Privacy Notice
About this Privacy Notice
This Privacy Notice tells you what personal data is processed by Three in relation to you, the purposes for which it is processed and the manner and duration of the processing. This information is provided in fulfilment of Three’s duty to process data in a manner which is fair, lawful and transparent, and to provide information relating to the processing at the time of collection of that data. You should read this Privacy Notice prior to providing any Personal Data to Three and refer to it at any time should you have queries regarding the use of your personal data.
Data Controller
Depending on whether you are a customer of Three Ireland (Hutchison) Limited, or Three Ireland Services (Hutchison) Limited (formerly O2), one or both of those companies is the “Data Controller” in respect of this data. This Privacy Notice applies to both companies, and collectively refers to them as “Three”.
You can contact Three in a number of ways, which are set out on the contact page of our website (https://www.three.ie/contact-us.html)
In accordance with Article 37 of the GDPR, Three has appointed a Data Protection Officer. If you wish to contact our Data Protection Officer in relation to the processing of your personal data by Three, you can do so by e-mailing: privacy@three.ie
About Data Protection
Three processes personal data in accordance with the requirements of Data Protection law. This law includes the Irish Data Protection Acts and the EU General Data Protection Regulation (“GDPR”).
Under Data Protection law, you are the “Data Subject” in respect of any personal data relating to you. “Personal Data” is any information which relates to an identifiable natural person. It does not include information relating to a company or other legal entity.
Three may engage third parties (other than its own employees) to provide services to it. Any of those third parties who process personal data on our behalf is a “Data Processor”.
“Processing” means any action performed on personal data, including collection, storage, copying, consulting, disclosure or destruction.
General Telecom Privacy Law in Ireland
In Ireland, your communications privacy is protected by telecom-specific laws. Under the ePrivacy Regulations 2011 (S.I. 336/2011), we must ensure, and keep, the secrecy of your communications. Any lawful interception of communications can only occur under strict conditions set by the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993, typically on foot of a valid authorisation/warrant. Separately, the Communications (Retention of Data) Act 2011 (as amended) may require us to retain certain traffic and location metadata for defined periods for law-enforcement purposes—not the content of your calls, texts, or browsing—after which it must be securely deleted. We apply technical and organisational safeguards to this data, and your GDPR rights (access, erasure, objection, etc.) continue to apply.
Processing of Your Data
We have extensive controls in place to maintain the security of our information and information systems. Client files are protected with safeguards according to the sensitivity of the relevant information. Appropriate controls (such as restricted access) are placed on our computer systems. Physical access to areas where Personal Data is gathered, processed or stored is limited to authorised employees.
As a condition of employment, Three employees are required to follow all applicable laws and regulations, including in relation to data protection law. Access to sensitive Personal Data is limited to those employees who need it to perform their roles. Unauthorised use or disclosure of confidential client information by a Three employee is prohibited and may result in disciplinary measures.
When you contact a Three employee about your Personal Information, you may be asked for some Personal Data to validate your identity. This type of safeguard is designed to ensure that only you, or someone authorised by you, has access to your file.
Processing of Children’s Data
Our Service is not intended for individuals under the age of 16 without the permission of their parents or guardians. We do not knowingly collect or solicit information from anyone under the age of 16. If you believe that we might have information from a child under 16, please contact us. Protecting the privacy of children is very important to us. For more information on how Three processes the personal data of children up to the age of 18, see our Children’s Privacy Notice here.
How Three Processes Your Data
Your name, address and date of birth
Purpose of Processing
To identify you so that we can administer your account.
Prepay customers are not required to provide this data but should note that if they provide it for sign-in purposes, it will be associated with their account records. Customers wishing to remain anonymous therefore will not be able to avail of sign-in services.
When you contact us with an enquiry about your account, we will ask you to answer questions regarding this and other account information, in order to verify your identity and protect your privacy.
Legal Basis of Processing
In order to perform our contract with you.
Duration of Processing
For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account.
Contact details including alternative telephone number(s) and email address
Purpose of Processing
To contact you in relation to your account.
Legal Basis of Processing
In order to perform our contract with you.
Duration of Processing
For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account.
Sign-in Information
Purpose of Processing
To identify you so that we can administer your account and deliver My3 self-serve access and 3Plus and 3Extra services, information such as name, email and home address, which you provide to us in order to register for self-serve or for our 3Plus and 3Extra services, including direct marketing where you consent to same. This information will be associated with your account record.
Legal Basis of Processing
Legitimate interest and, for direct marketing, consent.
Duration of Processing
For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account. Processing for direct marketing purposes will continue only for as long as you give your consent.
Bank and Credit Card information
Purpose of Processing
To process payment for services provided to you.
Legal Basis of Processing
In order to perform our contract with you.
Duration of Processing
For as long as you remain a customer, plus 13 months to allow for investigation of disputed transactions.
Billing information
Purpose of Processing
To calculate and issue charges for services provided to you.
Legal Basis of Processing
In order to perform our contract with you.
Duration of Processing
For current financial year, plus six years, as required under tax law.
Call Traffic Records
Certain data is generated by your activity on our network. This includes the time and duration of your phone calls, the number to or from which the calls were made, your geographical location on the network, and details of your device.
Purpose of Processing
For connection of calls, calculation of billing and interconnector charges, traffic management, fraud investigation, network troubleshooting.
For the mitigation of Nuisance Communications, including text and voice spam.
With your consent, for direct marketing and the provision of value added services.
This data is also retained and may be disclosed in accordance with the Communications (Retention of Data) Act, 2011, as amended.
Legal Basis of Processing
In order to perform our contract with you.
On consent.
To comply with a legal obligation.
Duration of Processing
For two years, as required by law.
Credit Referencing, Identity Checks, Payment Default and Fraud Prevention
On applying to open an account with you, we request information about your current and former addresses and your employment, for credit scoring purposes. For fraud prevention purposes, we also request copies of certain documents in order to verify your identity and address.
If a Bill Pay account customer, we will make searches about you at credit reference agencies who will supply us with credit information, as well as information from the Electoral Register, to help us to decide whether to accept your application or future applications, and to verify your identity. The agency will record details of our search and your application whether you are accepted or not.
We will use credit scoring systems when assessing your application. This information may be used for debt tracing.
If a Bill Pay customer, we will also disclose details of your agreement with us, the payments you make under it, account balances and information about any default, dispute, and debts to credit reference agencies. We will also disclose details of any change of address reported to us or of which we become aware.
Credit searches and the information supplied by us and held by credit reference agencies is used by us and other organisations to help make decisions about other credit applications by you or other members of your household with whom you are linked financially to trace debtors, recover debts, to prevent and detect fraud and to manage your account.
Where we deem it appropriate, we may also check and share your details with fraud prevention agencies who will record details of any false or inaccurate information provided by you or where we suspect fraud (whether a Bill Pay or Prepay Customer). Records held by fraud prevention agencies will also be used by other organisations to help them prevent fraud against you and other organisations who make decisions on motor, household, credit, life and other insurance proposals and insurance claims for you and members of your household and to help prevent money laundering where applicable. Those fraud prevention agencies may disclose information to law enforcement agencies where requested and necessary for the investigation of crime.
We may also use and share your details for the collection of any debts owed on your account. This may include the use of debt collection agencies to collect debts on our behalf or may include the assignment of debts to a third party company. The assignment of debts will involve the sale of your account information to a third party company – this information may include your name, address and contact data, year of birth, debts owed, payment history and other information necessary to help recover the debt.
We may also pass and share information to other communications service providers and network operators for the detection, identification and prevention of payment default, theft and fraud.
Purpose of Processing
Credit Referencing, Identity Checks, Payment Default and Fraud Prevention
Legal Basis of Processing
Legitimate Interest
Duration of Processing
Credit scoring information is held for three years. Fraud Information is held for four years. Copies of proofs of residence and identity are held for a maximum of six months.
Your Interactions with us
When you interact with our customer care channels, records of these interactions will be held by us in order to administer your account. Where you interact with us via social media, our Social Media policy will apply. Calls to our call centre will be recorded.
Purpose of Processing
To administer your account and provide customer care to you
Legal Basis of Processing
In order to perform our contract with you
Duration of Processing
For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account. Call recordings are held for a maximum of 13 months. Webchat transcripts are held for a maximum of 13 months.
CCTV
Our stores, data centres and headquarters buildings have CCTV in operation.
Stores also anonymously count the number of visitors by gender and age band (by decade).
Purpose of Processing
The security of our staff, premises and property.
Anonymous demographic data is used to help us learn about the demographic groups who visit our stores so that we can improve our service.
Legal Basis of Processing
Legitimate Interest
Duration of Processing
CCTV footage is routinely held for 30 days, unless preserved for a particular purpose.
Anonymous demographic data is not retained in a form that allows for the identification of individual visitors.
Special Category Data
Accessibility/support needs (e.g., hearing/vision accommodations)
Purpose of Processing
To tailor customer support and communications.
Legal Basis of Processing
Art. 6(1)(b)/(f) and Art. 9(2)(a) explicit consent.
Directive (EU) 2019/882 (European Accessibility Act) as transposed by S.I. 636/2023.
Duration of Processing
Minimum necessary, typically 12 months after cessation of contract.
Direct Marketing
- to develop our relationship with you, to develop and personalise Three Services and to present and deliver these to your Device.
- to keep you informed about Three’s services, developments, pricing tariffs, special offers, and any discounts or awards which we believe may be of personal interest to you, or which you may be entitled to.
- We’ll keep some personal information for a reasonable period after your contract with us has finished in case you decide to use our services again. We may contact you about Three services during this time if you haven’t opted out of receiving marketing communications from us.
We may process the above data or data relating to your usage of our services to carry out analysis of your information:
We may keep you up to date (including by automated means) directly to your Mobile or other contact number, by post, email, telephone, by electronic messaging such as mobile text, app push, digital, online and picture message, and voicemail subject to any preferences indicated by you.
If you do not wish to receive direct marketing information you should contact Customer Services by logging onto www.three.ie/my3, using our LiveChat Service at www.three.ie/contact-us/chat.html, from our Contact Us Form www.three.ie/contact-us/ or by using the “opt-out” means provided for in our marketing communications to you. Please note that where you opt out of all marketing from Three you will still receive service communications from Three (for example, billing communications).
Purpose of Processing
Marketing, including Direct Marketing
Legal Basis of Processing
Legitimate Interest
Duration of Processing
For as long as you remain a customer, or until you opt out.
Other Processing
- to carry out activities necessary to the running of our business, including system testing, network monitoring, staff training, quality control and any legal proceedings.
- to diagnose issues with your service, we may retrieve and store for a relevant period technical data from the Modem / CPE connecting your home / IOT network relating to the connection, the Modem / CPE, and the end user devices connected.
- to carry out any activities or disclosures to comply with any regulatory, government or legal requirement or on foot of a binding request (e.g. Court Order, Delivery of Public Warning System messages, or a regulatory request from a body such as ComReg or the Data Protection Commissioner).
- to handle your orders and keep you informed about their progress. Deliver the products and services you've purchased, including any additional services not covered in your original agreement. This may also involve contacting you with updates regarding changes to those products or services.
Use of Artificial Intelligence (AI)
We use artificial intelligence (AI) to analyse data, provide personalised customer service, monitor our network, and improve our services. These AI technologies help us to enhance customer experience, streamline our operations, analyse the impact of and personalise our marketing and detect fraudulent activities. The AI systems may process personal data, including but not limited to name, contact details, interaction history, device/network/service usage, and purchase history to achieve these purposes.
We design our systems with safeguards (testing, accuracy checks, and access controls) and carry out assessments before using high-impact AI. Where data helps us improve our AI, we apply minimisation and, where possible, anonymisation or aggregation; for optional uses (such as marketing personalisation) you can withdraw consent or object at any time via your privacy preferences.
Managing Your Information and Privacy Preferences
It is important that you keep your Personal Data with Three up to date. If you do not provide us with your current information, then we may not be able to provide our services, or elements thereof, to you; for example, if you don’t provide us with your current email we will not deliver you your bill by email, or you may not be able to access the My3 App.
You can access, view and change your privacy preferences, see your usage, manage your account, top up, and message us using the My3 App. ( https://www.three.ie/my3-app.html )
Anonymised Data Sharing
Three anonymises and aggregates your data on an ongoing basis. The data is 'de-identified' using established data processing techniques to a point where the data subject is no longer identifiable or capable of being 'Singled-Out'. Such anonymised data includes traffic, billing, and location data. The anonymised data may then be statistically analysed in an aggregate format by Three in order to generate data insights to carry out research on, or profile, use of our products and services. Three may share these insights with affiliates and third parties for review, planning, public policy and commercial purposes, subject to strict rules to safeguard the data from deanonymisation.
Disclosure of Your Data to Others
Group Companies
We may disclose your information to other members of our group of companies, and to our or their partners, associates, agents or subcontractors and to possible successors to our business.
Data Processors
Three uses service providers to assist in providing services to you, and some of these process your personal data on our behalf. These Data Processors provide a range of services to Three, including deliveries, cloud computing, data storage, document shredding, outsourced IT services, outsourced customer services, repairs of hardware, franchise store operators, security providers, consultants and professional advisors. Where we use Data Processors, we require them by contract to only process data in accordance with our instructions.
Data Aggregators and Direct Marketing Campaign Providers
We use specific marketing related data processors such as Data Aggregators to assist with targeted marketing and Direct Marketing Campaign Providers to assist us by sending direct marketing messages to you or targeting directed advertising towards, or away from, you.
We use Data Aggregators to assist us with conducting individual surveys, to gather survey feedback and to analyse and report on survey results.
We also use location based service solution providers, who may be provided with your location, where you have consented to your location being accessed for marketing purposes and are then able to trigger marketing messages to be sent by our Direct Marketing Campaign Providers to You depending on your general location.
National Directory Database (NDD) and Number Portability Database
Where you have agreed to be included in our directory enquiry list your information will automatically be included in the National Directory Database (NDD) hosted by an organisation designated by the Commission for Communications Regulation. The NDD includes marketing opt-out related preferences.
Where you request to port in from another operator your existing telephony number or internet access service, or where you chose to port out your existing telephone number or internet access service from Three to another operator, we are obliged to facilitate such a request and share such information as is required to action that request, to the organisation designated by the Commission for Communications Regulation responsible for co-ordinating porting requests.
Cookies
We use cookies and similar technologies (including SDKs in our apps) to make our services work, measure performance, and—if you agree—personalise content and advertising. You can change your cookie preferences at any time via our cookie settings tool and your browser/device settings. For details on the types of cookies we use, how long they last, and how to manage your choices, please see our Cookie Policy.
Legal Disclosure
Under the Communications (Retention of Data) Act, 2011, as amended, Three is obliged to preserve and disclose telecommunications data for the purpose of complying with a disclosure request for the prevention, detection, investigation or prosecution of a serious or revenue offence, for the safeguarding of the security of the State or for the saving of human life; in accordance with a court order.
Other Personal Data may be disclosed where required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid. In such cases, we will not disclose your data without first taking into account your fundamental right to Data Protection.
We may disclose Personal Data to Law enforcement agencies, government bodies, regulatory organisations, mediator/arbitrator, courts or other public authorities if we have to, or are authorised to by law. Similarly, we may disclose Personal Data to a third party or body where such disclosure is required to satisfy any applicable law, or other legal or regulatory requirement;
Connecting Calls
When you make a call, the calling line identity (CLI) of your Mobile (your mobile number) will be available to be displayed on the device of the person you call. If you do not wish your CLI to be displayed you should consult your device user guide or contact Three Customer Services.
When you make a call, it may be necessary to make certain meta data relating to that call available to other networks, including foreign networks when you are making an international call.
Your CLI and approximate location will be shared, and cannot be blocked through user choice, when communicating with the emergency services.
Roaming
Personal Data that is generated by you while roaming abroad, when making/receiving calls or using data services, is available to the foreign network operators you are roaming with, and will be subject to different data governance regimes and different local legal regimes than that which applies when using Three’s services in Ireland.
Partner Organisations
We may disclose, subject to choices you make, Personal Data to third parties for joint promotions with that third party. The third parties will be responsible for their own compliance with applicable privacy laws. These third party organisations, which we have carefully chosen, may contact you about their products and services (which may or may not include Three products and services).
When you purchase a third-party product or service using your Three account (such as Charge to Bill for mobile, or Marketplace), the contract is between you and the seller of that product or service. Three’s role is simply to add the charge to your bill as part of its agreement with the seller. By doing so, you agree that Three may share certain personal information with the seller to complete your transaction and ensure delivery of the product or service. Please review the seller's terms and conditions, as well as their privacy and cookie policies, to understand how they will use your personal information.
Transfer of Data to Third Countries
Some of the Data Processors we use are based outside the European Economic Area (the ‘EEA’) which consists of the European Union Member States together with Iceland, Liechtenstein and Norway. Where we transfer personal data outside the EEA, we rely on an EU adequacy decision where available, or the European Commission’s Standard Contractual Clauses plus technical/organisational measures, informed by transfer impact assessments.
Retention Periods
We are required under the Communications (Retention of Data) Act, 2011, as amended, to retain certain traffic related Personal Information for a minimum period of 12 months after the relevant data was processed. Otherwise, we retain your personal data for as long as necessary for the purposes for which it was collected and to provide you with our services, to secure the legitimate interests of our business or where otherwise required by law. Generally, unless otherwise stated herein, we will retain your data for the lifetime of your account with us and for a 2 year period thereafter in accordance with our information retention policy, a copy of which, with information relevant to You, is available on request.
Your Rights regarding Your Personal Data
You have certain rights relating to processing of your personal data by Three arising from Chapter 3 of the General Data Processing Regulation. These rights include:
Right to Information
You have the right to certain information relating to processing of your personal data by Three. This Privacy Notice, along with other relevant publicly available documents, provides this information.
Right of Access
You have the right to obtain a copy of personal data which we may hold about you. Depending on your customer type and duration of tenure as customer, and on whether you were a customer of Three or of O2, different information may be held by us, and there may be “gaps” our records due to changes to our purging processes over the years. Accordingly, we will provide you, as required by law, with all data which we hold relating to you, but we may no longer have a copy of the particular record or document you are seeking.
Right to Rectification
You have the right to have any inaccurate personal data corrected or updated.
Right to Erasure (“The Right to be Forgotten”)
You have the right to have your data deleted when it is no longer required by us for a lawful purpose. Three already automatically deletes this data.
In this way, Three complies with your “Right to be Forgotten” without you having to make a request to us. Where data still needs to be kept, e.g., for a legal obligation or for legitimate business purposes we will automatically delete it as soon as this retention period ends.
Right to Restriction of Processing
You have the right to have processing of data restricted;
- While we verify the accuracy of your data or correct it if necessary;
- If the processing is unlawful and you request restriction of the processing rather than erasure of the personal data;
- If we no longer need the personal data for the purposes of the processing, but you require us to retain it for the establishment, exercise or defence of legal claims; and
- While we consider an objection made by you under your Right to Object.
Right to Data Portability
You have the right to obtain a copy of certain personal data in a commonly used, machine readable format. This right is limited to data which;
- Was provided to us by you;
- Is processed by us on the basis of consent or a contract; and
- Is processed by automated means.
Three provides such information in Excel Spreadsheet format.
Right to Object
You have the right to object to the processing of your personal data which is done for the purposes of a legitimate interest or in the public interest or in exercise of official authority vested in Three as data controller. Where you object, Three shall demonstrate compelling legitimate grounds for the processing, or cease it.
You have the right to object to processing for direct marketing purposes. This right can be exercised by opting out of direct marketing using the means provided.
Right regarding Automated Decision Making
We use automated decision-making in limited scenarios, for example credit-risk assessment when you apply for a bill-pay plan. These decisions may affect whether we can offer you service or require a deposit. You have the right to obtain human review, express your point of view and contest a decision.
We do not use AI to take automated decisions that produce legal or similarly significant effects beyond these scenarios.
Exercise of your Personal Data Rights
To exercise your rights regarding your personal data please contact the office of the Three Data Protection Officer at privacy@three.ie
We may ask you to complete a form to help us identify the data you require. We may request that you provide additional information necessary to confirm your identity as the Data Subject. In the case of certain manifestly unfounded or excessive requests, we reserve the right to decline a request or to charge a reasonable administrative fee.
We will provide, if requested, your data to you within 30 days of receiving your request, except for requests which by reason of their complexity or number may take up to three months. In such cases we will notify you of any such delay within one month of receipt of the request, together with the reasons for the delay.
You should note that Three is bound to retain data for no longer than is necessary, and that certain data may therefore have been deleted by the time a request for access is made, in line with our retention rules outlined above.
The Right to Lodge a Complaint
If you are unsatisfied with any aspect of Three’s processing of your data, you have the right to lodge a complaint with a supervisory authority. The supervisory authority for Ireland is the Office of the Data Protection Commissioner ( https://www.dataprotection.ie/ )
Relevant Terms and Conditions
You should read this Privacy Notice in conjunction with the Terms for Three Services (https://www.three.ie/legal/terms.html).
Changes to our Privacy Documentation
This Data Protection Notice is kept under regular review and is therefore subject to change. Amended versions of this document shall be notified through publication in the Privacy Centre on the Three website (https://www.three.ie/legal/privacy.html). This document was last reviewed on the 15th of September 2025.