Effective August 28, 2025
At AT&T, our relationship with our customers is built on a foundation of respect and trust. These principles extend to the careful and responsible way that we handle your Personal Data. This AT&T Business Customer Privacy Notice – Most of World (Notice) outlines the types of Personal Data that we Process, why we Process it, who has access to it, when we delete it, and individual rights with respect to the Personal Data. If you have questions after you’ve reviewed this Notice, please contact your account team or you can contact AskPrivacy@att.com. Additional information is also available at AT&T’s Privacy Center.
| Term | Meaning |
|---|---|
| AT&T Business Customer | A legal entity (excluding AT&T affiliates) that has contracted with AT&T to provide Services |
| Customer Data Subject | An identified or identifiable individual authorized by an AT&T Business Customer to use the Services or to interact with AT&T on behalf of the AT&T Business Customer |
| Data Controller | An entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Depending on the Processing activity, there may be more than one Data Controller. |
| Data Privacy Laws | Applicable country or regional laws or regulations in relation to Processing of Personal Data. The standards of AT&T’s MOW privacy program are primarily based on the European Union’s General Data Protection Regulation (GDPR), AT&T Business Customer MOW Privacy Notice (May 2021) 2 but incorporate provisions of other laws that are stricter than or supplemental to GDPR requirements. |
| Most of World or MOW | Includes all countries in which AT&T provides Services to AT&T Business Customers, other than the United States of America |
| Personal Data | Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. |
| Process or Processing | Any operation(s) performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction |
| Services | The products and services provided by AT&T under a contract between AT&T and the AT&T Business Customer |
| Sensitive Personal Data | Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person`s sex life or sexual orientation, as well as Processing of Personal Data relating to criminal convictions and offenses. |
Meaning:
A legal entity (excluding AT&T affiliates) that has contracted with AT&T to provide Services.
Meaning:
An identified or identifiable individual authorized by an AT&T Business Customer to use the Services or to interact with AT&T on behalf of the AT&T Business Customer.
Meaning:
An entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Depending on the Processing activity, there may be more than one Data Controller.
Meaning:
Applicable country or regional laws or regulations in relation to Processing of Personal Data. The standards of AT&T’s MOW privacy program are primarily based on the European Union’s General Data Protection Regulation (GDPR), AT&T Business Customer MOW Privacy Notice (May 2021) 2 but incorporate provisions of other laws that are stricter than or supplemental to GDPR requirements.
Meaning:
Includes all countries in which AT&T provides Services to AT&T Business Customers, other than the United States of America.
Meaning:
Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.
Meaning:
Any operation(s) performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Meaning:
The products and services provided by AT&T under a contract between AT&T and the AT&T Business Customer
Meaning:
Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person`s sex life or sexual orientation, as well as Processing of Personal Data relating to criminal convictions and offenses.
This Notice applies when:
Additional information of interest to the Customer Data Subject may be available directly from the AT&T Business Customer. AT&T maintains other policies and notices, including the AT&T Privacy Notice, as well as general and product-specific services guides, that address data protection. Unless specifically stated otherwise, where another AT&T notice or policy conflicts with the purposes of this Notice, this Notice will prevail as to Customer Data Subjects in Most of World.
AT&T generally Processes the following categories of data, which may include Personal Data of Customer Data Subjects:
AT&T Processes Personal Data when a Customer Data Subject uses the Services or when the AT&T Business Customer provides the Personal Data to AT&T in relation to the Services. In connection with the provision of Services, AT&T will generally Process Personal Data of Customer Data Subjects for the purposes of:
Applying the principle of data minimization, AT&T will Process only the Personal Data necessary for the above purposes.
AT&T Processes Personal Data of Customer Data Subjects only pursuant lawful and appropriate bases for Processing as necessary for:
In limited circumstances, AT&T may Process Personal Data as necessary for:
AT&T will not Process Sensitive Personal Data or similarly designated data under applicable Privacy Data Laws about Customer Data Subjects unless specifically authorized by law, for example where the Customer Data Subject has given explicit consent; as necessary for carrying out obligations and exercising specific rights in the field of employment and social security and social protection law; to protect life, physical safety or health of the Customer Data Subject or another natural person; to guard against fraud; and/or as necessary for the establishment, exercise, or defense of legal claims.
AT&T affiliates are part of the AT&T group of companies operating internationally. All members of the AT&T group support and interact with each other to run AT&T’s business and to set group-wide strategy. Certain Personal Data can be accessed by any of the AT&T group of companies where relevant, necessary for the purposes described and legally permitted.
Personal Data about Customer Data Subjects will be disclosed,to the extent required for Service delivery, to appropriate and authorized recipients. Recipients may include: AT&T affiliates and personnel; business partners and third-party service providers, suppliers, vendors, and subcontractors; and/or other third parties performing services for any of the AT&T companies. Personal Data may also be provided to the AT&T Business Customer and its agents. Third parties may also collect and Process Personal Data on AT&T’s behalf for the above purposes. A list of AT&T affiliates and the countries in which they are located may be accessed at this link.
Third parties given access to Personal Data about Customer Data Subjects will be required to use appropriate security measures, including AT&T’s Supplier Information Security Requirements (SISR), consistent with Data Privacy Laws and all other applicable legal requirements when Processing Personal Data. Where the third party is Processing such Personal Data on behalf of AT&T, the third party is obligated to do so only pursuant to AT&T’s instructions
AT&T may disclose Personal Data if compelled to do so by courts of law, regulators, law enforcement agencies, governmental agencies and parties to civil lawsuits in connection with inquiries, proceedings, investigations or lawfully requested to do so by a relevant governmental authority using the appropriate means of request. These entities may be located anywhere in the world. Prior to any such disclosure, AT&T examines all such requests to determine that they are legally valid, appropriate and proportionate; and AT&T may challenge such requests if it determines that these criteria are not met. AT&T may disclose Personal Data if AT&T determines it is necessary or appropriate to comply with the law or to protect or defend AT&T’s rights, property, or employees.
AT&T is a multinational company, but has centralized business and operational activities to better manage a global business. That centralization may result in the transfer of Personal Data to, or access to Personal Data from, countries outside of the country in which the Customer Data Subject is located. For example, a Customer Data Subject’s Personal Data may be transferred for Processing in the United States of America by AT&T or third-party service providers. In some of these countries, the Data Privacy Laws may offer a lower standard of protection than the country in which the Customer Data Subject is located. As applicable, AT&T takes appropriate technical, organizational, and contractual steps to conduct cross border transfers of Personal Data in accordance with the requirements of the more stringent Data Privacy Laws in order to safeguard Personal Data as set out in this Notice.
AT&T generally transfers Personal Data about Customer Data Subjects between AT&T affiliates on the basis of our Intra-Group Agreement (IGA), which includes standard contractual clauses for export of Personal Data to third countries. AT&T may additionally rely on other lawful bases for transfer of Personal Data. A Customer Data Subject may request to review the safeguards AT&T uses for cross border transfers by contacting the AT&T Chief Privacy Office at AskPrivacy@att.com.
Wherever Personal Data is Processed, AT&T uses appropriate security measures consistent with Data Privacy Laws.
Personal Data will be retained as needed for business administration, tax, or legal purposes and as consistent with Data Privacy Laws. In many cases, this will require retention through the administrative period of the contract between AT&T and the AT&T Business Customer, or through the period of the relationship between the AT&T Business Customer and the Customer Data Subject. After that, Personal Data will be destroyed by making it unreadable or indecipherable. While Personal Data is retained, AT&T implements appropriate technical and organizational measures designed to secure Personal Data. Such measures may include:
The Customer Data Subject has rights regarding the Processing of their Personal Data. AT&T is committed to honoring these rights and has established effective and transparent policies and procedures to do so. A Customer Data Subject’s rights with respect to his or her own Personal Data may include:
Whether, how, and to what extent a specific right applies and how it will be addressed by AT&T will depend upon the applicable Data Privacy Law, the lawful basis pursuant to which Personal Data is Processed, the nature of the Personal Data, and AT&T’s ability to determine that it holds responsive Personal Data. As the Personal Data is Processed as part of AT&T’s contractual obligations to the AT&T Business Customer, for applicability and authentication purposes AT&T will coordinate responses to requests of Customer Data Subjects with the AT&T Business Customer. The Customer Data Subject should directly contact the AT&T Business Customer to initiate a rights request. AT&T's Business Customers should submit requests on behalf of users by emailing their AT&T account manager or AT&T Service Management contact. Please copy AskPrivacy@att.com on the email. AT&T will work with the AT&T Business Customer to determine the appropriate response to a request. Provision of Personal Data in response to a Customer Data Subject’s request shall not adversely affect the rights and freedoms of others.