Three Business customers

The following provides an overview of data protection clauses related to Three’s Business customers (other than Business Broadband, which can be found here). In all instances, customers should review their own contract with Three, however the below provides the standard clause included in Business contracts issued or upgraded on or after 11 November 2022. Previous versions of the Terms and Conditions for business customers, including previous data protection clauses, can be found on our website.

Data protection

Three and Customer agree that the Customer is an independent Data Controller in respect of any personal data that it processes in relation to its servants or agents. Where Customer provides personal data relating to users to Three, the personal data is transferred on a Controller to Controller basis. The transfer of usage data relating to users by Three to Customer, including itemised bills, is likewise transferred on a Controller to Controller basis.

Three and Customer agree that where Three processes the personal data of end users of telecommunications services it does so as a Controller, and shall process the personal data as set out in its privacy notice.

Three may check and share Customer’s details with fraud prevention agencies such as Action Fraud and CIFAS and will record (and pass to the fraud prevention agencies) details of any false or inaccurate information provided by Customer or where Three suspects fraud. Records held by fraud prevention agencies will also be used by Three and other organisations to help prevent fraud and money laundering, for example, when checking details on applications for credit or other facilities, managing credit, and credit-related accounts or facilities, recovering debt, checking details on proposals and claims for all types of insurance, and checking job applications and employees. Those fraud prevention agencies may disclose information to law enforcement agencies where requested and necessary for the investigation of crime. Three and other organisations may access and use (from a country other than the UK) the information recorded by fraud prevention agencies. The legal basis that Three rely on to process information for the above purpose is the performance of a contract between Customer and Three or in order for Three to take steps prior to entering into a contract with Customer or Three’s legitimate business interests in order for Three to manage the relationship with Customer.

Three’s Privacy Policy sets out how Three collects, shares, and uses Customer’s and user's information in more detail.

If Customer has any questions about this notice or the way in which information is collected, shared, or used, please contact Three’s Data Protection and Privacy Officer, by writing to Hutchison 3G UK Ltd, 450 Longwater Avenue, Green Park, Reading, Berkshire, RG2 6GF or by sending an email to

If Three change this notice, Three will post the amended version on Three’s website so Customer will always know how Three will collect, use, and disclose Customer and user's information.

Customer’s obligations

Customer shall:

  • comply with its lawful obligations under the applicable data protection laws and ensure there is a lawful basis to process any Personal Data relating to Users;
  • comply with its lawful obligation to inform users, of the transfer of their personal data to Three;
  • ensure it has sufficient policies in place, which users have been made aware of, regarding users’ permitted use of the Three services provided under this agreement; and
  • assist Three, where required, in providing such information as it may reasonably require to allow it to comply with rights of data subjects, (including information, subject access, rectification or erasure, restriction of processing, data portability, and the right to object to automated individual decision-making, including profiling).

Three’s obligations

Three shall:

  • process personal data provided under this agreement, in a way that is compatible with providing the Three services under this Agreement the;
  • implement appropriate technical and organisational measures to protect the personal data processed in order to give effect to this agreement;
  • depending on the Three services provided to Customer, Three may be required in order to provide the Three services, to process certain personal data on Customer’s behalf. Where Three is required to act as a processor, by Customer, Three shall only process personal data in accordance with the reasonable written instructions of Customer (this agreement shall constitute a written instruction by Customer to Three to carry out such processing of personal data, as is required in order to provide the Three services specified in this agreement) and in accordance with applicable data protection laws, including in particular:

- adopting appropriate technical and organisational measures against accidental disclosure, loss or destruction of personal data;

- informing Customer within 72 hours in the event of unauthorised disclosure, loss, or destruction of any personal data processed under this agreement (“Security Incident”) which comes to Three’s attention. Unless required by law or other obligation, Three agrees that it will not communicate with any third party including but not limited to the media, vendors, consumers, and affected individuals regarding any Security Incident without the consent and direction of Customer; 

- referring to Customer any requests, notices or other communication from data subjects, supervisory authorities or any 

- other law enforcement agency relating to personal data for Customer to resolve; 

- ensuring that Three personnel processing personal data under the Agreement are under an obligation of confidentiality; 

- at the cost of Customer, making available reasonable information necessary to demonstrate compliance with the data protection clauses of the Terms and Conditions, which shall include, once per calendar year on giving 28 days’ notice, the right for Customer to conduct a reasonable audit of Three to satisfy Customer that Three is in compliance with this section. Where any instances of non-compliance are confirmed, Customer’s sole remedy shall be to request Three to remediate such non-compliance within a reasonable timeframe.

  • where requested to do so in writing, and at the cost of Customer, making available such information and assistance as are reasonably necessary to Customer to comply with its obligations to:
- respond to requests for exercising the data subject’s rights;
- report personal data breaches; and 
- conduct data protection impact assessments and prior consultation with supervisory authorities.
  • transfer personal data to third party sub-contractors (including group companies) to whom disclosure is reasonably necessary in order for Three to provide the Three Services, including the transfer of personal data to such sub-contractors based outside the European Economic Area, only where adequate safeguards are put in place by Three or such sub-contractors to protect such personal data as required under applicable data protection laws. Customer hereby provides its general authorisation to such transfers; and
  • without prejudice to any other provision of this agreement relating to termination, on termination of this Agreement, on written instructions from Customer and at its cost, either deleting or returning all personal data processed as part of the agreement to Customer unless Three is subject to an overriding legal, regulatory, or other requirement to retain such personal data.

Both parties’ obligations

Both parties shall:

  • deal promptly and in good faith with all reasonable and relevant enquiries from the other party relating to its processing of personal data in connection with this Agreement;
  • if it receives any complaint, notice or communication from a supervisory authority which relates to the processing of personal data in connection with this agreement or a potential failure to comply with applicable data protection laws, promptly (and in any event within 24 hours) forward such complaint, notice or communication to the other party and provide the other party with reasonable cooperation and assistance in relation to the same, unless restricted by law from doing so.

Did you find this page useful?

Any feedback you have helps us make your experience better.