
GDPR and Mobile Networks: Your Data Rights

UK GDPR gives mobile customers enforceable rights over how operators collect, store and share personal data. Here is what operators process, what you can demand, and how the ICO enforces your rights.

Chandraketu Tripathi
Finance Editor, Kaeltripton
Published 5 Jun 2026
Last reviewed 5 Jun 2026
✓ Fact-checked

TL;DR

  • UK GDPR (retained under the Data Protection Act 2018) binds every mobile network operator that processes data about UK residents.
  • Operators process call records, location data, browsing metadata, payment details and device identifiers — all of which count as personal data.
  • You have the right to access, correct, erase, restrict, port and object to processing of your data, subject to legal exemptions.
  • Subject access requests must be answered free of charge within one calendar month in most cases.
  • The Information Commissioner’s Office (ICO) can investigate complaints, issue enforcement notices and impose fines of up to £17.5 million or 4% of global annual turnover.

How UK GDPR applies to mobile operators

Mobile network operators are data controllers under the UK General Data Protection Regulation, which was retained in domestic law by the Data Protection Act 2018 after the UK left the European Union. As controllers, they must have a lawful basis for every processing activity, keep records of those activities, and give customers clear privacy information at the point of sign-up and on request thereafter. The ICO maintains a public register of data controllers, and all major UK networks are required to pay the annual data protection fee and register their processing purposes.

The lawful bases most commonly relied on by operators include contract performance (processing billing and connectivity data to deliver the service), legitimate interests (fraud prevention, network security), legal obligation (data retention requirements under the Investigatory Powers Act 2016 and Communications Act 2003), and, in more limited circumstances, consent (for marketing by electronic means, which also engages the Privacy and Electronic Communications Regulations 2003). Where consent is the basis, it must be freely given, specific, informed and unambiguous — pre-ticked boxes or bundled consent do not meet the standard.

What personal data mobile operators typically process

The volume and variety of personal data that a mobile operator holds about a customer is substantial. At the contractual layer it includes name, address, date of birth, payment card or bank account details, credit-check outcomes and identification documents. At the network layer it includes the international mobile subscriber identity (IMSI) tied to your SIM, the international mobile equipment identity (IMEI) of your handset, call detail records (numbers called, duration, timestamp), SMS metadata, and the cell towers your device registered with — which approximates your location over time.

Operators may also process internet connection records (ICRs) — the domains or IP addresses your device contacted — which they are required to retain for 12 months under the Investigatory Powers Act 2016 for potential law-enforcement access. In addition, operators who offer add-on services such as device insurance or Wi-Fi calling may process further categories. The operator’s privacy notice, which UK GDPR requires to be concise, transparent and easily accessible, must list all of these categories and the purposes for which each is processed.

Your core GDPR rights as a mobile customer

UK GDPR confers a suite of rights that customers can exercise directly against their operator. The right of access (Article 15) lets you obtain confirmation that your data is being processed and a copy of it, along with information about the purposes, categories, recipients and retention periods. The right to rectification (Article 16) allows you to require correction of inaccurate data — relevant, for instance, if a billing address or usage record is wrong. The right to erasure (Article 17, the “right to be forgotten”) allows deletion where data is no longer necessary for the original purpose, where consent has been withdrawn, or where you object and there are no overriding legitimate grounds; it does not apply where retention is legally required.

The right to restriction (Article 18) lets you request a processing freeze while accuracy or legitimacy is disputed. The right to data portability (Article 20) enables you to receive your data in a structured, commonly used, machine-readable format and to have it transmitted to another controller — relevant if you want to move data-intensive usage records to a new provider. The right to object (Article 21) lets you object to processing based on legitimate interests or for direct marketing; an objection to direct marketing must always be honoured with no need to justify it. These rights are summarised in the table below.

Right | What it lets you do | Key exemptions for operators | Response deadline
Access (Art. 15) | Obtain a copy of all personal data held | Third-party data, national security | 1 calendar month
Rectification (Art. 16) | Correct inaccurate or incomplete data | Limited | 1 calendar month
Erasure (Art. 17) | Request deletion of your data | Legal obligation to retain (e.g. IPA 2016) | 1 calendar month
Restriction (Art. 18) | Pause processing while dispute is resolved | Storage only permitted during restriction | 1 calendar month
Portability (Art. 20) | Receive data in machine-readable format | Applies only to consent/contract basis | 1 calendar month
Object (Art. 21) | Stop marketing or legitimate-interest processing | Compelling legitimate grounds may override (not for marketing) | Must cease marketing immediately

How to make a subject access request

A subject access request (SAR) does not need to follow any particular form. You can submit it by email, letter, or even via a social-media direct message if that is a channel the operator formally monitors for customer queries. Best practice is to write to the operator’s data protection officer, whose contact details must appear in the privacy notice under UK GDPR Article 13. State clearly that you are making a subject access request, specify the data you want (or confirm you want everything), and provide enough identifying information — typically your account number and the address on the account — for the operator to locate your records without excessive effort.

The operator must respond within one calendar month from the day after receipt. For complex or numerous requests, they may extend by a further two months, but they must notify you of the extension within the first month and explain why. The response must be provided free of charge for a first request; a reasonable fee can be charged for manifestly unfounded or excessive repeat requests. If you are not satisfied with the response — for instance, if records appear to be missing or if the deadline is missed — you can escalate to the ICO.

Direct marketing and PECR

The Privacy and Electronic Communications Regulations 2003 (PECR) sit alongside UK GDPR and impose additional requirements on electronic direct marketing. An operator (or any company marketing mobile services) must not send unsolicited marketing emails, SMS messages or automated calls without prior consent, unless there is an existing customer relationship and a clear opt-out was given at the time the data was collected. This “soft opt-in” for existing customers applies where the marketing is for products and services similar to those already purchased, and the customer was given a simple means to refuse at the point of collection.

You have an absolute right to opt out of direct marketing at any time. Under both PECR and UK GDPR, the operator must act on an opt-out without delay and at no cost to you. If marketing continues after a valid opt-out, the ICO can investigate and take enforcement action under PECR, including issuing monetary penalties of up to £500,000 for serious breaches, in addition to UK GDPR enforcement powers.

The ICO’s role and enforcement powers

The Information Commissioner’s Office is the UK’s independent supervisory authority for data protection and information rights. Under the Data Protection Act 2018 and UK GDPR, the ICO can receive complaints from individuals, conduct investigations, issue information notices compelling operators to provide information, issue enforcement notices requiring specific actions or prohibiting processing, and impose administrative fines. For the most serious infringements of UK GDPR — such as processing without any lawful basis or failing to respond to subject access requests — the ICO can impose fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.

The ICO also publishes regulatory guidance, undertakes audit programmes, and works with Ofcom on matters that span both data-protection and communications regulation. While the ICO does not award compensation to individuals — that requires a civil claim in court under Section 168 of the Data Protection Act 2018 or Article 82 of UK GDPR — a successful ICO investigation can support a subsequent damages claim by establishing that a breach occurred.

What this means in practice

Priya, a customer with a mid-tier UK mobile operator, notices that she is receiving targeted text messages about handset upgrades despite having registered her number with the Telephone Preference Service and not having ticked a marketing consent box at sign-up. She emails the operator’s data protection officer, citing Article 21 UK GDPR and Regulation 22 PECR, and requests that marketing stops immediately and that a subject access request is fulfilled confirming what consent record was held. The operator, unable to produce a valid consent record, ceases marketing, provides the SAR response within three weeks, and acknowledges the error in writing. Had it not done so, Priya’s ICO complaint would have created a formal enforcement record and potentially grounds for a Section 168 damages claim in the county court.

How we verified this

This article was verified against the UK General Data Protection Regulation as retained by the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, the Investigatory Powers Act 2016 (data retention provisions), ICO guidance on subject access requests and individual rights, and the ICO’s published enforcement and fines register at ico.org.uk.

Disclaimer: Kaeltripton.com is an independent UK editorial publisher. We are not regulated by Ofcom or the FCA and we do not sell or arrange mobile services, insurance, or financial products. This content is for general information only and is not legal, financial, or technical advice. Rules, prices, and operator policies change. Verify the current position with Ofcom, GOV.UK, the ICO, or your provider before acting. ICO registered ZC135439. Last reviewed: 2026-06-05.

Frequently Asked Questions

What data does my mobile operator process about me?

Mobile operators typically process your name, address, payment details, credit history, call and SMS metadata (numbers, timestamps, duration), location data derived from cell-tower registration, internet connection records showing domains contacted, your IMSI (SIM identifier) and IMEI (handset identifier), and any information collected during account management interactions. The full list must appear in the operator’s privacy notice, which UK GDPR requires to be easily accessible.

Can I ask my mobile operator to delete my data?

Yes, under Article 17 UK GDPR you can request erasure where your data is no longer necessary for the original purpose, where you withdraw consent, or where processing was unlawful. However, operators can refuse where they are legally required to retain data — for example, internet connection records held under the Investigatory Powers Act 2016 — or where data is needed to defend a legal claim. They must explain any refusal in writing within one month.

What is a subject access request to a mobile operator?

A subject access request (SAR) is a formal request under Article 15 UK GDPR for a copy of all personal data an organisation holds about you, together with details of how and why it is processed. You can submit it in any format to the operator’s data protection officer. The operator must respond free of charge within one calendar month, supplying the data in an intelligible form and confirming the purposes, categories, retention periods and any third-party recipients.

What are my GDPR rights with mobile networks?

Under UK GDPR you have the right to access your data, have inaccurate data corrected, have data erased in certain circumstances, restrict processing while a dispute is resolved, receive your data in a portable machine-readable format, and object to direct marketing or legitimate-interests processing. These rights apply to all UK mobile networks as data controllers and must be exercised free of charge, with a one-month response deadline in most cases.

How do I complain to the ICO about a mobile operator?

You must first raise the concern directly with the operator and give it a reasonable opportunity to respond, usually at least eight weeks. If unresolved, you can submit a complaint to the ICO via its online portal at ico.org.uk. Provide the operator’s name, a description of the issue, copies of correspondence, and your contact details. The ICO will assess whether to investigate and will inform you of the outcome, though timescales vary depending on case complexity.

Chandraketu Tripathi
Finance Editor · Kaeltripton.com
Chandraketu (CK) Tripathi, founder and lead editor of Kael Tripton. 22 years in finance and marketing across 23 markets. Writes on UK personal finance, tax, mortgages, insurance, energy, and investing. Sources: HMRC, FCA, Ofgem, BoE, ONS.
