Privacy Notice

About this Privacy Notice

This Privacy Notice tells you what personal data is processed by Three in relation to you, the purposes for which it is processed and the manner and duration of the processing. This information is provided in fulfilment of Three’s duty to process data in a manner which is fair, lawful and transparent, and to provide information relating to the processing at the time of collection of that data. You should read this Privacy Notice prior to providing any personal to Three and refer to it at any time should you have queries regarding the use of your personal data.

 

Data Controller

Depending on whether you are a customer of Three Ireland (Hutchison) Limited, or Three Ireland Services (Hutchison) Limited (formerly O2), one or both of those companies is the “Data Controller” in respect of this data. This Privacy Notice applies to both companies, and collectively refers to them as “Three”.

You can contact Three in a number of ways, which are set out on the contact page of our website (https://www.three.ie/contact-us.html)

In accordance with Article 37 of the GDPR, Three has appointed a Data Protection Officer. If you wish to contact our Data Protection Officer in relation to the processing of your personal data by Three, you can do so by e-mailing: privacy@three.ie

 

About Data Protection

Three processes personal data in accordance with the requirements of Data Protection law. This law includes the Irish Data Protection Acts and the EU General Data Protection Regulation (“GDPR”).

Under Data Protection law, you are the “Data Subject” in respect of any personal data relating to you. “Personal Data” is any information which relates to an identifiable natural person. It does not include information relating to a company or other legal entity.

Three may engage third parties (other than its own employees) to provide services to it. Any of those third parties who process personal data on our behalf is a “Data Processor”.

“Processing” means any action performed on personal data, including collection, storage, copying, consulting, disclosure or destruction.

 

Processing of Your Data

We have extensive controls in place to maintain the security of our information and information systems. Client files are protected with safeguards according to the sensitivity of the relevant information. Appropriate controls (such as restricted access) are placed on our computer systems. Physical access to areas where Personal Data is gathered, processed or stored is limited to authorised employees.

As a condition of employment, Three employees are required to follow all applicable laws and regulations, including in relation to data protection law. Access to sensitive Personal Data is limited to those employees who need it to perform their roles. Unauthorised use or disclosure of confidential client information by a Three employee is prohibited and may result in disciplinary measures.

When you contact a Three employee about your Personal Information, you may be asked for some Personal Data to validate your identity. This type of safeguard is designed to ensure that only you, or someone authorised by you, has access to your file.

 

Processing of Children’s Data

Our Service is not intended for individuals under the age of 16 without the permission of their parents or guardians. We do not knowingly collect or solicit information from anyone under the age of 16. If you believe that we might have information from a child under 16, please contact us. Protecting the privacy of children is very important to us. For more information on how Three processes the personal data of children up to the age of 18, see our Children’s Privacy Notice here.

 

How Three Processes Your Data

Your name, address and date of birth
Purpose of Processing

To identify you so that we can administer your account.

Prepay customers are not required to provide this data but should note that if they provide it for sign-in purposes, it will be associated with their account records. Customers wishing to remain anonymous therefore will not be able to avail of sign-in services.

When you contact us with an enquiry about your account, we will ask you to answer questions regarding this and other account information, in order to verify your identity and protect your privacy.

Legal Basis of Processing

In order to perform our contract with you.

Duration of Processing

For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account.

Contact details including alternative telephone number(s) and email address
Purpose of Processing

To contact you in relation to your account.

Legal Basis of Processing

In order to perform our contract with you.

Duration of Processing

For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account.

Sign-in Information

Information such as name, email and home address, which you provide to us in order to register for self-serve or for our 3Plus and 3Extra services. This information will be associated with your account record.

Purpose of Processing

To identify you so that we can administer your account and deliver self-serve and 3Plus and 3Extra services, including direct marketing where you consent to same.

Legal Basis of Processing

Legitimate interest and, for direct marketing, consent.

Duration of Processing

For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account. Processing for direct marketing purposes will continue only for as long as you give your consent.

 

Bank and Credit Card information
Purpose of Processing

To process payment for services provided to you.

Legal Basis of Processing

In order to perform our contract with you.

Duration of Processing

For as long as you remain a customer, plus 13 months to allow for investigation of disputed transactions.

 

Billing information
Purpose of Processing

To calculate and issue charges for services provided to you.

Legal Basis of Processing

In order to perform our contract with you.

Duration of Processing

For current financial year, plus six years, as required under tax law.

 

Website Usage

If you use our website while logged in, and consent to accept “Performance Cookies” using our website’s cookies consent manager, a log will be kept of your activity on the site, including pages visited, products viewed, transactions initiated, etc. These will be used to better understand the effectiveness of our website and online shop and also to tailor our offerings to you based on your interest.

If you browse our site without logging in, or without consenting to Performance Cookies, no such record is generated.

Purpose of Processing

To better understand how our customers use our website and online shop in order to improve it. To tailor products and services to you and, if you consent to direct marketing, to tailor direct marketing to you. 

Legal Basis of Processing

Legitimate Interest.

Duration of Processing

For as long as you remain a customer.

 

Call Traffic Records

Certain data is generated by your activity on our network. This includes the time and duration of your phone calls, the number to or from which the calls were made, your geographical location on the network, and details of your device.

Purpose of Processing

For connection of calls, calculation of billing and interconnector charges, traffic management, fraud investigation, network troubleshooting.

With your consent, for direct marketing and the provision of value added services.

This data is also retained and may be disclosed in accordance with the Communications (Retention of Data) Act, 2011

Legal Basis of Processing

In order to perform our contract with you

On consent

To comply with a legal obligation

Duration of Processing

For one year, as required by law.

 

Credit Referencing, Identity Checks, Payment Default and Fraud Prevention

When you apply to open an account with us, we request information about your address and your employment, for credit scoring purposes. For fraud prevention purposes, we also request copies of certain documents in order to verify your identity and address.

We will use credit scoring systems when assessing your application. Credit scores are used by us to decide on what types of plans are best suited to your credit profile, to prevent and detect fraud and to manage your account.

We may also use and share your details for the collection of any debts owed on your account. This may include the use of debt collection agencies to collect debts on our behalf.

Purpose of Processing

Credit Referencing, Identity Checks, Payment Default and Fraud Prevention

Legal Basis of Processing

Legitimate Interest

Duration of Processing

Credit scoring information is held for three years. Fraud Information is held for four years. Copies of proofs of residence and identity are held for a maximum of six months.

Your Interactions with us

When you interact with our customer care channels, records of these interactions will be held by us in order to administer your account. Where you interact with us via social media, our Social Media policy will apply. Calls to our call centre will be recorded.

Transcripts of chats with Care agents via webchat will be subject to analytics to better understand common customer issues. Individual transcripts will occasionally be manually reviewed to investigate complaints or regulatory issues, for quality control and agent training purposes, and to gain insights to help improve our care and services.

Purpose of Processing

To administer your account and provide customer care to you

Legal Basis of Processing

In order to perform our contract with you

Duration of Processing

For as long as you remain a customer, plus two years for legitimate purposes arising out of the administration of your account. Call recordings are held for a maximum of 13 months. Webchat transcripts are held for a maximum of 13 months.

CCTV

Our stores, data centres and headquarters buildings have CCTV in operation.

Stores also anonymously count the number of visitors by gender and age band (by decade).

Purpose of Processing

The security of our staff, premises and property.

Anonymous demographic data is used to help us learn about the demographic groups who visit our stores so that we can improve our service.

Legal Basis of Processing

Legitimate Interest

Duration of Processing

CCTV footage is routinely held for 30 days, unless preserved for a particular purpose.

Anonymous demographic data is not retained in a form that allows for the identification of individual visitors.

Direct Marketing
  • to develop our relationship with you, to develop and personalise Three Services and to present and deliver these to your Device.
  • to keep you informed about Three’s services, developments, pricing tariffs, special offers, and any discounts or awards which we believe may be of personal interest to you, or which you may be entitled to.

We may process the above data or data relating to your usage of our services to carry out analysis of your information:

We may keep you up to date (including by automated means) directly to your Mobile or other contact number, by post, email, telephone, by electronic messaging such as mobile text, digital, online and picture message, and voicemail subject to any preferences indicated by you.

If you do not wish to receive direct marketing information you should contact Customer Services by logging onto www.three.ie/my3, using our LiveChat Service at www.three.ie/contact-us/chat.html, from our Contact Us Form www.three.ie/contact-us/ or by using the “opt-out” means provided for in our marketing communications to you. Please note that where you opt out of all marketing from Three you will still receive service communications from Three (for example, billing communications).

Purpose of Processing

Marketing, including Direct Marketing

Legal Basis of Processing

Legitimate Interest

Duration of Processing

For as long as you remain a customer, or until you opt out.

 

Other Processing
  • to carry out activities necessary to the running of our business, including system testing, network monitoring, staff training, quality control and any legal proceedings.
  • to carry out any activities or disclosures to comply with any regulatory, government or legal requirement or on foot of a binding request (e.g. Court Order or a regulatory request from a body such as ComReg or the Data Protection Commissioner)

We may process the above data or data relating to your usage of our services:

 

Managing Your Information and Privacy Preferences

It is important that you keep your Personal Data with Three up to date. If you do not provide us with your current information, then we may not be able to provide our services, or elements thereof, to you; for example, if you don’t provide us with your current email we will not deliver you your bill by email, or you may not be able to access the My3 App.

You can access, view and change your privacy preferences, see your usage, manage your account, top up, and message us using the My3 App. ( https://www.three.ie/my3-app.html )

 

Anonymised Data Sharing

Three anonymises and aggregates your data on an ongoing basis. The data is 'de-identified' using established data processing techniques to a point where the data subject is no longer identifiable or capable of being 'Singled-Out'. Such anonymised data includes traffic, billing, and location data. The anonymised data may then be statistically analysed in an aggregate format by Three in order to generate data insights to carry out research on, or profile, use of our products and services. Three may share these insights with affiliates and third parties for review, planning, public policy and commercial purposes, subject to strict rules to safeguard the data from deanonymisation.

 

Disclosure of Your Data to Others

Other Operators

In order to ensure ease of porting between mobile networks, a database is maintained jointly by all mobile telecommunications companies in Ireland. This database contains every mobile number active in Ireland and the network on which it is currently and has historically been registered. No other personal data is contained in the database. Operators access the database in order to fulfil customer requests to port their number between operator, and to route calls between networks. In some limited cases, where there is an immediate risk to the life or safety of a mobile user, the network status of the user is disclosed to An Garda Síochána to facilitate an emergency response.  

Group Companies

We may disclose your information to other members of our group of companies, and to our or their partners, associates, agents or subcontractors and to possible successors to our business.

Data Processors

Three uses service providers to assist in providing services to you, and some of these process your personal data on our behalf. These Data Processors provide a range of services to Three, including deliveries, cloud computing, data storage, document shredding, outsourced IT services, outsourced customer services, repairs of hardware, franchise store operators, security providers, consultants and professional advisors. Where we use Data Processors, we require them by contract to only process data in accordance with our instructions.

Data Aggregators and Direct Marketing Campaign Providers

We use specific marketing related data processors such as Data Aggregators to assist with targeted marketing and Direct Marketing Campaign Providers to assist us by sending direct marketing messages to you or targeting directed advertising towards, or away from, you.

We also use location based service solution providers, who may be provided with your location, where you have consented to your location being accessed for marketing purposes and are then able to trigger marketing messages to be sent by our Direct Marketing Campaign Providers to You depending on your general location.

National Directory Database (NDD) and Number Portability Database

Where you have agreed to be included in our directory enquiry list your information will automatically be included in the National Directory Database (NDD) hosted by an organisation designated by the Commission for Communications Regulation. The NDD includes marketing opt-out related preferences.

Where you request to port in from another operator your existing telephony number, or where you chose to port out your existing telephone number from Three to another operator, we are obliged to facilitate such a request and share such information as is required to action that request, to the organisation designated by the Commission for Communications Regulation responsible for co-ordinating porting requests.

Legal Disclosure

Under the Communications (Retention of Data) Act, 2011, Three is obliged to disclose telecommunications data for the purpose of complying with a disclosure request for the prevention, detection, investigation or prosecution of a serious or revenue offence, for the safeguarding of the security of the State or for the saving of human life; in accordance with a court order; or as may be authorised by the Data Protection Commissioner.

Other Personal Data may be disclosed where required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid. In such cases, we will not disclose your data without first taking into account your fundamental right to Data Protection.

We may disclose Personal Data to Law enforcement agencies, government bodies, regulatory organisations, mediator/arbitrator, courts or other public authorities if we have to, or are authorised to by law. Similarly, we may disclose Personal Data to a third party or body where such disclosure is required to satisfy any applicable law, or other legal or regulatory requirement;

Connecting Calls

When you make a call, the calling line identity (CLI) of your Mobile (your mobile number) will be displayed on the Mobile of the person you call. If you do not wish your CLI to be displayed and/or transmitted you should consult your user guide or contact Customer Services. Your CLI and approximate location cannot be blocked when calling the emergency services, or when sending a text, picture, or video message.

When you make a call, it is necessary to make certain meta data relating to that call available to other networks, including foreign networks when you are roaming or making an international call.

Partner Organisations

We may disclose, subject to choices you make, Personal Data to third parties for joint promotions with that third party. The third parties will be responsible for their own compliance with applicable privacy laws. These third party organisations, which we have carefully chosen, may contact you about their products and services (which may or may not include Three products and services).

 

Data Transfers

The vast majority of your personal data is stored by Three in Ireland. When Three processes your personal data, that processing occurs in most cases in Ireland.

However, when you make an international call, or use your mobile device while roaming to make a call, send a text, or access the Internet, it is necessary for Three to make certain meta data relating to that call available to other networks, including foreign networks. In these cases the storage, treatment and transfer of your personal data may be subject to regulation different from the regulation applicable in Ireland.

Additionally, Three engages external service providers, some of whom have access to Three customer data from locations outside of the European Economic Area (the ‘EEA’). The EEA consists of the European Union member states together with Iceland, Liechtenstein and Norway. All such providers are engaged only after a full data protection and security review have been completed to ensure that any service provided complies with data protection requirements.

Three requires third parties with whom personal data is shared to comply with the Company's policies. All such third parties are bound by our contracts with them to comply with GDPR requirements.

Where the third parties are based outside of the EEA, an assessment is carried out regardingthe laws and practices of that country relating to privacy and data protection.

In some cases, the country may have been approved by the European Commission as having an adequate level of data protection. These countries include the UK and Switzerland. These “adequacy decisions” are kept under review at an EU level. An updated list of countries benefitting from an adequacy decision is available here.

For all other countries, Three has specific safeguards in place to protect your data. Three enters into the 2021 versions of the Standard Contractual Clauses (SCCs) with all non-EEA based suppliers whose country is not subject to an adequacy decision. SCCs are contractual terms approved by the European Commission, which bind our suppliers to treat your personal data to standards equivalent to those required under the GDPR. 

In response to the heightened requirements created by recent EU Court decisions, these new SCCs contain enhanced transparency obligations and more detailed clauses on data subject rights, data breach notification and rules for onward transfers. They also create obligations on the “Data Importer” in respect of requests for access to data by public authorities in the destination countries. The SCCs also require a data importer to take into account any supplemental technical and organisational security measures and additional assessments may be required to mitigate risks before transferring any personal data across borders.

Three engages a number of data processors in India, including a customer contact centre, whose agents can access customer account details for customer care purposes. For a small sub-section of customer personal data, Three engages data processors in the United States of America. Three has entered into SCCs with these suppliers and has taken steps to ensure that only the minimum necessary scope of data is made available to them.

Three also has in place supplementary measures for our non-EEA transfers, including:

• Encryption of data

• Obligations in respect of requests for access to data by public authorities

• Additional GDPR and Security Training

• Notification of any changes in local law of which Three should be aware

• Restricted access to personal data

• Physical security of business premises

• Staff vetting

Three keeps its data transfers under constant review to ensure ongoing compliance. 

 

Retention Periods

We are required under the Communications (Retention of Data) Act, 2011 to retain certain traffic related Personal Information for a period of 1 year after the relevant data was processed. Certain financial information is also required to be retained under Tax law. Otherwise, we retain your personal data for as long as necessary for the purposes for which it was collected and to provide you with our services, to secure the legitimate interests of our business or where otherwise required by law. Generally, unless otherwise stated herein, we will retain your data for the lifetime of your account with us and for a 2 year period thereafter in accordance with our information retention policy.

Your Rights regarding Your Personal Data

You have certain rights relating to processing of your personal data by Three arising from Chapter 3 of the General Data Processing Regulation. These rights include:

Right to Information

You have the right to certain information relating to processing of your personal data by Three. This Privacy Statement, along with other relevant publicly available documents, provides this information.

Right of Access

You have the right to obtain a copy of personal data which we may hold about you. Depending on your customer type and duration of tenure as customer, and on whether you were a customer of Three or of O2, different information may be held by us, and there may be “gaps” our records due to changes to our purging processes over the years. Accordingly, we will provide you, as required by law, with all data which we hold relating to you, but we may no longer have a copy of the particular record or document you are seeking.

Right to Rectification

You have the right to have any inaccurate personal data corrected or updated.

Right to Erasure (“The Right to be Forgotten”)

You have the right to have your data deleted when it is no longer required by us for a lawful purpose. Three already automatically deletes this data.

In this way, Three complies with your “Right to be Forgotten” without you having to make a request to us. Where data still needs to be kept, e.g., for a legal obligation or for legitimate business purposes we will automatically delete it as soon as this retention period ends.

Right to Restriction of Processing

You have the right to have processing of data restricted;

  • While we verify the accuracy of your data or correct it if necessary;
  • If the processing is unlawful and you request restriction of the processing rather than erasure of the personal data;
  • If we no longer need the personal data for the purposes of the processing, but you require us to retain it for the establishment, exercise or defence of legal claims; and
  • While we consider an objection made by you under your Right to Object.
Right to Data Portability

You have the right to obtain a copy of certain personal data in a commonly used, machine readable format. This right is limited to data which;

  • Was provided to us by you;
  • Is processed by us on the basis of consent or a contract; and
  • Is processed by automated means.

Three provides such information in Excel Spreadsheet format.

Right to Object

You have the right to object to the processing of your personal data which is done for the purposes of a legitimate interest or in the public interest or in exercise of official authority vested in Three as data controller. Where you object, Three shall demonstrate compelling legitimate grounds for the processing, or cease it.

You have the right to object to processing for direct marketing purposes. This right can be exercised by opting out of direct marketing using the means provided.

Right regarding Automated Decision Making

Certain decisions relating to credit scoring are based solely on the automatic processing of personal data which you provide to us as part of your application. Where such a decision is made in respect of your application, you will be notified of the outcome and given the opportunity to obtain human intervention by Three, to express your point of view and to contest the decision.

 

Exercise of your Personal Data Rights

To exercise your rights regarding your personal data please contact the Three Data Protection Team at privacy@three.ie

We may ask you to complete a form to help us identify the data you require. We may request that you provide additional information necessary to confirm your identity as the Data Subject. In the case of certain manifestly unfounded or excessive requests, we reserve the right to decline a request or to charge a reasonable administrative fee.

We will provide, if requested, your data to you within 30 days of receiving your request, except for requests which by reason of their complexity or number may take up to three months. In such cases we will notify you of any such delay within one month of receipt of the request, together with the reasons for the delay.

You should note that Three is bound to retain data for no longer than is necessary, and that certain data may therefore have been deleted by the time a request for access is made, in line with our retention rules outlined above.

 

The Right to Lodge a Complaint

If you are unsatisfied with any aspect of Three’s processing of your data, you have the right to lodge a complaint with a supervisory authority. The supervisory authority for Ireland is the Office of the Data Protection Commissioner. ( https://www.dataprotection.ie/ )

 

Relevant Terms and Conditions

You should read this Privacy Notice in conjunction with the Terms for Three Services (https://www.three.ie/legal/terms.html).

 

Changes to our Privacy Documentation

This Data Protection Notice is kept under regular review and is therefore subject to change. Amended versions of this document shall be notified through publication in the Privacy Centre on the Three website (https://www.three.ie/legal/privacy.html). This document was last amended on the 30th May, 2023.