the other party and provide the other party with reasonable cooperation and assistance in relation to the same, unless restricted by law from doing so.

Did you find this page useful?

Any feedback you have helps us make your experience better.