Three Ireland (Hutchison) Limited Privacy Notice.

About this Privacy Notice

This Privacy Notice tells you what personal data is processed by Three in relation to you, the purposes for which it is processed and the manner and duration of the processing. This information is provided in fulfilment of Three’s duty to process data in a manner which is fair, lawful and transparent, and to provide information relating to the processing at the time of collection of that data. You should read this Privacy Notice prior to providing any personal to Three and refer to it at any time should you have queries regarding the use of your personal data.

About Data Protection

Three processes personal data in accordance with the requirements of Data Protection law. This law includes the Irish Data Protection Acts and the EU General Data Protection Regulation (“GDPR”).

Under Data Protection law, you are the “Data Subject” in respect of any personal data relating to you. “Personal Data” is any information which relates to an identifiable natural person. It does not include information relating to a company or other legal entity.

Depending on whether you are a customer of Three Ireland (Hutchison) Limited, or Three Ireland Services (Hutchison) Limited (formerly O2), one or both of those companies is the “Data Controller” in respect of this data. This Privacy Notice applies to both companies, and collectively refers them as “Three”.

Three may engage third parties (other than its own employees) to provide services to it. Any of those third parties who process personal data on our behalf is a “Data Processor”.

“Processing” means any action performed on personal data, including collection, storage, copying, consulting, disclosure or destruction.

“Legal Basis” Data Controllers may not process personal data except on one of a limited number of legal bases. One of these bases is consent. Where consent is the legal basis, Three is required to stop processing the data if you withdraw your consent. However, other legal bases are relied on by Three, meaning that we can continue to process your personal data for as long as that legal basis remains valid. For example, where we process your data in order to perform our contract with you, we are permitted to continue to process it for as long as you remain our customer and for a reasonable period thereafter.

Three has a Data Protection Officer, who is contactable at

The Data Protection Officer,
Three Ireland 28/29 Sir John Rogerson’s Quay,
Dublin 2

Alternatively, email

How We Process Your Data

  1. Your name, address and date of birth

Purpose of Processing

To identify you so that we can administer your account.

Legal Basis of Processing

In order to perform our contract with you.

Duration of Processing

For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account.

  1. Contact details including alternative telephone number(s) and email address

Purpose of Processing

To contact you in relation to your account.

Legal Basis of Processing

In order to perform our contract with you.

Duration of Processing

For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account.

  1. Bank and Credit Card information

Purpose of Processing

To process payment for services provided to you.

Legal Basis of Processing

In order to perform our contract with you.

Duration of Processing

For as long as you remain a customer, plus 13 months to allow for investigation of disputed transactions.

  1. Billing information

Purpose of Processing

To calculate and issue charges for services provided to you.

Legal Basis of Processing

In order to perform our contract with you.

Duration of Processing

For current financial year, plus six years, as required under tax law.

  1. Call Traffic Records

Certain data is generated by your activity on our network. This includes the time and duration of your phone calls, the number to or from which the calls were made, your geographical location on the network, and details of your device.

Purpose of Processing

  1. For connection of calls, calculation of billing and interconnector charges, traffic management, fraud investigation, network troubleshooting.
  2. With your consent, for direct marketing and the provision of value added services.
  3. This data is also retained and may be disclosed in accordance with the Communications (Retention of Data) Act, 2011

Legal Basis of Processing

  1. In order to perform our contract with you
  2. On consent
  3. To comply with a legal obligation

Duration of Processing

For two years, as required by law.

  1. Credit Referencing, Identity Checks, Payment Default and Fraud Prevention

On applying to open an account with you, we request information about your current and former addresses and your employment, for credit scoring purposes. For fraud prevention purposes, we also request copies of certain documents in order to verify your identity and address.

If a Bill Pay account customer, we will make searches about you at credit reference agencies who will supply us with credit information, as well as information from the Electoral Register, to help us to decide whether to accept your application or future applications, and to verify your identity. The agency will record details of our search and your application whether you are accepted or not.

We will use credit scoring systems when assessing your application. This information may be used for debt tracing.

If a Bill Pay customer, we will also disclose details of your agreement with us, the payments you make under it, account balances and information about any default, dispute, and debts to credit reference agencies. We will also disclose details of any change of address reported to us or of which we become aware.

Credit searches and the information supplied by us and held by credit reference agencies is used by us and other organisations to help make decisions about other credit applications by you or other members of your household with whom you are linked financially to trace debtors, recover debts, to prevent and detect fraud and to manage your account.

Where we deem it appropriate, we may also check and share your details with fraud prevention agencies who will record details of any false or inaccurate information provided by you or where we suspect fraud (whether a Bill Pay or Prepay Customer). Records held by fraud prevention agencies will also be used by other organisations to help them prevent fraud against you and other organisations who make decisions on motor, household, credit, life and other insurance proposals and insurance claims for you and members of your household and to help prevent money laundering where applicable. Those fraud prevention agencies may disclose information to law enforcement agencies where requested and necessary for the investigation of crime.

We may also use and share your details for the collection of any debts owed on your account. This may include the use of debt collection agencies to collect debts on our behalf or may include the assignment of debts to a third party company. The assignment of debts will involve the sale of your account information to a third party company – this information may include your name, address and contact data, year of birth, debts owed, payment history and other information necessary to help recover the debt.

We may also pass and share information to other communications service providers and network operators for the detection, identification and prevention of payment default, theft and fraud.

If a Bill Pay customer, if you allow your account to fall into arrears by not paying your bills in full and on time, information on your payment performance may be shared with other providers of landline, broadband and mobile services through the provision of the information to a database operated by the service providers called Credit Insights.

Other providers of services who also supply information on payment performance of their customers to the Credit Insights database may check this information when you apply for their services in the future to help them assess your creditworthiness.

The information shared with Credit Insights includes name, address, date of birth and account details and will be held on the database for 6 years from the date it was shared with Credit Insights.

Purpose of Processing

Credit Referencing, Identity Checks, Payment Default and Fraud Prevention

Legal Basis of Processing

Legitimate Interest

Duration of Processing

Credit scoring information is held for three years. Fraud Information is held for four Years. Copies of proofs of residence and identity are held for a maximum of six months Credit Insights data is held for six years.

  1. Your Interactions with us

When you interact with our customer care channels, records of these interactions will be held by us in order to administer your account. Where you interact with us via social media, our Social Media policy will apply. Calls to our call centre will be recorded.

Purpose of Processing

To administer your account and provide customer care to you

Legal Basis of Processing

In order to perform our contract with you

Duration of Processing

For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account. Call recordings are held for a maximum of 13 months. Webchat transcripts are held for a maximum of 13 months.

  1. CCTV

Our stores, data centres and headquarters buildings have CCTV in operation.

Purpose of Processing

The security of our staff, premises and property

Legal Basis of Processing

Legitimate Interest

Duration of Processing

CCTV footage is routinely held for 30 days, unless preserved for a particular purpose

  1. Website

We collect certain data from users and visitors to our website. For more details, see our Website Privacy Policy and Cookies Policy

  1. Other Services

If you sign up to services such as 3Extra or 3Plus, we may process certain data relating to you for direct marketing purposes and in order to provide value added services to you. This processing is done only with your consent, and subject to the Privacy Policies of these services. (Available here and here)

Purpose of Processing

To provide direct marketing and value added services to you.

Legal Basis of Processing


Duration of Processing

For as long as you remain a customer, or until you withdraw your consent by opting out.

  1. Direct Marketing

We may process the above data or data relating to your usage of our services to carry out analysis of your information:

  • to develop our relationship with you, to develop and personalise Three Services and to present and deliver these to your Device.
  • to keep you informed about Three’s services, developments, pricing tariffs, special offers, and any discounts or awards which we believe may be of personal interest to you, or which you may be entitled to.

We may keep you up to date (including by automated means) directly to your Mobile or other contact number, by post, email, telephone, by electronic messaging such as mobile text, digital, online and picture message, and voicemail subject to any preferences indicated by you.

If you do not wish to receive direct marketing information you should contact Customer Services by logging onto, using our LiveChat Service at, from our Contact Us Form or by using the “opt-out” means provided for in our marketing communications to you. Please note that where you opt out of all marketing from Three you will still receive service communications from Three (for example, billing communications).

Purpose of Processing

Marketing, including Direct Marketing

Legal Basis of Processing

Legitimate Interest

Duration of Processing

For as long as you remain a customer, or until you opt out.

  1. Premium Services

Where you wish to avail of a Premium Service via your mobile phone, the Premium Service Provider (PSP) will require your mobile phone number and confirmation of which Telecommunications Provider you are with in order to bill you for the service. PSPs generally obtain this information by either; a) Asking you to enter it into an online form or b) Asking you for your consent to obtain the number via a URL on your handset. This is a process whereby once you click on a URL it generates a request to Three to send that PSP your number and confirmation that Three are your telecommunications provider. The PSP is responsible for providing you with all information necessary to ensure this process is transparent, prior to you availing of their service.

  1. Other Processing

We may process the above data or data relating to your usage of our services:

  • to carry out activities necessary to the running of our business, including system testing, network monitoring, staff training, quality control and any legal proceedings.
  • to carry out any activities or disclosures to comply with any regulatory, government or legal requirement or on foot of a binding request (e.g. Court Order)

Where you have given us permission we will include your name, address and telephone number in our directory enquiry list and the National Directory Database (NDD) currently hosted by Eircom (as nominated by the Commission for Communications Regulation (ComReg)).

  1. Automated Decision-Making

Three does not make any decisions producing legal effects concerning you or similarly significantly affecting you which are based solely on automated processing, including profiling. In the event that Three introduces such Automated Decision-Making, we will include it in this Privacy Notice, and will implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention by Three, to express your point of view and to contest the decision.

Disclosure of Your Data to Others

Data Processors

Three uses service providers to assist in providing services to you, and some of these process your personal data on our behalf. These Data Processors provide a range of services to Three, including deliveries, cloud computing, data storage, document shredding, outsourced IT services, outsourced customer services, repairs of hardware, franchise store operators, security providers, consultants and professional advisors.

Where we use Data Processors, we require them by contract to only process data in accordance with our instructions.

Some of these Data Processors are based outside the European Economic Area (the ‘EEA’) which consists of the European Union Member States together with Iceland, Liechtenstein and Norway. When we transfer to or allow access to personal data from such countries, we adopt measures to carry out these transfers in accordance with applicable data protection law.

Legal Disclosure

Under the Communications (Retention of Data) Act, 2011, Three is obliged to disclose telecommunications data for the purpose of complying with a disclosure request for the prevention, detection, investigation or prosecution of a serious or revenue offence, for the safeguarding of the security of the State or for the saving of human life; in accordance with a court order; or as may be authorised by the Data Protection Commissioner.

Other Personal Data may be disclosed where required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid. In such cases, we will not disclose your data without first taking into account your fundamental right to Data Protection.

Connecting Calls

When you make a call, the calling line identity (CLI) of your Mobile (your mobile number) will be displayed on the Mobile of the person you call. If you do not wish your CLI to be displayed and/or transmitted you should consult your user guide or contact Customer Services. Your CLI cannot be blocked when calling the emergency services, or when sending a text, picture, or video message.

When you make a call, it is necessary to make certain meta data relating to that call available to other networks, including foreign networks when you are roaming or making an international call.

Account Security

Three endeavours to ensure that your personal data is kept safe and secure, as required under Data Protection law. However, If third parties, whether known to you or otherwise, have enough information about you, it may possible for them to successfully impersonate you. Three is not liable for any loss, direct or indirect, which you may incur as a result of a third party accessing your account by obtaining your passwords or other verifying information from yourself of other sources. Advice on what you can do to keep your data secure is available here.

Your Rights


You have the right to certain information relating to processing of your personal data by Three. This Privacy Statement, along with other relevant publicly available documents, provides this information.


You have the right to have any inaccurate personal data corrected or updated. Please contact customer care and they’ll be happy to help.


You have the right to have your data deleted when it is no longer required by us for a lawful purpose. Three already automatically deletes this data.

In this way, Three complies with your “Right to be Forgotten” without you having to make a request to us. Where data still needs to be kept, e.g. for a legal obligation or for legitimate business purposes we will automatically delete it as soon as this retention period ends.

Right to Object

You have the right to object to the processing of your personal data which is done for the purposes of a legitimate interest or in the public interest or in exercise of official authority vested in Three as data controller. Where you object, Three shall demonstrate compelling legitimate grounds for the processing, or cease it. To exercise this right, contact the Data Protection Officer.

You have the right to object to processing for direct marketing purposes. This right can be exercised by opting out of direct marketing using the means provided.


You have the right to have processing of data restricted

  • While we verify the accuracy of your data or correct it if necessary
  • If the processing is unlawful and you request restriction of the processing rather than erasure of the personal data.
  • We no longer need the personal data for the purposes of the processing, but you require us to retain it for the establishment, exercise or defence of legal claims
  • While we consider an objection made by you under your Right to Object.

To exercise this right, please contact the Data Protection Officer.


You have the right to obtain a copy of personal data which we may hold about you. Please email or contact the Data Protection Officer.


You have the right to obtain a copy of certain personal data in a commonly used, machine readable format. This right is limited to data which

  1. Was provided to us by you
  2. Is processed by us on the basis of consent or a contract
  3. Is processed by automated means

Three provides such information in Excel Spreadsheet format. To exercise your Right to Data Portability, please email or contact the Data Protection Officer.

Delivery of Access and Portability Rights

We may ask you to complete a form to help us identify the data you require. We may request that you provide proof of your identity and residence. In the case of certain manifestly unfounded or excessive requests, we reserve the right to decline a request or to charge a reasonable administrative fee.

We will provide your data to you within 30 days of receiving your request, except for requests which by reason of their complexity or number may take up to three months. In such cases we will notify you of any such delay within one month of receipt of the request, together with the reasons for the delay.

You should note that Three is bound to retain data for no longer than is necessary, and that certain data may therefore have been deleted by the time a request for access is made, in line with our retention rules outlined above.

The Right to Lodge a Complaint

If you are unsatisfied to with any aspect of Three’s processing of your data, you have the right to lodge a complaint with a supervisory authority. The supervisory authority for Ireland is the Office of the Data Protection Commissioner.