BT's Business Privacy Policy

Consumer Policy      Business Policy 

 

Who we are

BT is one of the UK’s leading telecommunications and network providers and a leading provider of global communications services and solutions. This Policy applies to all companies in the BT group that provide services to businesses and explains what personal information BT collect, use, share and otherwise process (as a data controller), about you. Where we say “BT group” we mean all our brands, including EE In the UK.

The company that is the controller of your personal information, that is, that decides the purposes for which it is processed and how, will generally be the company that you deal with as named in any terms and conditions or messages sent to you. The company that does the great majority of our trading in the UK is British Telecommunications plc. The other companies in the BT group who are the potential controllers of your personal information under this Policy are set out here . 

In some circumstances, more than one controller may be responsible for processing your personal information, such as when personal information is shared with other BT group companies as set out in this Policy. If you are unsure who the controller is for the processing of your personal information, please contact us using the details set out in the how to contact us and further details section.

This privacy notice has been written in line with our obligations under the General Data Protection Regulation (GDPR), UK GDPR and the Data Protection Act 2018 as they apply in the UK. Depending on where you are based there may be local law requirements within and outside the UK which apply instead. 

Whats covered by this policy

This Policy applies to personal information we hold about you:

  • where the BT group of companies (“we” or “us”) supplies your business or organisation (“Business Customers”) with products and services, or where you enquire about products and services. This includes where you trade with us in your individual capacity as a sole trader. Such products and services may include, for example, phones, mobiles, broadband, Customer contact solutions (e.g. Cloud contact centre), Digital workplace, security, or infrastructure solutions
  • where you obtain products and services from one of our Business Customers as their customer
  • where we resell third-party products or services to you
  • where you work for or provide services to a Business Customer, and
  • where you work for or provide services to a business or organisation which we do business with, for example, where we engage your business as a supplier.

 

This Policy explains what personal information we collect about you, how we use it and when we may share your personal information. It also describes your data protection rights, including a right to object to some of the processing which we carry out. More information about your rights, and how to exercise them, is set out in the “Your rights to see your personal information and limit our use of it?” section. Please note this Policy doesn’t apply to the information we hold about companies or organisations (except for sole traders).  

What's not covered by this policy

This Policy doesn’t apply to:

  • Consumer customers of BT, EE or Plusnet in the UK, please see:

o   BT’s privacy policy,

o   EE’s privacy policy, or

o   Plusnet’s privacy policy

This Policy also does not apply to BT acting as a data processor (or sub-processor), where we process data on the instructions of another data controller. That processing will be covered by a contract between us and that other person or company.

For information about how we use cookies on our websites, please refer to the relevant cookie policy on the site you are visiting.

We review our Policy regularly. It was last updated in December 2022.

What personal information we collect

We may collect, use and otherwise process the following categories of personal information:

Registration, account and contact information

When you enquire about our products and services; register for or purchase them; register for an online account with us; enter a promotion or competition; download and register on one of our apps; or seek to sell products or services to us.

 

 

 

 

 

 

This may include:

  • job title
  • email address
  • name
  • title
  • username
  • telephone number
  • postal address
  • date of birth
  • password
  • security credentials

In some cases, we may need information on your gender.

If you tell us you have a disability or otherwise need support, we’ll note this, but only if you give your permission or if we have to for legal or regulatory reasons.

Information when you buy our products and services

 

 

 

In the UK, this may include:

  • payment information for credit checks
  • payment and financial information for billing purposes
  • contact details
  • date of birth
  • recent home addresses
  • information from credit reference and fraud prevention agencies

Information about your use of our products and services

 

 

 

 

This may include:

  • IP address (which may identify an individual)
  • call records (meaning the date, time, length and cost of your communications)
  • the location the call was made to and from
  • the network used and the type of communication (including when you make calls abroad)
  • information from cookies and similar technologies placed on your connected devices

In the UK, content information

  • Content of SMS you send and receive using our network, to the extent permitted by law

Device Information

 

 

 

 

 

 

 

 

This may include:

  • where you use our products and services, the MAC address, MSISDN, IMEI, IMSI and advertising identifiers for your device
  • MAC address (media access control address) is a unique identifier assigned to a network connection made to a device
  • MSISDN (mobile station international subscriber directory number) means a mobile phone number that uniquely identifies a service subscription
  • IMEI (international mobile equipment identity) is a unique number given to every single mobile-phone handset
  • IMSI (international mobile subscriber identity) is a unique number identifying a mobile subscriber
  • hardware manufacturer, model, and operating system version for the device

 

Records of communications between us

 

 

 

This may include:

  • emails
  • call recordings when you contact us, or one of our third-party sales agents, through our customer call centres
  • messages through social media sites or via webchats
  • records of any settings or marketing or communication preferences you choose

 

Information from other organisations

Such as data brokers, our partners (e.g. business directories), and publicly available sources like the electoral roll

This may include:

  • electoral roll information to the extent permitted by law
  • contact information

 

Information you provide when participating in customer surveys or research studies

 

This may include:

  • any personal information provided online or in writing
  • where applicable, personal information provided in any audio or video responses

 

Information about your interactions with our channels and accounts on social media sites and in third party communities and forums

 

This may include:

  • where you “like” one of our posts
  • any posts where you reference the BT group
  • details about yourself such as your name and user ID

 

Event information

To enable us to organise and manage the event

 

This may include:

  • information on your attendance
  • food allergies and other individual requirements
  • any images or videos captured at the event by us or a third party on our behalf

 

 Information from our buildings

 

  • CCTV footage from our buildings
  • Contact details, Names, Job title, E-mail address, Date of entry and leave, Purpose of visit.

 

 

Sources of personal information we collect

We may collect personal information:

Directly from you:

  • For example, when you register as a user of one of our sites, express interest in our products or services, approach us to solicit interest in one of yours, or send us an enquiry, or where you visit one of our buildings. 

 

From other sources:

  • You may be receiving our services from one of our customers or from your employer, in which case your service provider or employer may pass personal information about you to enable us to provide service to you.
  • We work closely with third parties providing services to us, and we may also receive personal information about you from them.
  • From other business contacts, for example by a referral or if you are invited to participate in activities on our sites or to attend an event.
  • From publicly available sources.
  • From other communication providers, for example, to include your information in directory services.
  • From others such as data brokers and credit reference agencies, as described in this Policy.

 

How we use personal information, and our legal grounds for doing so

We use your personal information for a variety of purposes related to the products and services that we provide to you or procure from you. We have set out an explanation of this below.

Where required by local law in relation to any particular type of data, BT will rely on consent for data collection, cross border transfers and sharing data with third parties as applicable.

Provision of the services

For the purposes set out below, generally, the legal basis that we rely on is that the processing is necessary to take steps at your request before entering into a contract or to perform a contract or to comply with our legal obligations. Otherwise, the legal basis is that it is in our legitimate interests to process the personal information because we have a legitimate interest in providing our products and services, contacting our customers with important notices or updates, responding to our customer queries and complaints, running, improving, and preventing harm to our business, enforcing contracts, and operating as an efficient and effective business.

Billing

We use personal information in order to bill our services.

 

 

  • Necessary for the performance of the contract

 

 

  • Registration, account and contact information
  • Payment and financial information
  • Information about your use of our products and services

Exercise and enforce rights

We may use personal information to exercise and enforce the rights granted to us under the conditions of the products and services, such as to collect debt. If a bill payer doesn’t pay bills when due, we might ask a debt-recovery agency to collect what is owed. Or we may choose to sell the debt to another organisation to allow us to receive the amount due. In either case we’ll give them information such as account and contact details, including the amount of the debt.

  • Necessary for the performance of the contract
  • Legitimate interests
  • Registration, account and contact information
  • Information about your use of our products and services

Traffic data

We monitor traffic over our network to provide our services without disruption. This usually does not involve the processing of personal information as we are unable to identify an individual.

  • Necessary for the performance of the contract
  • Legal obligation

 

 

  • Information about your use of our products and services

Directories

In the UK, if you are a subscriber where this service is offered and you want your details included in our directory services such as our Phone Book, we’ll publish your details and we’ll share that information with other providers of directory services.

Your information may also be shared with regulated third-party service providers that may use our database for credit reference checks, identity verification and fraud prevention services.

 

  • Consent

 

  • Contact information

Improving and developing our products and services

For the purposes below, we rely on legitimate interests including improving and developing our products and services, preventing harm to our business, and creating efficiencies in our business. For some types of processing, we may rely on your consent (where given) where legally required.

Purpose

Lawful basis for processing

Relevant categories of personal information

Analysing, improving, personalising and evaluating our products and services

We may use your personal information for the purposes of analysing, improving, personalising and evaluating our products and services, and your use of them, as well as to develop new products and services.

 

 

 

 

 

  • Legitimate interests
  • Consent (where required)
  • Registration, account and contact information
  • Information about what you buy from us, how you ordered and pay for it, and your use of our products and services
  • Information when you buy our products and services
  • Information about your use of our products and services
  • Records of communications between us
  • Information from other organisations
  • Information you provide when participating in customer surveys or research studies
  • Device Information

Aggregating and anonymising information

In some cases we use personal information to create aggregated and anonymised information that we then use to:

  • improve our products and services and business
  • run management and corporate reporting, research, and analytics

You cannot be identified from this information.

This helps us to provide good quality products and services, tell you about anything affecting products and services you get from or supply to us, and manage, protect and improve our network and our business.

We’ll also provide other organisations with aggregated and anonymised reports.

  • Legitimate interests
  • Consent
  • Information about what you buy from us, how you ordered and pay for it, and your use of our products and services
  • Device Information

To run credit and fraud prevention checks on Business Customers and suppliers

For the purposes below, the legal basis that we rely on is that it is our legitimate interests to process the personal information in order to prevent harm to our business and to operate as an efficient and effective business.

As part of running credit and fraud prevention checks using your personal information, decisions may be made by automated means.  This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making, if you have any questions about this please contact us using the details below.

Purpose

Lawful basis for processing

Relevant categories of personal information

Fraud prevention and anti-money laundering

We use personal information to confirm your identity, manage our credit risk, and detect and prevent fraud and money laundering.

 

 

 

  • Legitimate interests

 

  • Registration, account and contact information
  • Financial information
  • Information when you buy our products and services
  • Information from other organisations

Sharing information with third parties for our credit reference and fraud prevention purposes

We use personal information given to us by you, credit reference agencies, trade associations (security alerts), and fraud prevention agencies. Credit reference and fraud prevention agencies will keep a record of enquiries from us, information that we provide on credit-worthiness and any fraud or money laundering risk.

Other organisations might see this, which may result in them refusing to provide services, financing or employment to you. 

  • Legitimate interests
  • Registration, account and contact information
  • Information when you buy our products and services
  • Information from other organisations

To prevent, detect and investigate crime and fraud (and other illegal activities)

In the cases below, we rely on necessity to comply with our legal obligations, and on our legitimate interests to protect our business interests and rights, or that of our customers and users, establish, exercise, or defend legal claims, and, by sharing your personal information with third parties, pursue available remedies or limit damage that we may sustain. We may also rely on your consent, where required, to provide information to third parties, such as other communication providers, for the purposes of maintaining the security and preventing the misuse of networks and services.

Purpose

Lawful basis for processing

Relevant categories of personal information

Investigate and prevent criminal activities

We may need to use personal information to detect, investigate and prevent criminal activities (see above for fraud prevention and below for misuse of our networks and services).

In the UK and Ireland, if you call the emergency services, we’ll give them information about you and where you are so they can help. We do this because it is necessary to protect you, or another person, and because it is in our interests to help the emergency services in providing help to you.

 

 

 

 

 

 

 

 

 

 

 

  • Legal obligation
  • Legitimate interests

 

  • Registration, account and contact information
  • Your payment and financial information
  • Information when you buy our products and services
  • Information about your use of our products and services
  • Device information
  • Records of communications between us
  • Publicly available information from other organisations (for example: credit reference and fraud prevention agencies)
  • CCTV footage from our buildings
  • Call records - the date, time, length and cost of your communications, device information, the location of your device from Cell Site data (the antennae and communications equipment that we use to create the cellular network), where the call was made to and from, the network used and the type of communication, including when you make calls abroad.

 

Misuse of networks and services

We monitor traffic over our network, trace nuisance or malicious calls, and track malware and cyber-attacks.

Where permitted by applicable laws, we may also share your personal information with others who have a legitimate interest in preventing and detecting crime, such as other communication providers and banks.

  • Legitimate interests
  • Consent
  • Legal obligation 

 

  • Information about your use of our products and services
  • Device information
  • Internet traffic (including IP address where this is personal information) 
  • Call records as described above

Law enforcement and sharing information with public authorities

In limited circumstances, we may also share your personal information with other public authorities (including law enforcement bodies), even if we do not have to, for example in the interests of preventing and detecting serious crime, (e.g. in case of reporting fraud/scam) or protecting national security). However, we would need to be satisfied that a request for personal information is lawful and proportionate. And we would need appropriate assurances about security and how the information is used and how long it is kept.

  • Legal obligation
  • Legitimate interests
  • Consent

 

  • Registration, account and contact information (including gender)
  • Information when you buy our products and services
  • Information about your use of our products and services
  • Device information
  • Records of communications between us
  • Information from other organisations
  • Content information
  • Call records as described above

Marketing and Personalised Advertising

The processing of personal information is necessary for our legitimate interests to further our commercial interests by marketing and advertising our products and services to existing customers and for the purposes of acquiring new customers and promoting the BT brand (except where consent is required).

In certain jurisdictions, for certain types of processing, such as where we send to certain types of customers direct marketing communications by email, text message or SMS, we rely on your consent (where given).

Purpose

Lawful basis for processing

Relevant categories of personal information

Marketing and advertising

We may use customers’ and prospective customers’ personal information for the purpose of marketing and selecting advertising of the products and services we offer that we believe you might want to hear about, including products and services from our partners which we think may interest you.

We use the personal information we have about you to personalise these messages wherever we can as we believe it is important to make them relevant to you.

  • Legitimate interests
  • Consent (where required)
  • Registration, account and contact information
  • Information about your use of our products and services

Third-party marketing and advertising purposes

We use third-party providers to assist us in our marketing efforts. We may therefore obtain personal information from third-party providers or provide them with personal information in order to allow them to provide their services to us.

Set out below is a list of the purposes for this information sharing:

Behavioural analysis

  • to understand the behaviours of users on our site and to optimise the user experience, including through the use of tags
  • for campaign attribution
  • to understand the return on investment of our media campaigns
  • to optimise our ads and remarket our products to targeted audiences

Creating profiles and segments

  • to create a profile about you to better understand you based on what you have ordered from us and how you use our products and services
  • to tailor the offers we share with you and give you more relevant advertising
  • to create targeted audiences of users who have opted-in to our website cookies

Advertising on platforms, including social media

  • to reach relevant users with enterprise/business offerings
  • to build the awareness and engagement for our products
  • to drive brand awareness and sales

Placement targeting

  • to ensure our advert placements are next to the appropriate content

Phone call conversion tracking

  • If you are in the UK, we carry out phone call conversion tracking to see how effectively ad clicks lead to different kinds of phone calls 

We may use your personal information for the purposes specified above which may involve an algorithm automatically selecting advertising which is intended to be of interest to you, however we do not make fully automated decisions that may have a legal or significant effect on you, without either your explicit consent, or where otherwise permitted by applicable law.

See also the section on AdTech providers below.

  • Legitimate interests
  • Consent (where required)
  • Registration, account and contact information
  • Information about your use of our products and services

To fulfil legal obligations

In some cases, we will need to use your personal Information to fulfil a legal obligation.

  • We might have to release personal information about you to meet our legal and regulatory obligations, including to data protection authorities. For example, if you are in the UK and Ireland, and you call the emergency services using our services, we are required to give them information about where you are.   
  • Under investigatory powers legislation, we might have to share personal information about you with government and law-enforcement agencies, such as the police, to help detect and stop crime, prosecute offenders, and protect national security. You can read more about our approach to investigatory powers on our website
  • We might have to process call data records to comply with local electronic communications legislation.

For regulatory reasons

If you are in the UK and Ireland, we’ll also use your call records and IP address to find the best way of routing your communications through the various parts of our network, equipment and systems as required by our regulator and to provide the service. 

Sharing your personal information

We may share personal information with others as follows. Where required by local law in relation to any particular type of data, BT will rely on consent for sharing data with third parties.

The BT group

We may share your personal information with other companies within the BT group for the purposes described in this Policy and where there is a legal basis to do so.

We will ensure that the personal information shared will be consistent with any permissions you have given (e.g. whether or not you wish to receive marketing communications) and any other controls you exercise with regard to our processing of your personal information (e.g. where you have chosen to opt-out of certain processing).

In relation to how we protect this personal information when we transfer it to another country, please see the section below on International transfers.

Other third party service providers

We use other providers to carry out services on our behalf or to help us provide services to you. These include to provide customer-service, infrastructure and information technology services, process payment transactions, conduct marketing and sales, administer promotions and competitions, conduct research, measurement and analytics, and derive insights.

In the UK, we also use third parties, such as BT Local Businesses and other partners, as our sales representatives to sell and market BT products and services for us to customers in the UK.

Where we use another organisation, we still control your personal information. And we have strict controls in place to make sure it’s properly protected. In relation to how we protect this information when we transfer it to another organisation for processing in another country, please see the international transfers section below.

AdTech Providers

We share certain personal information with third parties (e.g. ad agencies, advertising networks and platforms, social media platforms) for processing. The processing is generally done in a hashed or de-identified form, to provide advertising to you based on your interests, or assist with creating associated profiles and audiences for use by us and third parties on our behalf. This is subject in each case to any other controls you exercise with regard to our processing of your personal information (e.g. where you have chosen to opt-out of certain processing).

For more information on the purposes of processing, the data concerned and the basis for the processing, please see the Marketing and Personalised Advertising section above.

Change of ownership

If there’s a change (or expected change) in who owns us or any of our assets, we might share personal information with the new (or prospective) owner. If we do, they’ll have to keep it confidential.

Law enforcement bodies, the authorities, and courts

Where necessary, we disclose personal information for the prevention, investigation or prosecution of criminal activities, and in response to legal process, for example, in response to a court order or a subpoena, or in response to a regulator, government authority or law enforcement body’s request.

International transfers

The BT group is a large multinational group of companies which operates internationally. Some of the processes involved in our use of your personal information will require your personal information to be stored or processed in countries outside the country where you are located. This may include countries where the level of legal protection is different to where you are based and where you may have fewer legal rights. Where this happens, we will take the following steps to comply with the law and ensure adequate protection of your data whether transferred to an BT or non-BT company. Where required by local law in relation to any particular type of data, BT will rely on consent for cross border transfers.

Transfers of UK/EEA personal data to BT group companies

To make sure your personal information is protected no matter which company in the BT group holds that personal information, we have a group-wide arrangement, known as Binding Corporate Rules (BCRs). Our BCRs cover any transfers of personal information intra-group within the BT group, and any transfers from our customers to a BT entity (which is protected by the UK/EU General Data Protection Regulation (GDPR)). There is one set of BCRs for transfers of data out of the UK and another for transfers out of the European Economic Area (EEA).

Transfers to a non-BT company

If we transfer personal information to a company that is not in the BT group, we will put in place an appropriate transfer mechanism as required by local law, such as, in the case of a transfer out of the EEA or the UK, the relevant Standard Contractual Clauses.

If you’d like information about the documents we use to protect your personal information when it’s transferred outside your region or country, please contact us.

Protecting your information and how long we keep it

How do we protect your personal information?

We have strict security measures to protect your personal information, and standards for how we classify and handle personal information. We check your identity when you get in touch with us, and we follow our security procedures and apply suitable technical measures, such as encryption, to protect your Information.

How long do we keep your personal information?

In broad terms, we will only retain your personal information for as long as is necessary for the purposes described in this Policy. This means that the retention periods will vary according to the type of information and the reason that we have collected the information. For example, some information related to the provision to you of our products will be kept for a number of years in order to comply with various telecommunications, finance and tax related legal obligations.

We have detailed internal retention policies that set out the various retention periods for different categories of information, depending on our legal obligations and whether there is a commercial need to retain it. After a retention period has lapsed, the personal information is securely deleted, unless it is necessary for the establishment, exercise or defence of legal claims.

For further information regarding applicable retention periods, please contact us using the details set out below.

Your rights to see your personal information and limit our use of it

Subject to local data privacy laws, you may have certain rights with respect to your personal information, as set out below.

Right

Description

Right to access data

You can request confirmation as to whether or not we are processing personal information concerning you and (where this is the case) access to the personal information and certain other information about the processing.

Right to correct data

You can request that we correct any errors in any personal information we hold about you.

Right to erasure (“right to be forgotten”)

You can ask for your personal information to be deleted. In some cases, we might keep information that you have asked us to delete. This could be for legal or regulatory reasons, so that we can keep providing our products and services where these are still required, or for another legitimate reason. For example, we keep certain billing information to show we have charged correctly. But we’ll always tell you why we keep the information.

If you want us to stop using personal information we’ve collected via cookies on our website or apps, please refer to the relevant cookie policy on the site you are visiting.

Right to portability

The right in some cases to receive your personal information in a digital format or to have it transmitted directly to another controller (where technically feasible).

Right to object to processing, including marketing

The right to object (on grounds relating to your particular situation) to the processing of your personal information on the basis of our legitimate interests, including for direct marketing purposes. You can opt out of receiving marketing from us using the unsubscribe link in the email or opt-out code in the SMS we send you.

Alternatively, if you are a UK customer,  you can give us a call on 0800 800 152 to let us know whether you’re happy to hear from us by email, text, post, or telephone.

You may also let us know if you want us to stop using information about how you use our products and services for marketing purposes or profiling you for marketing purposes.  For more information about how we use your information for marketing purposes, please see above.

Right to withdraw consent

You can withdraw your consent at any time in respect of any processing which is based upon your consent.

UK Customers: To exercise these rights, you can do the following:

  • If you want a copy of your billing information, the number to call as business customer is 0800 800 152.

  • If you want to see what contact information we hold about you, you can also log in to your account. It’s quick and simple to access it this way.

  • If you want a copy of the information we hold about you, or you would like to ask us to correct, complete, delete or stop using any personal information we hold about you, you can email us at cpo@bt.com

  • If you work for one of our corporate customers, where possible, please ask your employer – they’ll ask for this on your behalf.

Please email cpo@bt.com or see our list of controllers for further ways to contact us in some specific territories.

We will assess any request to exercise these rights on a case-by-case basis and we may ask you for proof of identity or other information before doing so.

There may be circumstances in which we are not legally required to comply with a request because of relevant exemptions. In some instances, this may mean that we are able to retain your information even if you withdraw your consent.

We aim to provide our products and services in a way that protects personal information and respects your request.  Because of this, when you delete or change your information from our systems (or ask us to), we might not do so straight away from our back-up systems or copies on our active servers. And we may need to keep some information to fulfil your request, for example, keeping your email address to make sure it’s not on our marketing list. 

Where we can, we’ll confirm any changes. For example, we’ll check a change of address against any authoritative postal address file, or we might ask you to confirm it.

We’ll always try to help you with your request. But we may refuse all or part of your request if sharing the information would have a negative effect on others, for example because it includes personal information about someone else, or the law prevents us from doing so.

It will normally take us up to one month to get back to you but could take longer (up to a further two months) if it’s a complicated request or we receive a lot of requests at once.

How will we tell you about changes to this policy?

Our Policy might change from time to time. We will take reasonable measures to communicate any substantial changes we make to this Policy, for example, by posting an update on our websites, or sending you an updated version of the Policy. 

How to contact us and further details

You can contact us, and our Data Protection Officer at cpo@bt.com. We’re always interested in hearing your questions and comments about our Policy and you can use these contact details to exercise your rights or find out more about the controller for your personal information.

Alternatively, you can write to us at:

BT Data Legal Team
Floor 16
1 Braham Street
London
E1 8EE

 

If you want to make a complaint on how we have handled your personal information, please contact us in the first instance at cpo@bt.com, and we will investigate the matter and report back to you. (Or see our list of controllers) for further ways to contact us in some specific territories. If you are still not satisfied after our response, you also have the right to complain to your data-protection regulator. Please contact us for details on how to contact your local data protection regulator.