Privacy Notice

About this Privacy Statement

This Privacy Statement tells you what personal data is processed by Three in relation to you, the purposes for which it is processed and the manner and duration of the processing. This information is provided in fulfilment of Three’s duty to process data in a manner which is fair, lawful and transparent, and to provide information relating to the processing at the time of collection of that data. You should read this Privacy Statement prior to providing any personal to Three and refer to it at any time should you have queries regarding the use of your personal data.

 

Data Controller

Depending on whether you are a customer of Three Ireland (Hutchison) Limited, or Three Ireland Services (Hutchison) Limited (formerly O2), one or both of those companies is the “Data Controller” in respect of this data. This Privacy Notice applies to both companies, and collectively refers to them as “Three”.

You can contact Three in a number of ways, which are set out on the contact page of our website (https://www.three.ie/contact-us.html)

In accordance with Article 37 of the GDPR, Three has appointed a Data Protection Officer. If you wish to contact our Data Protection Officer in relation to the processing of your personal data by Three, you can do so by e-mailing: privacy@three.ie

 

About Data Protection

Three processes personal data in accordance with the requirements of Data Protection law. This law includes the Irish Data Protection Acts and the EU General Data Protection Regulation (“GDPR”).

Under Data Protection law, you are the “Data Subject” in respect of any personal data relating to you. “Personal Data” is any information which relates to an identifiable natural person. It does not include information relating to a company or other legal entity.

Three may engage third parties (other than its own employees) to provide services to it. Any of those third parties who process personal data on our behalf is a “Data Processor”.

“Processing” means any action performed on personal data, including collection, storage, copying, consulting, disclosure or destruction.

 

Processing of Your Data

We have extensive controls in place to maintain the security of our information and information systems. Client files are protected with safeguards according to the sensitivity of the relevant information. Appropriate controls (such as restricted access) are placed on our computer systems. Physical access to areas where Personal Data is gathered, processed or stored is limited to authorised employees.

As a condition of employment, Three employees are required to follow all applicable laws and regulations, including in relation to data protection law. Access to sensitive Personal Data is limited to those employees who need it to perform their roles. Unauthorised use or disclosure of confidential client information by a Three employee is prohibited and may result in disciplinary measures.

When you contact a Three employee about your Personal Information, you may be asked for some Personal Data to validate your identity. This type of safeguard is designed to ensure that only you, or someone authorised by you, has access to your file.

 

Processing of Children’s Data

Our Service is not intended for individuals under the age of 16 without the permission of their parents or guardians. We do not knowingly collect or solicit information from anyone under the age of 16. In the event that we learn that we have inadvertently collected personal information from a child under the age of 16, we will delete that information as quickly as possible. If you believe that we might have information from a child under 16, please contact us. Protecting the privacy of children is very important to us. Thus, if we obtain actual knowledge that a user is under 16 and does not have parental permission to use our services, we will take steps to remove that user's Personal Information from our databases. We require that anyone under the age of 16 obtain their parent or guardian's permission before submitting their information to us.

 

How Three Processes Your Data

Your name, address and date of birth
Purpose of Processing

To identify you so that we can administer your account.

Prepay customers are not required to provide this data but should note that if they provide it for sign-in purposes, it will be associated with their account records. Customers wishing to remain anonymous therefore will not be able to avail of sign-in services.

When you contact us with an enquiry about your account, we will ask you to answer questions regarding this and other account information, in order to verify your identity and protect your privacy.

Legal Basis of Processing

In order to perform our contract with you.

Duration of Processing

For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account.

Contact details including alternative telephone number(s) and email address
Purpose of Processing

To contact you in relation to your account.

Legal Basis of Processing

In order to perform our contract with you.

Duration of Processing

For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account.

Sign-in Information

Information such as name, email and home address, which you provide to us in order to register for self-serve or for our 3Plus and 3Extra services. This information will be associated with your account record.

Purpose of Processing

To identify you so that we can administer your account and deliver self-serve and 3Plus and 3Extra services, including direct marketing where you consent to same.

Legal Basis of Processing

Legitimate interest and, for direct marketing, consent.

Duration of Processing

For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account. Processing for direct marketing purposes will continue only for as long as you give your consent.

 

Bank and Credit Card information
Purpose of Processing

To process payment for services provided to you.

Legal Basis of Processing

In order to perform our contract with you.

Duration of Processing

For as long as you remain a customer, plus 13 months to allow for investigation of disputed transactions.

 

Billing information
Purpose of Processing

To calculate and issue charges for services provided to you.

Legal Basis of Processing

In order to perform our contract with you.

Duration of Processing

For current financial year, plus six years, as required under tax law.

 

Call Traffic Records

Certain data is generated by your activity on our network. This includes the time and duration of your phone calls, the number to or from which the calls were made, your geographical location on the network, and details of your device.

Purpose of Processing

For connection of calls, calculation of billing and interconnector charges, traffic management, fraud investigation, network troubleshooting.

With your consent, for direct marketing and the provision of value added services.

This data is also retained and may be disclosed in accordance with the Communications (Retention of Data) Act, 2011

Legal Basis of Processing

In order to perform our contract with you

On consent

To comply with a legal obligation

Duration of Processing

For two years, as required by law.

 

Credit Referencing, Identity Checks, Payment Default and Fraud Prevention

On applying to open an account with you, we request information about your current and former addresses and your employment, for credit scoring purposes. For fraud prevention purposes, we also request copies of certain documents in order to verify your identity and address.

If a Bill Pay account customer, we will make searches about you at credit reference agencies who will supply us with credit information, as well as information from the Electoral Register, to help us to decide whether to accept your application or future applications, and to verify your identity. The agency will record details of our search and your application whether you are accepted or not.

We will use credit scoring systems when assessing your application. This information may be used for debt tracing.

If a Bill Pay customer, we will also disclose details of your agreement with us, the payments you make under it, account balances and information about any default, dispute, and debts to credit reference agencies. We will also disclose details of any change of address reported to us or of which we become aware.

Credit searches and the information supplied by us and held by credit reference agencies is used by us and other organisations to help make decisions about other credit applications by you or other members of your household with whom you are linked financially to trace debtors, recover debts, to prevent and detect fraud and to manage your account.

Where we deem it appropriate, we may also check and share your details with fraud prevention agencies who will record details of any false or inaccurate information provided by you or where we suspect fraud (whether a Bill Pay or Prepay Customer). Records held by fraud prevention agencies will also be used by other organisations to help them prevent fraud against you and other organisations who make decisions on motor, household, credit, life and other insurance proposals and insurance claims for you and members of your household and to help prevent money laundering where applicable. Those fraud prevention agencies may disclose information to law enforcement agencies where requested and necessary for the investigation of crime.

We may also use and share your details for the collection of any debts owed on your account. This may include the use of debt collection agencies to collect debts on our behalf or may include the assignment of debts to a third party company. The assignment of debts will involve the sale of your account information to a third party company – this information may include your name, address and contact data, year of birth, debts owed, payment history and other information necessary to help recover the debt.

We may also pass and share information to other communications service providers and network operators for the detection, identification and prevention of payment default, theft and fraud.

 

Purpose of Processing

Credit Referencing, Identity Checks, Payment Default and Fraud Prevention

Legal Basis of Processing

Legitimate Interest

Duration of Processing

Credit scoring information is held for three years. Fraud Information is held for four Years. Copies of proofs of residence and identity are held for a maximum of six months.

 

Your Interactions with us

When you interact with our customer care channels, records of these interactions will be held by us in order to administer your account. Where you interact with us via social media, our Social Media policy will apply. Calls to our call centre will be recorded.

Purpose of Processing

To administer you account and provide customer care to you

Legal Basis of Processing

In order to perform our contract with you

Duration of Processing

For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account. Call recordings are held for a maximum of 13 months. Webchat transcripts are held for a maximum of 13 months.

CCTV

Our stores, data centres and headquarters buildings have CCTV in operation.

Purpose of Processing

The security of our staff, premises and property

Legal Basis of Processing

Legitimate Interest

Duration of Processing

CCTV footage is routinely held for 30 days, unless preserved for a particular purpose.

 

Website

We collect certain data from users and visitors to our website. For more details, see our Website Privacy Policy and Cookies Policy

Other Services

If you sign up to services such as 3Extra or 3Plus, we may process certain data relating to you for direct marketing purposes and in order to provide value added services to you. This processing is done only with your consent, and subject to the Privacy Policies of these services. If you sign up to these services and are a prepay customer, the details you provide will be associated with your account.

Purpose of Processing

To provide direct marketing and value added services to you.

Legal Basis of Processing

Consent

Duration of Processing

For as long as you remain a customer, or until you withdraw your consent by opting out.

Direct Marketing
  • to develop our relationship with you, to develop and personalise Three Services and to present and deliver these to your Device.
  • to keep you informed about Three’s services, developments, pricing tariffs, special offers, and any discounts or awards which we believe may be of personal interest to you, or which you may be entitled to.

We may process the above data or data relating to your usage of our services to carry out analysis of your information:

We may keep you up to date (including by automated means) directly to your Mobile or other contact number, by post, email, telephone, by electronic messaging such as mobile text, digital, online and picture message, and voicemail subject to any preferences indicated by you.

If you do not wish to receive direct marketing information you should contact Customer Services by logging onto www.three.ie/my3, using our LiveChat Service at www.three.ie/contact-us/chat.html, from our Contact Us Form www.three.ie/contact-us/ or by using the “opt-out” means provided for in our marketing communications to you. Please note that where you opt out of all marketing from Three you will still receive service communications from Three (for example, billing communications).

Purpose of Processing

Marketing, including Direct Marketing

Legal Basis of Processing

Legitimate Interest

Duration of Processing

For as long as you remain a customer, or until you opt out.

 

Other Processing
  • to carry out activities necessary to the running of our business, including system testing, network monitoring, staff training, quality control and any legal proceedings.
  • to carry out any activities or disclosures to comply with any regulatory, government or legal requirement or on foot of a binding request (e.g. Court Order or a regulatory request from a body such as ComReg or the Data Protection Commissioner)

We may process the above data or data relating to your usage of our services:

 

Managing Your Information and Privacy Preferences

It is important that you keep your Personal Data with Three up to date. If you do not provide us with your current information, then we may not be able to provide our services, or elements thereof, to you; for example, if you don’t provide us with your current email we will not deliver you your bill by email, or you may not be able to access the My3 App.

You can access, view and change your privacy preferences, see your usage, manage your account, top up, and message us using the My3 App. ( https://www.three.ie/my3-app.html )

 

Anonymised Data Sharing

Three anonymises and aggregates your data on an ongoing basis. The data is 'de-identified' using established data processing techniques to a point where the data subject is no longer identifiable or capable of being 'Singled-Out'. Such anonymised data includes traffic, billing, and location data. The anonymised data may then be statistically analysed in an aggregate format by Three in order to generate data insights to carry out research on, or profile, use of our products and services. Three may share these insights with affiliates and third parties for review, planning, public policy and commercial purposes, subject to strict rules to safeguard the data from deanonymisation.

 

Disclosure of Your Data to Others

Group Companies

We may disclose your information to other members of our group of companies, and to our or their partners, associates, agents or subcontractors and to possible successors to our business.

Data Processors

Three uses service providers to assist in providing services to you, and some of these process your personal data on our behalf. These Data Processors provide a range of services to Three, including deliveries, cloud computing, data storage, document shredding, outsourced IT services, outsourced customer services, repairs of hardware, franchise store operators, security providers, consultants and professional advisors. Where we use Data Processors, we require them by contract to only process data in accordance with our instructions.

Data Aggregators and Direct Marketing Campaign Providers

We use specific marketing related data processors such as Data Aggregators to assist with targeted marketing and Direct Marketing Campaign Providers to assist us by sending direct marketing messages to you or targeting directed advertising towards, or away from, you.

We also use location based service solution providers, who may be provided with your location, where you have consented to your location being accessed for marketing purposes and are then able to trigger marketing messages to be sent by our Direct Marketing Campaign Providers to You depending on your general location.

National Directory Database (NDD) and Number Portability Database

Where you have agreed to be included in our directory enquiry list your information will automatically be included in the National Directory Database (NDD) hosted by an organisation designated by the Commission for Communications Regulation. The NDD includes marketing opt-out related preferences.

Where you request to port in from another operator your existing telephony number, or where you chose to port out your existing telephone number from Three to another operator, we are obliged to facilitate such a request and share such information as is required to action that request, to the organisation designated by the Commission for Communications Regulation responsible for co-ordinating porting requests.

Legal Disclosure

Under the Communications (Retention of Data) Act, 2011, Three is obliged to disclose telecommunications data for the purpose of complying with a disclosure request for the prevention, detection, investigation or prosecution of a serious or revenue offence, for the safeguarding of the security of the State or for the saving of human life; in accordance with a court order; or as may be authorised by the Data Protection Commissioner.

Other Personal Data may be disclosed where required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid. In such cases, we will not disclose your data without first taking into account your fundamental right to Data Protection.

We may disclose Personal Data to Law enforcement agencies, government bodies, regulatory organisations, mediator/arbitrator, courts or other public authorities if we have to, or are authorised to by law. Similarly, we may disclose Personal Data to a third party or body where such disclosure is required to satisfy any applicable law, or other legal or regulatory requirement;

Connecting Calls

When you make a call, the calling line identity (CLI) of your Mobile (your mobile number) will be displayed on the Mobile of the person you call. If you do not wish your CLI to be displayed and/or transmitted you should consult your user guide or contact Customer Services. Your CLI and approximate location cannot be blocked when calling the emergency services, or when sending a text, picture, or video message.

When you make a call, it is necessary to make certain meta data relating to that call available to other networks, including foreign networks when you are roaming or making an international call.

Partner Organisations

We may disclose, subject to choices you make, Personal Data to third parties for joint promotions with that third party. The third parties will be responsible for their own compliance with applicable privacy laws. These third party organisations, which we have carefully chosen, may contact you about their products and services (which may or may not include Three products and services).

 

Transfer of Data to Third Countries

Some of the Data Processors we use are based outside the European Economic Area (the ‘EEA’) which consists of the European Union Member States together with Iceland, Liechtenstein and Norway. When we transfer to or allow access to personal data from such countries, we ensure that adequate contractual and technical safeguards to carry out these transfers in accordance with applicable data protection law are in place to protect your information.

 

Retention Periods

We are required under the Communications (Retention of Data) Act, 2011 to retain certain traffic related Personal Information for a period of 2 years after the relevant data was processed. Otherwise, we retain your personal data for as long as necessary for the purposes for which it was collected and to provide you with our services, to secure the legitimate interests of our business or where otherwise required by law. Generally, unless otherwise stated herein, we will retain your data for the lifetime of your account with us and for a 2 year period thereafter in accordance with our information retention policy, a copy of which, with information relevant to You, is available on request.

Your Rights regarding Your Personal Data

You have certain rights relating to processing of your personal data by Three arising from Chapter 3 of the General Data Processing Regulation. These rights include:

Right to Information

You have the right to certain information relating to processing of your personal data by Three. This Privacy Statement, along with other relevant publicly available documents, provides this information.

Right of Access

You have the right to obtain a copy of personal data which we may hold about you. Depending on your customer type and duration of tenure as customer, and on whether you were a customer of Three or of O2, different information may be held by us, and there may be “gaps” our records due to changes to our purging processes over the years. Accordingly, we will provide you, as required by law, with all data which we hold relating to you, but we may no longer have a copy of the particular record or document you are seeking.

Right to Rectification

You have the right to have any inaccurate personal data corrected or updated.

Right to Erasure (“The Right to be Forgotten”)

You have the right to have your data deleted when it is no longer required by us for a lawful purpose. Three already automatically deletes this data.

In this way, Three complies with your “Right to be Forgotten” without you having to make a request to us. Where data still needs to be kept, e.g., for a legal obligation or for legitimate business purposes we will automatically delete it as soon as this retention period ends.

Right to Restriction of Processing

You have the right to have processing of data restricted;

  • While we verify the accuracy of your data or correct it if necessary;
  • If the processing is unlawful and you request restriction of the processing rather than erasure of the personal data;
  • If we no longer need the personal data for the purposes of the processing, but you require us to retain it for the establishment, exercise or defence of legal claims; and
  • While we consider an objection made by you under your Right to Object.
Right to Data Portability

You have the right to obtain a copy of certain personal data in a commonly used, machine readable format. This right is limited to data which;

  • Was provided to us by you;
  • Is processed by us on the basis of consent or a contract; and
  • Is processed by automated means.

Three provides such information in Excel Spreadsheet format.

Right to Object

You have the right to object to the processing of your personal data which is done for the purposes of a legitimate interest or in the public interest or in exercise of official authority vested in Three as data controller. Where you object, Three shall demonstrate compelling legitimate grounds for the processing, or cease it.

You have the right to object to processing for direct marketing purposes. This right can be exercised by opting out of direct marketing using the means provided.

Right regarding Automated Decision Making

Certain decisions relating to credit scoring are based solely on the automatic processing of personal data which you provide to us as part of your application. Where such a decision is made in respect of your application, you will be notified of the outcome and given the opportunity to obtain human intervention by Three, to express your point of view and to contest the decision.

 

Exercise of your Personal Data Rights

To exercise your rights regarding your personal data please contact the office of the Three Data Protection Officer at privacy@three.ie

We may ask you to complete a form to help us identify the data you require. We may request that you provide additional information necessary to confirm your identity as the Data Subject. In the case of certain manifestly unfounded or excessive requests, we reserve the right to decline a request or to charge a reasonable administrative fee.

We will provide, if requested, your data to you within 30 days of receiving your request, except for requests which by reason of their complexity or number may take up to three months. In such cases we will notify you of any such delay within one month of receipt of the request, together with the reasons for the delay.

You should note that Three is bound to retain data for no longer than is necessary, and that certain data may therefore have been deleted by the time a request for access is made, in line with our retention rules outlined above.

 

The Right to Lodge a Complaint

If you are unsatisfied with any aspect of Three’s processing of your data, you have the right to lodge a complaint with a supervisory authority. The supervisory authority for Ireland is the Office of the Data Protection Commissioner. ( https://www.dataprotection.ie/ )

 

Relevant Terms and Conditions

You should read this Privacy Notice in conjunction with the Terms for Three Services (https://www.three.ie/legal/terms.html).

 

Changes to our Privacy Documentation

This Data Protection Notice is kept under regular review and is therefore subject to change. Amended versions of this document shall be notified through publication in the Privacy Centre on the Three website (https://www.three.ie/legal/privacy.html). This document was last reviewed on the 12th of April 2021.