Understanding the Fine Print: Mobile Contracts and GDPR Compliance in the UK

Mobile contracts do more than set prices and minutes—they shape how personal data is collected, shared, secured, and retained across entire organizations in the UK.
In the wake of recent regulatory updates, it’s vital to read both the commercial and privacy terms together, making sure that contract clauses align with UK GDPR, the Data Protection Act 2018, PECR, and evolving guidance from the ICO and Ofcom.
Why GDPR belongs in your mobile contract checklist
Any mobile plan for a business will involve personal data: employee identifiers, billing details, call records, location/traffic data, and device identifiers used for management or analytics.
UK GDPR requires clear roles (controller/processor), a lawful basis for processing, transparency with users, and security measures proportionate to the risks, all of which should be reflected in your supplier contract and internal policies.
Where the provider acts as a processor, Article 28 terms are mandatory, covering instructions, confidentiality, security, sub-processing, audits, and end-of-contract data return or deletion.
The regulatory backdrop to know in 2025
- ICO guidance continues to emphasise accountability, contracts, and data sharing, noting that materials are being updated following the Data (Use and Access) Act 2025 (DUAA).
- The DUAA introduces targeted reforms while retaining UK GDPR’s core protections; it raises PECR penalty ceilings to GDPR levels and clarifies “reasonable and proportionate” searches for DSARs, with some provisions live and others phased through 2025–2026.
- Ofcom rules require short, simple contract summaries, clearer modification notices, and improved exit rights—key consumer-style protections that also affect many business customers when buying mobile services.
Controller or processor? Spell it out
Mobile providers may be processors for certain services (e.g., MDM, device lifecycle management, managed security), but can be controllers for their own network analytics, fraud prevention, or statutory retention obligations. Your contract should specify the role split—and include Article 28 terms wherever the provider processes personal data on your behalf—with details on subject matter, duration, nature, purpose, data types, data subjects, and both parties’ obligations and rights.
Lawful basis, transparency, and purpose limitation
- Define the lawful basis for each processing activity tied to the contract—common bases include contract necessity (for employee connectivity services), legal obligation (regulatory retention), and legitimate interests (fraud prevention, security monitoring), with consent reserved for scenarios where it’s truly freely given and granular (e.g., some marketing or device tracking settings).
- Ensure privacy notices for staff are aligned with what the provider does—especially if traffic/location data or analytics are used for troubleshooting, optimisation, or billing—so the use is transparent, limited to defined purposes, and supported by appropriate retention limits.
Security and encryption commitments
Security must be risk-based and documented, with contractual commitments to appropriate technical and organisational measures, encryption in transit and at rest where appropriate to the risk, and incident response cooperation. The ICO’s fining guidance underscores the potential scale of penalties for poor security and governance, with maxima up to £17.5m or 4% of worldwide turnover under UK GDPR. Ask providers how they manage key storage, device lock/wipe, SIM/eSIM provisioning security, and isolation of corporate data on BYOD devices.
Sub-processors, audits, and end-of-contract data
Contracts should require approval (or at least notification) of sub-processors, flow-down of Article 28 duties, audit rights proportionate to risk, and clear offboarding steps for data return or deletion when the contract ends. Map which systems hold call detail records, device telemetry, or identity data, and make sure deletion timelines are specified with evidence available on request.
International data transfers
If any support, analytics, or cloud hosting involves data leaving the UK, the contract must cover transfer mechanisms (e.g., the UK IDTA or Addendum to EU SCCs) and require transfer risk assessments, with transparency on locations and onward processors. Verify that the provider can evidence transfer safeguards and will notify of material changes (e.g., a change in hosting region or sub-processor).
DSARs, objections, and employee rights
The DUAA has clarified that DSAR searches should be “reasonable and proportionate,” offering procedural certainty—particularly relevant where multiple systems (carrier billing portals, MDM platforms, security tools) hold personal data.
Contracts should require providers to assist with rights requests, including access, rectification, erasure (where applicable), and objections to direct marketing, within statutory timeframes. Build in practical service levels for request support and cost controls to avoid surprises.
Marketing, PECR, and mobile numbers
If mobile numbers are used for SMS or calling campaigns, PECR applies alongside GDPR, with consent rules and soft opt-in conditions that differ by audience and channel; each message must identify the sender and include an easy opt-out, and enforcement sits with the ICO. Under the DUAA, PECR penalties can reach UK GDPR levels for serious breaches, raising compliance stakes for any mobile-linked marketing activity.
Ofcom-driven contract clarity you should expect
Providers must supply a short, simple pre-contract summary covering key terms—price, duration, speed or service performance, early termination, and how price changes affect the bill—and the contract only becomes effective once the customer gives express consent after receiving that summary. They must also give at least one month’s notice of contractual modifications for relevant services or bundles, improving visibility of mid-contract changes that might affect privacy or costs.
Practical clauses to require in mobile agreements
- Roles and scope: Explicit controller/processor status by processing activity; detailed processing annex for any processor work.
- Security: Specific controls (e.g., encryption standards, device management baselines), incident notification timelines, testing regimes, and evidence obligations.
- Sub-processing: Approval/notification, flow-down, and live register access with change notices.
- Data subject rights: Assistance obligations, timelines, point of contact, and process for “reasonable and proportionate” searches.
- Data minimisation and retention: Purpose-bound collection, configured retention periods for logs and telemetry, and deletion certification at end of term.
- International transfers: Identified locations, transfer tools (IDTA/Addendum), and regular re-assessment commitments.
- Transparency alignment: Provider to supply accurate, timely information to keep employee privacy notices up to date.
- Audit and assurance: Proportionate audit rights, third-party certifications, and remediation timelines for findings.
- Ofcom compliance: Warranties to provide required contract summaries, modification notices, and exit rights in line with General Conditions.
Governance tips for in-house teams
- Do a data map for mobile: list data types (billing, usage, location, device IDs), systems, purposes, retention, and transfer paths before negotiating.
- Align HR/IT/Legal: update staff notices, BYOD policies, and MDM settings to match the provider’s processing reality and the contract terms.
- Test DSAR readiness: run a drill to see how quickly provider portals and internal systems can produce complete and proportionate responses.
- Review marketing flows: if using mobile numbers for campaigns, validate consent/soft opt-in logic and unsubscribe handling under PECR.
- Track changes: set calendar reviews for DUAA-related secondary legislation and ICO/Ofcom updates that may require contract addenda.
Red flags when reviewing provider terms
- Vague role definitions that blur controller/processor responsibilities or omit Article 28 terms when the provider plainly processes on your behalf.
- Open-ended sub-processor rights with no notice, no register, or no flow-down obligations.
- Generic security language with no measurable standards, timelines, or evidence mechanisms.
- Silence on international transfers despite offshore support or cloud components.
- Missing Ofcom-mandated contract summaries, weak modification notices, or unclear exit mechanics.
Final Words
Treat mobile contracts as privacy contracts. Demand clarity on roles, security, sub-processing, retention, and international transfers, and insist on Ofcom-compliant contract summaries and modification notices to avoid surprises mid-term.
With the DUAA bedding in and PECR penalties rising toward GDPR levels, strong contractual controls and practical governance are no longer optional—they’re essential to protect people, operations, and budgets.