Three Website Privacy Notice
About this Privacy Statement
This privacy notice explains the kinds of information we may obtain from or about you as a visitor to our websites and pages on social media or as a user of our mobile or other applications (collectively, our “website”); how we may use that information (together with information provided offline or via other means); and who we may share that information with.
Each time you access, browse and/or use our website you agree to the following terms. If you do not agree you must cease to use our website. We are not responsible for the content or privacy practices of other websites.
This website privacy notice relates solely to processing of information via this website.
Main Privacy Notice Reference
This Privacy Notice is subsidiary, and in addition, to the Three Privacy Statement, and other relevant Privacy Notices, available on the Privacy Centre section of the Three website (https://www.three.ie/legal/privacy/ ).
Depending on whether you are a customer of Three Ireland (Hutchison) Limited, or Three Ireland Services (Hutchison) Limited (formerly O2), one or both of those companies is the “Data Controller” in respect of this data. If you are not a customer of either of these companies then Three Ireland (Hutchinson) Limited is the "Data Controller" for the purposes of this Privacy Notice. This Privacy Notice applies to both companies, and collectively refers them as “Three”.
You can contact Three in a number of ways, which are set out on the contact page of our website (https://www.three.ie/contact-us.html)
In accordance with Article 37 of the GDPR, Three has appointed a Data Protection Officer. If you wish to contact our Data Protection Officer in relation to the processing of your personal data by Three, you can do so by e-mailing: firstname.lastname@example.org
About Data Protection
Three processes personal data in accordance with the requirements of Data Protection law. This law includes the Irish Data Protection Acts and the EU General Data Protection Regulation (“GDPR”).
Under Data Protection law, you are the “Data Subject” in respect of any personal data relating to you. “Personal Data” is any information which relates to an identifiable natural person. It does not include information relating to a company or other legal entity.
Three may engage third parties (other than its own employees) to provide services to it. Any of those third parties who process personal data on our behalf is a “Data Processor”.
“Processing” means any action performed on personal data, including collection, storage, copying, consulting, disclosure or destruction.
Processing of Your Data
We have extensive controls in place to maintain the security of our information and information systems. Client files are protected with safeguards according to the sensitivity of the relevant information. Appropriate controls (such as restricted access) are placed on our computer systems. Physical access to areas where Personal Data is gathered, processed or stored is limited to authorised employees.
As a condition of employment, Three employees are required to follow all applicable laws and regulations, including in relation to data protection law. Access to sensitive Personal Data is limited to those employees who need it to perform their roles. Unauthorised use or disclosure of confidential client information by a Three employee is prohibited and may result in disciplinary measures.
When you contact a Three employee about your Personal Information, you may be asked for some Personal Data to validate your identity. This type of safeguard is designed to ensure that only you, or someone authorised by you, has access to your file.
Processing of Children’s Data
Our Service is not intended for individuals under the age of 16 without the permission of their parents or guardians. We do not knowingly collect or solicit information from anyone under the age of 16. In the event that we learn that we have inadvertently collected personal information from a child under the age of 16, we will delete that information as quickly as possible. If you believe that we might have information from a child under 16, please contact us. Protecting the privacy of children is very important to us. Thus, if we obtain actual knowledge that a user is under 16 and does not have parental permission to use our services, we will take steps to remove that user's Personal Information from our databases. We require that anyone under the age of 16 obtain their parent or guardian's permission before submitting their information to us.
How Three Processes Your Data
We may collect and process the following data through our website (and combine this with data provided offline through your interactions with us):
- Any information provided by or about you through our website including competitions, comment boxes, forms, links, website usage or any other means.
- If any person contacts us via phone, email, post, surveys, through our website or otherwise, we may keep a record of that correspondence.
- Where you purchase any products or services from us, we collect your data in relation to that product or service as set out in this policy and our contract with you for that product or service.
- Three provides channels of social media communications in order to provide information regarding our services; respond to queries; and to deliver customer care to our customers. Three may retain any interactions with customers via any of its social media channels as part of your customer care history, along with your interactions with customer care via any other channel. Social media interactions with non-customers will be retained for a maximum period of 3 months for the relevant purposes set out below.
We will only collect personal information from or about you which is necessary to:
- process any applications for 3 Services made by you via this site;
- conduct a credit and fraud prevention check with a credit reference agency, if you apply for a monthly price plan account. The agency will supply us with information about you to help us verify your identity and decide whether to accept your application or future applications. The Agency will record details of our search and your application whether your application is successful or not. We will use a combination of credit scoring and/or automated decision making systems when assessing your application. This information will be available to other lenders;
- set up and administer your account;
- provide customer services and respond to and resolve any enquiries or complaints;
- provide any products, services or information requested by you;
- conduct analysis for traffic and billing management, and to support product development;
- contact you for market research purposes;
- conduct customer satisfaction surveys;
- personalise your experience on our website;
- provide and conduct competitions and similar offers;
- keep you up to date by post, telephone, email, and direct to your handset by text, picture, video and audio message or pop-up with information About Three, 3 services, and offers and promotions subject to any marketing preferences indicated by you. It's your choice and you’re in control - you can contact us at any time to update your preferences through My3, using the opt-out links on any email or SMS you receive or by writing to or calling customer services. Please note that where you opt out of all marketing from Three you will still receive service communications from Three (for example, billing communications); and
Anonymised Data Sharing
Three anonymises and aggregates your data on an ongoing basis. The data is 'de-identified' using established data processing techniques to a point where the data subject is no longer identifiable or capable of being 'Singled-Out'. Such anonymised data includes traffic, billing, and location data. The anonymised data may then be statistically analysed in an aggregate format by Three in order to generate data insights to carry out research on, or profile, use of our products and services. Three may share these insights with affiliates and third parties for review, planning, public policy and commercial purposes, subject to strict rules to safeguard the data from deanonymisation.
Disclosure of Your Data to Others
We may disclose your information to other members of our group of companies, and to our or their partners, associates, agents or subcontractors and to possible successors to our business.
Three uses service providers to assist in providing services to you, and some of these process your personal data on our behalf. These Data Processors provide a range of services to Three, including deliveries, cloud computing, data storage, document shredding, outsourced IT services, outsourced customer services, repairs of hardware, franchise store operators, security providers, consultants and professional advisors. Where we use Data Processors, we require them by contract to only process data in accordance with our instructions.
Data Aggregators and Direct Marketing Campaign Providers
We use specific marketing related data processors such as Data Aggregators to assist with targeted marketing and Direct Marketing Campaign Providers to assist us by sending direct marketing messages to you or targeting directed advertising towards, or away from, you.
We also use location based service solution providers, who may be provided with your location, where you have consented to your location being accessed for marketing purposes and are then able to trigger marketing messages to be sent by our Direct Marketing Campaign Providers to You depending on your general location.
Personal Data may be disclosed where required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid. In such cases, we will not disclose your data without first taking into account your fundamental right to Data Protection.
We may disclose Personal Data to Law enforcement agencies, government bodies, regulatory organisations, mediator/arbitrator, courts or other public authorities if we have to, or are authorised to by law. Similarly, we may disclose Personal Data to a third party or body where such disclosure is required to satisfy any applicable law, or other legal or regulatory requirement;
We may disclose, subject to choices you make, Personal Data to third parties for joint promotions with that third party. The third parties will be responsible for their own compliance with applicable privacy laws. These third party organisations, which we have carefully chosen, may contact you about their products and services (which may or may not include Three products and services).
Transfer of Data to Third Countries
Some of the Data Processors we use are based outside the European Economic Area (the ‘EEA’) which consists of the European Union Member States together with Iceland, Liechtenstein and Norway. When we transfer to or allow access to personal data from such countries, we ensure that adequate contractual and technical safeguards to carry out these transfers in accordance with applicable data protection law are in place to protect your information.
We retain your personal data for as long as necessary for the purposes for which it was collected and to provide you with our services, to secure the legitimate interests of our business or where otherwise required by law. Generally, unless otherwise stated herein, we will retain your data for a 2 year period thereafter in accordance with our information retention policy, a copy of which, with information relevant to You, is available on request.
Your Rights regarding Your Personal Data
You have certain rights relating to processing of your personal data by Three arising from Chapter 3 of the General Data Processing Regulation. These rights include:
Right to Information
You have the right to certain information relating to processing of your personal data by Three. This Privacy Statement, along with other relevant publicly available documents, provides this information.
Right of Access
You have the right to obtain a copy of personal data which we may hold about you. Depending on your customer type and duration of tenure as customer, and on whether you were a customer of Three or of O2, different information may be held by us, and there may be “gaps” our records due to changes to our purging processes over the years. Accordingly, we will provide you, as required by law, with all data which we hold relating to you, but we may no longer have a copy of the particular record or document you are seeking.
Right to Rectification
You have the right to have any inaccurate personal data corrected or updated.
Right to Erasure (“The Right to be Forgotten”)
You have the right to have your data deleted when it is no longer required by us for a lawful purpose. Three already automatically deletes this data.
In this way, Three complies with your “Right to be Forgotten” without you having to make a request to us. Where data still needs to be kept, e.g., for a legal obligation or for legitimate business purposes we will automatically delete it as soon as this retention period ends.
Right to Restriction of Processing
You have the right to have processing of data restricted;
- While we verify the accuracy of your data or correct it if necessary;
- If the processing is unlawful and you request restriction of the processing rather than erasure of the personal data;
- If we no longer need the personal data for the purposes of the processing, but you require us to retain it for the establishment, exercise or defence of legal claims; and
- While we consider an objection made by you under your Right to Object.
Right to Data Portability
You have the right to obtain a copy of certain personal data in a commonly used, machine readable format. This right is limited to data which;
- Was provided to us by you;
- Is processed by us on the basis of consent or a contract; and
- Is processed by automated means.
Three provides such information in Excel Spreadsheet format.
Right to Object
You have the right to object to the processing of your personal data which is done for the purposes of a legitimate interest or in the public interest or in exercise of official authority vested in Three as data controller. Where you object, Three shall demonstrate compelling legitimate grounds for the processing, or cease it.
You have the right to object to processing for direct marketing purposes. This right can be exercised by opting out of direct marketing using the means provided.
Right regarding Automated Decision Making
Certain decisions relating to credit scoring are based solely on the automatic processing of personal data which you provide to us as part of your application. Where such a decision is made in respect of your application, you will be notified of the outcome and given the opportunity to obtain human intervention by Three, to express your point of view and to contest the decision.
Exercise of your Personal Data Rights
To exercise your rights regarding your personal data please contact the office of the Three Data Protection Officer at email@example.com
We may ask you to complete a form to help us identify the data you require. We may request that you provide additional information necessary to confirm your identity as the Data Subject. In the case of certain manifestly unfounded or excessive requests, we reserve the right to decline a request or to charge a reasonable administrative fee.
We will provide, if requested, your data to you within 30 days of receiving your request, except for requests which by reason of their complexity or number may take up to three months. In such cases we will notify you of any such delay within one month of receipt of the request, together with the reasons for the delay.
You should note that Three is bound to retain data for no longer than is necessary, and that certain data may therefore have been deleted by the time a request for access is made, in line with our retention rules outlined above.
The Right to Lodge a Complaint
If you are unsatisfied with any aspect of Three’s processing of your data, you have the right to lodge a complaint with a supervisory authority. The supervisory authority for Ireland is the Office of the Data Protection Commissioner. ( https://www.dataprotection.ie/ )
Relevant Terms and Conditions
You should read this Privacy Notice in conjunction with the Terms for Three Services (https://www.three.ie/legal/terms.html).
Changes to our Privacy Documentation
This Data Protection Notice is kept under regular review and is therefore subject to change. Amended versions of this document shall be notified through publication in the Privacy Centre on the Three website (https://www.three.ie/legal/privacy.html). This document was last reviewed on the 12th of April 2021.