Consumer privacy policy Business privacy policy
Who we are
BT is one of the UK’s leading telecommunications and network providers and a leading provider of global communications services and solutions. This Policy applies to all companies in the BT group that provide services to businesses and explains what personal information BT collect, use, share and otherwise process (as a data controller), about you. Where we say “BT group” we mean all our brands, including EE In the UK.
The company that is the controller of your personal information, that is, that decides the purposes for which it is processed and how, will generally be the company that you deal with as named in any terms and conditions or messages sent to you. The company that does the great majority of our trading in the UK is British Telecommunications plc. The other companies in the BT group who are the potential controllers of your personal information under this Policy are set out here .
In some circumstances, more than one controller may be responsible for processing your personal information, such as when personal information is shared with other BT group companies as set out in this Policy. If you are unsure who the controller is for the processing of your personal information, please contact us using the details set out in the how to contact us and further details section.
This privacy notice has been written in line with our obligations under the General Data Protection Regulation (GDPR), UK GDPR and the Data Protection Act 2018 as they apply in the UK. Depending on where you are based there may be local law requirements within and outside the UK which apply instead.
Additionally in the UK, there may be instances where BT plc and EE Ltd are jointly responsible for deciding what personal information is collected, used and stored about our UK business customers. This happens where we work together to give you the best customer experience and to be more efficient across our businesses to:
- Provide assistance through our customer service teams;
- Understand how business customers interact with us; and
- Understand what products and services business customers purchase and how they use our products and services
Whats covered by this policy
This Policy applies to personal information we hold about you:
- where the BT group of companies (“we” or “us”) supplies your business or organisation (“Business Customers”) with products and services, or where you enquire about products and services. This includes where you trade with us in your individual capacity as a sole trader. Such products and services may include, for example, phones, mobiles, broadband, Customer contact solutions (e.g. Cloud contact centre), Digital workplace, security, or infrastructure solutions
- where you obtain products and services from one of our Business Customers as their customer
- where we resell third-party products or services to you
- where you work for or provide services to a Business Customer, and
- where you work for or provide services to a business or organisation which we do business with, for example, where we engage your business as a supplier.
This Policy explains what personal information we collect about you, how we use it and when we may share your personal information. It also describes your data protection rights, including a right to object to some of the processing which we carry out. More information about your rights, and how to exercise them, is set out in the “Your rights to see your personal information and limit our use of it?” section. Please note this Policy doesn’t apply to the information we hold about companies or organisations (except for sole traders).
What’s not covered by this policy
This Policy doesn’t apply to:
- Consumer customers of BT, EE or Plusnet in the UK, please see:
o EE’s privacy policy, or
- BT employees
- Shareholders in BT – please see our Shareholder privacy policy
- processing of data by Openreach Limited – please see the Openreach privacy policy.
- Where you are a Business customer on a BT led contract for EE mobile services - please see BT’s privacy policy
This Policy also does not apply to BT acting as a data processor (or sub-processor), where we process data on the instructions of another data controller. That processing will be covered by a contract between us and that other person or company.
For information about how we use cookies on our websites, please refer to the relevant cookie policy on the site you are visiting.
We review our Policy regularly. It was last updated in July 2024.
What personal information we collect
We may collect, use and otherwise process the following categories of personal information:
Registration, account and contact information When you enquire about our products and services; register for or purchase them; register for an online account with us; enter a promotion or competition; download and register on one of our apps; or seek to sell products or services to us.
| This may include:
In some cases, we may need information on your gender. If you tell us you have a disability or otherwise need support, we’ll note this, but only if you give your permission or if we have to for legal or regulatory reasons. |
Information when you buy our products and services | In the UK, this may include:
|
Information about your use of our products and services
| This may include:
|
In the UK, content information
|
|
Device Information
| This may include:
|
Records of communications between us
| This may include:
|
Information from other organisations Such as data brokers, our partners (e.g. business directories), and publicly available sources like the electoral roll | This may include:
|
Information you provide when participating in customer surveys or research studies
| This may include:
|
Information about your interactions with our channels and accounts on social media sites and in third party communities and forum
| This may include:
|
Event information To enable us to organise and manage the event
| This may include:
|
Information from our building
|
|
Sources of personal information we collect
We may collect personal information:
Directly from you:
- For example, when you register as a user of one of our sites, express interest in our products or services, approach us to solicit interest in one of yours, or send us an enquiry, or where you visit one of our buildings.
From other sources:
- You may be receiving our services from one of our customers or from your employer, in which case your service provider or employer may pass personal information about you to enable us to provide service to you.
- We work closely with third parties providing services to us, and we may also receive personal information about you from them.
- From other business contacts, for example by a referral or if you are invited to participate in activities on our sites or to attend an event.
- From publicly available sources.
- From other communication providers, for example, to include your information in directory services.
- From others such as data brokers and credit reference agencies, as described in this Policy.
How we use personal information, and our legal grounds for doing so
We use your personal information for a variety of purposes related to the products and services that we provide to you or procure from you. We have set out an explanation of this below.
Where required by local law in relation to any particular type of data, BT will rely on consent for data collection, cross border transfers and sharing data with third parties as applicable.
Provision of the services
For the purposes set out below, generally, the legal basis that we rely on is that the processing is necessary to take steps at your request before entering into a contract or to perform a contract or to comply with our legal obligations. Otherwise, the legal basis is that it is in our legitimate interests to process the personal information because we have a legitimate interest in providing our products and services, contacting our customers with important notices or updates, responding to our customer queries and complaints, running, improving, and preventing harm to our business, enforcing contracts, and operating as an efficient and effective business.
Purpose | Lawful basis for processing |
Relevant categories of personal information |
Provision of products and services We use personal information to provide you with our products and services, send you product or service-information messages (e.g. confirm your order and tell you about any changes that might affect your service), manage your account and respond to your queries and complaints (including troubleshooting). In relation to our suppliers, we use personal information to receive and monitor anything you supply to us and administer our contract. We may also share your personal information with providers of products and services where we resell their products or services to you, or to another communications provider if you’re buying some services from them and us. Where you use our mobile network, we use your personal information to enable you to send and receive Rich Communication Services (“RCS”) messages from a compatible Apple device. We will share your personal information with our partner, Google, who provides the RCS service to you. See Google’s privacy notice for more information about how they handle your data. You can opt out of RCS messages at any time by going to the Messages setting in your device. |
|
|
Billing We use personal information in order to bill our services.
|
|
|
Exercise and enforce rights We may use personal information to exercise and enforce the rights granted to us under the conditions of the products and services, such as to collect debt. If a bill payer doesn’t pay bills when due, we might ask a debt-recovery agency to collect what is owed. Or we may choose to sell the debt to another organisation to allow us to receive the amount due. In either case we’ll give them information such as account and contact details, including the amount of the debt. |
|
|
Traffic data We monitor traffic over our network to provide our services without disruption. This usually does not involve the processing of personal information as we are unable to identify an individual. |
|
|
Directories In the UK, if you are a subscriber where this service is offered and you want your details included in our directory services such as our Phone Book, we’ll publish your details and we’ll share that information with other providers of directory services. Your information may also be shared with regulated third-party service providers that may use our database for credit reference checks, identity verification and fraud prevention services. |
|
|
Improving and developing our products and services
For the purposes below, we rely on legitimate interests including improving and developing our products and services, preventing harm to our business, and creating efficiencies in our business. For some types of processing, we may rely on your consent (where given) where legally required.
Purpose |
Lawful basis for processing |
Relevant categories of personal information |
Analysing, improving, personalising and evaluating our products and services We may use your personal information for the purposes of analysing, improving, personalising and evaluating our products and services, and your use of them, as well as to develop new products and services.
|
|
|
Aggregating and anonymising information In some cases we use personal information to create aggregated and anonymised information that we then use to:
You cannot be identified from this information. This helps us to provide good quality products and services, tell you about anything affecting products and services you get from or supply to us, and manage, protect and improve our network and our business. We’ll also provide other organisations with aggregated and anonymised reports. |
|
|
To run credit and fraud prevention checks on Business Customers and suppliers
For the purposes below, the legal basis that we rely on is that it is our legitimate interests to process the personal information in order to prevent harm to our business and to operate as an efficient and effective business.
Before we provide you with a product or service (including upgrades or renewals), or sometimes when you use our products and services, we’ll use the personal information you have given us together with information we have collected from credit reference agencies (such as Experian or Equifax in the UK) to carry out credit and fraud checks.
If we or a credit reference agency decide that you are a credit, fraud or money laundering risk, we may refuse to provide the services or financing you have asked for, or we may stop providing existing services to you.
If you give us false or inaccurate information which we identify as fraudulent, we’ll pass that on to fraud prevention agencies. We might also share it with law enforcement agencies, as may the agencies we have shared the information with.
You can find more information on how credit reference agencies use your personal information by reading their privacy notices. Here are the links for the main Credit Reference Agencies:
When credit reference agencies receive a search from us, a 'footprint' goes on your file which other organisations might see when they carry out a credit check.
The credit reference and fraud prevention agencies will keep a record of any fraud or money laundering risk and this may result in other organisations refusing to provide services, financing or employment to you. If you have any questions about this, please contact us using the details below.
Fraud prevention agencies can hold your personal information for different periods of time, and if you are considered to pose a fraud or money laundering risk, your information can be held by us and the organisations we share it with for up to six years.
As part of running credit and fraud prevention checks using your personal information, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making, if you have any questions about this please contact us using the details below.
Purpose |
Lawful basis for processing |
Relevant categories of personal information |
Fraud prevention and anti-money laundering We use personal information to confirm your identity, manage our credit risk, and detect and prevent fraud and money laundering.
|
|
|
Sharing information with third parties for our credit reference and fraud prevention purposes We use personal information given to us by you, credit reference agencies, trade associations (security alerts), and fraud prevention agencies. Credit reference and fraud prevention agencies will keep a record of enquiries from us, information that we provide on credit-worthiness and any fraud or money laundering risk. Other organisations might see this, which may result in them refusing to provide services, financing or employment to you. |
|
|
To prevent, detect and investigate crime and fraud (and other illegal activities)
In the cases below, we rely on necessity to comply with our legal obligations, and on our legitimate interests to protect our business interests and rights, or that of our customers and users, establish, exercise, or defend legal claims, and, by sharing your personal information with third parties, pursue available remedies or limit damage that we may sustain. We may also rely on your consent, where required, to provide information to third parties, such as other communication providers, for the purposes of maintaining the security and preventing the misuse of networks and services.
Purpose |
Lawful basis for processing |
Relevant categories of personal information |
Investigate and prevent criminal activities We may need to use personal information to detect, investigate and prevent criminal activities (see above for fraud prevention and below for misuse of our networks and services). In the UK and Ireland, if you call the emergency services, we’ll give them information about you and where you are so they can help. We do this because it is necessary to protect you, or another person, and because it is in our interests to help the emergency services in providing help to you.
|
|
|
Misuse of networks and services We monitor traffic over our network, trace nuisance or malicious calls, and track malware and cyber attacks. Where permitted by applicable laws, we may also share your personal information with others who have a legitimate interest in preventing and detecting crime, such as other communication providers and banks. |
|
|
Law enforcement and sharing information with public authorities In limited circumstances, we may also share your personal information with other public authorities (including law enforcement bodies), even if we do not have to, for example in the interests of preventing and detecting serious crime, (e.g. in case of reporting fraud/scam) or protecting national security). However, we would need to be satisfied that a request for personal information is lawful and proportionate. And we would need appropriate assurances about security and how the information is used and how long it is kept. |
|
|
Marketing and Personalised Advertising
The processing of personal information is necessary for our legitimate interests to further our commercial interests by marketing and advertising our products and services to existing customers and for the purposes of acquiring new customers and promoting the BT brand (except where consent is required).
In certain jurisdictions, for certain types of processing, such as where we send to certain types of customers direct marketing communications by email, text message or SMS, we rely on your consent (where given).
Purpose |
Lawful basis for processing |
Relevant categories of personal information |
Marketing and advertising We may use customers’ and prospective customers’ personal information for the purpose of marketing and selecting advertising of the products and services we offer that we believe you might want to hear about, including products and services from our partners which we think may interest you. We use the personal information we have about you to personalise these messages wherever we can as we believe it is important to make them relevant to you. |
|
|
Third-party marketing and advertising purposes We use third-party providers to assist us in our marketing efforts. We may therefore obtain personal information from third-party providers or provide them with personal information in order to allow them to provide their services to us. Set out below is a list of the purposes for this information sharing: Behavioural analysis
Creating profiles and segments
Advertising on platforms, including social media
We will collect information through online platforms such as: Placement targeting
Phone call conversion tracking
We may use your personal information for the purposes specified above which may involve an algorithm automatically selecting advertising which is intended to be of interest to you, however we do not make fully automated decisions that may have a legal or significant effect on you, without either your explicit consent, or where otherwise permitted by applicable law. See also the section on AdTech providers below. |
|
When you submit information on our website and have accepted cookies, we’ll also share your details in hashed form with our online platforms partners to match and compare sales records, optimise campaigns and target other users with similar profiles to yours. They can only match your details to help us if you already have an account with them. See our cookie policy to learn more. When we use the advertising tools of these online platforms, we are both responsible for your information and sometimes act jointly in making decisions about your data while using these tools. You can ask these companies directly about their use of your data. See their privacy notices for more details. Sometimes we use supplier tools to find likely matches of customers on our database (at an aggregated level) with those of our trusted publisher partners. Sharing the results from this process allows our partners to identify customers we may have in common so we can show more relevant advertising when you’re using their platforms, sites or apps. These partners may also use their own techniques to identify additional customers of theirs who share similar characteristics to any group we are targeting to help extend the reach of our personalised advertising.
|
To fulfil legal obligations
In some cases, we will need to use your personal Information to fulfil a legal obligation.
- We might have to release personal information about you to meet our legal and regulatory obligations, including to data protection authorities. For example, if you are in the UK and Ireland, and you call the emergency services using our services, we are required to give them information about where you are.
- Under investigatory powers legislation, we might have to share personal information about you with government and law-enforcement agencies, such as the police, to help detect and stop crime, prosecute offenders, and protect national security. You can read more about our approach to investigatory powers on our website
- We might have to process call data records to comply with local electronic communications legislation.
For regulatory reasons
If you are in the UK and Ireland, we’ll also use your call records and IP address to find the best way of routing your communications through the various parts of our network, equipment and systems as required by our regulator and to provide the service.
Automated decision making
For our UK customers, we use technology to make decisions automatically and to build profiles about you. This technology uses logic that analyses your preferences and how you use our products and services, which helps us to improve your customer experience, making it more relevant for you and allowing you to get the most out of our products and services. This means you’ll regularly receive from us personalised content whether in our marketing emails or when you browse our website.
You have the right to object to our use of automated decision making in some circumstances. Please remember that if you object to certain types of automated decision making, it may affect our ability to provide you with the optimum level of customer service and our ability to provide you with certain products and services.
Sharing your personal information
We may share personal information with others as follows. Where required by local law in relation to any particular type of data, BT will rely on consent for sharing data with third parties.
The BT group
We may share your personal information with other companies within the BT group for the purposes described in this Policy and where there is a legal basis to do so.
We will ensure that the personal information shared will be consistent with any permissions you have given (e.g. whether or not you wish to receive marketing communications) and any other controls you exercise with regard to our processing of your personal information (e.g. where you have chosen to opt-out of certain processing).
In relation to how we protect this personal information when we transfer it to another country, please see the section below on International transfers.
Other third party service providers
We use other providers to carry out services on our behalf or to help us provide services to you. These include to provide customer-service, infrastructure and information technology services, process payment transactions, conduct marketing and sales, administer promotions and competitions, conduct research, measurement and analytics, and derive insights.
In the UK, we also use third parties, such as BT Local Businesses and other partners, as our sales representatives to sell and market BT products and services for us to customers in the UK. BT shares customer personal data with our BT Local Businesses based on region. The BT Local Business will manage these customer accounts. To find out more about BT Local Businesses please follow the link here.
Where we use another organisation, we still control your personal information. And we have strict controls in place to make sure it’s properly protected. In relation to how we protect this information when we transfer it to another organisation for processing in another country, please see the international transfers section below.
AdTech Providers
We share certain personal information with third parties (e.g. ad agencies, advertising networks and platforms, social media platforms) for processing. The processing is generally done in a hashed or de-identified form, to provide advertising to you based on your interests, or assist with creating associated profiles and audiences for use by us and third parties on our behalf. This is subject in each case to any other controls you exercise with regard to our processing of your personal information (e.g. where you have chosen to opt-out of certain processing).
For more information on the purposes of processing, the data concerned and the basis for the processing, please see the Marketing and Personalised Advertising section above.
Change of ownership
If there’s a change (or expected change) in who owns us or any of our assets, we might share personal information with the new (or prospective) owner. If we do, they’ll have to keep it confidential.
Law enforcement bodies, the authorities, and courts
Where necessary, we disclose personal information for the prevention, investigation or prosecution of criminal activities, and in response to legal process, for example, in response to a court order or a subpoena, or in response to a regulator, government authority or law enforcement body’s request.
International transfers
The BT group is a large multinational group of companies which operates internationally. Some of the processes involved in our use of your personal information will require your personal information to be stored or processed in countries outside the country where you are located. This may include countries where the level of legal protection is different to where you are based and where you may have fewer legal rights. Where this happens, we will take the following steps to comply with the law and ensure adequate protection of your data whether transferred to an BT or non-BT company. Where required by local law in relation to any particular type of data, BT will rely on consent for cross border transfers.
Transfers of UK/EEA personal data to BT group companies
To make sure your personal information is protected no matter which company in the BT group holds that personal information, we have a group-wide arrangement, known as Binding Corporate Rules (BCRs). Our BCRs cover any transfers of personal information intra-group within the BT group, and any transfers from our customers to a BT entity (which is protected by the UK/EU General Data Protection Regulation (GDPR)). There is one set of BCRs for transfers of data out of the UK and another for transfers out of the European Economic Area (EEA).
Transfers to a non-BT company
If we transfer personal information to a company that is not in the BT group, we will put in place an appropriate transfer mechanism as required by local law, such as, in the case of a transfer out of the EEA or the UK, the relevant Standard Contractual Clauses.
If you’d like information about the documents we use to protect your personal information when it’s transferred outside your region or country, please contact us.
Protecting your information and how long we keep it
How do we protect your personal information?
We have strict security measures to protect your personal information, and standards for how we classify and handle personal information. We check your identity when you get in touch with us, and we follow our security procedures and apply suitable technical measures, such as encryption, to protect your Information.
How long do we keep your personal information?
In broad terms, we will only retain your personal information for as long as is necessary for the purposes described in this Policy. This means that the retention periods will vary according to the type of information and the reason that we have collected the information. For example, some information related to the provision to you of our products will be kept for a number of years in order to comply with various telecommunications, finance and tax related legal obligations.
We have detailed internal retention policies that set out the various retention periods for different categories of information, depending on our legal obligations and whether there is a commercial need to retain it. After a retention period has lapsed, the personal information is securely deleted, unless it is necessary for the establishment, exercise or defence of legal claims.
For further information regarding applicable retention periods, please contact us using the details set out below.
Your rights to see your personal information and limit our use of it
Subject to local data privacy laws, you may have certain rights with respect to your personal information, as set out below.
Right | Description |
Right to access data
| You can request confirmation as to whether or not we are processing personal information concerning you and (where this is the case) access to the personal information and certain other information about the processing. |
Right to correct data | You can request that we correct any errors in any personal information we hold about you. |
Right to erasure (“right to be forgotten”)
| You can ask for your personal information to be deleted. In some cases, we might keep information that you have asked us to delete. This could be for legal or regulatory reasons, so that we can keep providing our products and services where these are still required, or for another legitimate reason. For example, we keep certain billing information to show we have charged correctly. But we’ll always tell you why we keep the information. If you want us to stop using personal information we’ve collected via cookies on our website or apps, please refer to the relevant cookie policy on the site you are visiting. |
Right to portability
| The right in some cases to receive your personal information in a digital format or to have it transmitted directly to another controller (where technically feasible). |
Right to object to processing, including marketing
| The right to object (on grounds relating to your particular situation) to the processing of your personal information on the basis of our legitimate interests, including for direct marketing purposes. You can opt out of receiving marketing from us using the unsubscribe link in the email or opt-out code in the SMS we send you. Alternatively, if you are a UK customer, you can give us a call on 0800 800 152 to let us know whether you’re happy to hear from us by email, text, post, or telephone. You may also let us know if you want us to stop using information about how you use our products and services for marketing purposes or profiling you for marketing purposes. For more information about how we use your information for marketing purposes, please see above. |
Right to withdraw consent | You can withdraw your consent at any time in respect of any processing which is based upon your consent. |
UK Customers: To exercise these rights, you can do the following:
If you want a copy of your billing information, the number to call as business customer is 0800 800 152.
If you want to see what contact information we hold about you, you can also log in to your account. It’s quick and simple to access it this way.
If you want a copy of the information we hold about you, or you would like to ask us to correct, complete, delete or stop using any personal information we hold about you, you can contact us here.
If you work for one of our corporate customers, where possible, please ask your employer – they’ll ask for this on your behalf.
Please contact us here or see our list of controllers for further ways to contact us in some specific territories.
We will assess any request to exercise these rights on a case-by-case basis and we may ask you for proof of identity or other information before doing so.
There may be circumstances in which we are not legally required to comply with a request because of relevant exemptions. In some instances, this may mean that we are able to retain your information even if you withdraw your consent.
We aim to provide our products and services in a way that protects personal information and respects your request. Because of this, when you delete or change your information from our systems (or ask us to), we might not do so straight away from our back-up systems or copies on our active servers. And we may need to keep some information to fulfil your request, for example, keeping your email address to make sure it’s not on our marketing list.
Where we can, we’ll confirm any changes. For example, we’ll check a change of address against any authoritative postal address file, or we might ask you to confirm it.
We’ll always try to help you with your request. But we may refuse all or part of your request if sharing the information would have a negative effect on others, for example because it includes personal information about someone else, or the law prevents us from doing so.
It will normally take us up to one month to get back to you but could take longer (up to a further two months) if it’s a complicated request or we receive a lot of requests at once.
How will we tell you about changes to this policy?
Our Policy might change from time to time. We will take reasonable measures to communicate any substantial changes we make to this Policy, for example, by posting an update on our websites, or sending you an updated version of the Policy.
You can contact us here. We’re always interested in hearing your questions and comments about our Policy and you can use these contact details to exercise your rights or find out more about the controller for your personal information.
Alternatively, you can write to us at:
BT Data Legal Team
Floor 16
1 Braham Street
London
E1 8EE
If you want to make a complaint on how we have handled your personal information, please contact us in the first instance here, and we will investigate the matter and report back to you. (Or see our list of controllers) for further ways to contact us in some specific territories. If you are still not satisfied after our response, you also have the right to complain to your data-protection regulator. Please contact us for details on how to contact your local data protection regulator.