Date last updated: 08 June 2026

1. Who we are and what is the purpose of this privacy notice?

We are GSM Association (“GSMA”, “we”, “us” or “our”) with registered office at 1 Angel Lane, London EC4R 3AB, England.

This privacy notice (“Privacy Notice”) explains how we collect and process personal data of representatives and other personnel of GSMA members (or prospective members).

GSM Association is the controller of your personal data under the EU General Data Protection Regulation (“GDPR”).

2. What categories of personal data do we collect and process about you?

In this Privacy Notice, when we mention “personal data”, we mean any information that is about you.

We may process the following personal data about you:

Contact Data your full name, email address, postal address, phone number, preferred language.

Member Data company/organisation name, job title, industry, whether your organisation is a GSMA member, membership type, organisation email address, country / region, photograph, areas of expertise.

Billing Data your full name, company or organisation name, job title, company registration number, tax registration number, email address, phone number, purchase order reference (optional), VAT number (optional),

Login Credentials email address for Member Gateway or Roaming Gateway.

Usage Data your username, location (country and city), IP address, information on your use of our website, Member Gateway or Roaming Gateway, or other usage data.

3. For what purposes do we process your personal data?

We may process your personal data for the purposes described below. We also set out the data categories that we process for each purpose and our lawful basis under the GDPR for undertaking the processing purpose we have described.

1. Enquiry Form for Future Members
   • Description: If you express interest to join GSMA as a member and/or submit an enquiry form on our website, we will process your personal data for contact purposes and to respond to your enquiry.
   • Data categories: Contact Data, Member Data, other data related to your enquiry.
   • Lawful basis: Our legitimate interest that involves using your personal data to process and respond to your enquiry.
2. Working Group Enquiry Form
   • Description: If you submit an enquiry form on our website about GSMA Membership and/or Working Group(s), we will process your personal data in order to respond to your enquiry.
   • Data categories: Contact Data, Member Data, other data related to your enquiry.
   • Lawful basis: Our legitimate interest that involves responding to your enquiry.
3. GSMA Membership
   • Description: We will process your personal data for the purposes related to your membership, including member onboarding, participation in meetings, voting, events, training, working groups and forums, networking with other Members, providing contributions and communication.
   • Data categories: Contact Data, Member Data.
   • Lawful basis: Our legitimate interest, which involves processing your personal data for activities related to your GSMA membership.
4. GSMA Member Gateway and Roaming Gateway
   • Description: We will process your personal data to grant you access to the Member Gateway and/or Roaming Gateway, manage your account, communicate with you via the chat available in the Member Gateway or Roaming Gateway or to send you notifications related to your account.
   • Data categories: Contact Data, Member Data, Login Credentials, Usage Data.
   • Lawful basis: Performance of a contract and our legitimate interest involving communication with you.
5. GSMA Membership Newsletter
   • Description: If you subscribe to our Membership Newsletter, we will process your personal data to send you updates related to GSMA membership, latest initiatives, industry news, insights and reports curated by our team across the mobile ecosystem.
   • Data categories: Contact Data, Member Data.
   • Lawful basis: Consent.
6. Billing
   • Description: We will process your personal data for billing purpose as well as for tax and accounting purposes.
   • Data categories:Billing Data.
   • Lawful basis:Performance of a contract and compliance with legal obligations.
7. Technical support and security
   • Description: We may use your personal data to diagnose, troubleshoot, and fix issues with our Member Gateway or Roaming Gateway, to keep our services secure, for access verification and identification purposes.
   • Data categories: Contact Data, Usage Data, other data required for technical support & security.
   • Lawful basis: Our legitimate interest that involves diagnosing and fixing technical issues with our services and ensuring the security of our services.
8. Data subjects’ requests and enquiries
   • Description: We may use your personal data to respond to your enquiry, complaint, or a data subject request (e.g. access to data, erasure, etc.).
   • Data categories: Contact Data, other data relevant to your request.
   • Lawful basis: Compliance with legal obligations and our legitimate interest that involves processing your personal data to respond to your request or enquiry.

Consent

Where we process your personal data based on consent, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted on other lawful processing grounds.

Legitimate Interest

If we collect and use your personal data based on our legitimate interests (or of a third party), you may object to such processing. In that case we will no longer process your personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where we process your personal data for direct marketing purposes, you may object to such processing at any time.

4. Marketing

If you provide us with your consent or we have another lawful basis for sending marketing communications, we may process your personal data for direct marketing purposes using different communication channels such as email.

We may also use automated tools within our marketing technology platforms, including AI and machine-learning algorithms, to analyse how you interact with our communications, events and online content. This helps us understand your interests and engagement patterns, segment our audiences, tailor the content and communications we send to you and improve the relevance of our marketing.  

This processing may involve the use of your contact details, profile information and usage data, such as email engagement, event attendance and website interactions. It may also generate scores or place you into audience segments based on predicted interests or likelihood of engagement. We use the outputs of this processing only to support our marketing activities and not to make decisions based solely on automated processing which produce legal effects concerning you or similarly significantly affect you. You have the right to object to this processing at any time. 

You can update your marketing communication preferences anytime in the preference centre on our website. You can access the preference centre via unsubscribe link included in each email from us.

5. Automated processing

We will not use your personal data to make a decision about you based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless it is necessary for a contract between us and you, is permitted by law or you have provided us with your consent for such processing. 

6. How do we collect your personal data?

Directly from you, for example when you represent GSMA member (or prospective member), create your Member Gateway or Roaming Gateway account, subscribe for our newsletter, use our services or products, interact with our apps or websites, communicate with us via email or other means.

From third parties, for example from GSMA member (or prospective member) or a person who provided us with your contact details.

7. Who has access to your personal data?

We may share your personal data with the following recipients:

• Our agents, vendors, or service providers who perform functions on our behalf or provide services to us; for example, IT service providers, billing providers, service providers who maintain our platforms, accounting service providers or archiving service providers,
• Other GSMA members for networking and meeting arrangements when you opt in,
• Authorities where we are required to do so by law for example for security reasons or in connection with criminal or regulatory investigations,
• Outside advisers, including legal counsels for the purpose of defence of legal claims, or regulatory proceedings,
• Our affiliates for example for administrative purposes, group reporting, or provision of other services.

Please note that this list is non-exhaustive and we may need to share your data with other parties in connection with your membership or to effectively deliver our services.

8. International data transfers

As we operate via a global network of corporate offices, booking and service centres, and data centres, it may be necessary to transfer your personal data internationally, i.e. outside of the country where it was originally collected or outside of your country of residence.

Where we transfer personal data that originates in the European Union (“EU”), the United Kingdom (“UK”) or Switzerland to a country outside the EU, the UK or Switzerland, we will ensure such transfer is made in accordance with applicable laws. We use a variety of legal mechanisms, including Standard Contractual Clauses adopted by the European Commission, to ensure your rights and protections travel with your data.

9. How long do we keep your personal data?

We retain your personal data only for as long as necessary to fulfil the purposes described in this Privacy Notice or to comply with legal requirements. Retention periods vary depending on the data type and processing purpose. Specific retention periods are set out below where applicable.

Your personal data will be deleted as follows:

• Data relating to your representation of a GSMA Member (or prospective member) will be deleted no later than a few business days after the termination of legal relationship with a GSMA Member. We may retain some of your personal data for up to 7 years to comply with applicable regulations.
• Data relating to your Member Gateway or Roaming Gateway account will be deleted after you delete your account. However, we may retain some of your personal data for up to 6 years to comply with applicable regulations.
• Data relating to your creations and contributions to working groups and projects may be kept for up to 30 years to protect intellectual property rights or to comply with applicable regulations.

We may retain your other personal data for the duration of our legal relationship with you or to comply with applicable regulations such as tax or accounting. You may contact us anytime if you want to know more about how long we will keep your data.

10. Your rights as a data subject

Below you will find descriptions of rights that you may be able to exercise in relation to the personal data we process about you.

Confirmation of processing – you can ask us to confirm if we are processing your personal data;

Access – you can ask us to provide a copy of the personal data that we hold about you;

Rectification – you can ask us to rectify the record of your personal data that we maintain;

Restrict – you can ask us to restrict the processing of your personal data in certain situations;

Object to processing – you can object to the processing of your personal data, where we process your data based on our legitimate interests;

Deletion – you can ask us to delete some or all of the personal data that we hold about you;

Portability – in certain circumstances, you can ask GSMA to provide you a copy of your personal data in a structured, electronic format, or to transmit it directly to another data controller, where technically feasible.

You have the right to contact the relevant data protection authority if you have concerns about how GSMA processes personal data. Our lead data protection authority in the EU is the Agencia Española de Protección de Datos.

However, we encourage you to contact us directly in the first instance so that we can attempt to address your concerns directly.

For additional questions or information concerning the processing of your personal data or if you would like to exercise one of your rights, you can email us at dataprivacy@gsma.com.

11. Contact us

You can contact us with any enquiry relating to your personal data by filling out this form, sending an email to dataprivacy@gsma.com or writing to:

Data Privacy – Legal

GSM Association, 1 Angel Lane,

London, EC4R 3AB

United Kingdom