
            So you think you own your customers’ data…

            Date: 03/08/2015

            Additional data collected by third-party fulfilment providers is often overlooked in the context of the retailer–fulfilment provider contractual relationship. We look at the important points to consider.

            Third party fulfilment providers, such as parcel carriers and subcontractors, play a vital role in ensuring that customers receive the goods/services ordered. For the purpose of fulfilling the orders, personal data relating to customers has to be shared between the retailer and the fulfilment provider (e.g. name, delivery address, contact telephone number). This sharing of information should be dealt with within the contract that exists between the retailer and fulfilment provider (or in a separate data processing agreement).

            However, fulfilment providers are collecting more and more data directly from customers. For example, a parcel carrier may need to find out from the customer if they will be at home to take delivery, or may want to know what the customer thought of the service after it has been completed. This data can, in turn, be used to create statistics such as how most customers prefer to be contacted and when certain demographics of customers are likely to be out of the house. This data may not be personal data in itself, but when combined with the data provided by the retailer/information already held on the customer, it may well fall within the remit of personal data.

            This additional data is often overlooked in the context of the retailer – fulfilment provider contractual relationship. We have outlined four important points below which should be considered when entering into a third party fulfilment contract from either side.

            1. Who owns the data collected?

            The data collected and/or developed by the fulfilment provider is valuable and, in most cases, the retailer would want to ensure that it owns this data so that it can build a clearer profile of the customer. Is this covered in the contract with the retailer? When entering a new contract / negotiating new terms, the fulfilment provider can use this as a bargaining tool, i.e. what can the retailer offer in return for handing this data over? It should be covered, either way.

            2. Is the fulfilment provider complying with data protection obligations?

            In collecting the additional data and determining the purpose for which it is used, the fulfilment provider is the ‘data controller’ under the Data Protection Act 1998 (DPA). Yet the fulfilment provider may not be as alert to its data obligations as the retailer. Questions that need to be considered include:

            • Is there a privacy policy in place?

            • Is the data being processed only for the purposes it was collected (and the customer notified, under the privacy policy)?

            • Are sufficient data security systems in place?

            • Does the fulfilment provider have the right to send direct marketing communications?

            3. Is the data held securely?

            This extends beyond computer databases. For example, how is data collected on hand-held devices protected from unauthorised disclosure? The DPA imposes an obligation on the data controller to provide a level of security appropriate to the risk that could be posed by unauthorised disclosure. The majority of headline-grabbing data breaches concern data being lost/leaked due to insufficient or inadequate security.

            4. Is the data truly anonymised?

            Businesses are often under the impression that if data doesn’t sit side-by-side with the name of the individual to whom it relates, it is not personal data. This is a myth; wherever the data can be linked to a living individual (and used to identify such living individual in the aggregate) it must be treated as personal data. This general misunderstanding can lead to the fulfilment provider not only breaching the DPA but also any contractual obligations to the retailer to only act in accordance with the retailer’s instructions when processing data. It is fundamental to proper compliance that the parties clearly identify, understand and agree precisely what data is to be captured and how it will be used, who will use it and in what data protection capacity. Imposing clearly defined instructions, permissions, limitations, and audit rights around the use of data will help minimise risks.

            In summary, both parties should think carefully about the data that could be collected/processed outside of the direct retailer - fulfilment provider contractual relationship. This should be dealt with head-on to ensure that the value in the data is realised and that the data is treated appropriately.

            There is an increasing trend towards, and demand for, analytics given its value in the real world but ‘Big Data’ is on the ICO’s radar and this should be at the forefront of any organisation’s mind when collecting data. Organisations should watch out for the ICO’s code of practice on Big Data (currently being finalised) but by building compliance into documentation and processes, businesses can make good, commercial and legitimate use of this valuable data.

            If you have any questions or would like more information, please contact one of our specialists below.

            Author: Rosanna Biggs

            Related people

            Hilary Ross

            • Head of Retail, Food & Hospitality // Executive Partner (London)
