So you think you own your customers’ data…

Additional data collected by third-party fulfilment providers is often overlooked in the context of the retailer–fulfilment provider contractual relationship. We look at the important points to consider.

Third party fulfilment providers, such as parcel carriers and subcontractors, play a vital role in ensuring that customers receive the goods/services ordered. For the purpose of fulfilling the orders, personal data relating to customers has to be shared between the retailer and the fulfilment provider (e.g. name, delivery address, contact telephone number). This sharing of information should be dealt with within the contract that exists between the retailer and fulfilment provider (or in a separate data processing agreement).

However, fulfilment providers are increasingly collecting more and more data directly from customers. For example, a parcel carrier may need to find out from the customer if they will be at home to take delivery or may want to know what the customer thought of the service after it has been completed and data can, in turn, be used to create statistics such as how most customers prefer to be contacted and when certain demographics of customers are likely to be out of the house. This data may not be personal data in itself, but when combined with the data provided by the retailer/information already held on the customer, it may well fall within the remit of personal data.

This additional data is often overlooked in the context of the retailer – fulfilment provider contractual relationship. We have outlined four important points below which should be considered when entering into a third party fulfilment contract from either side.

1. Who owns the data collected?

The data collected and/or developed by the fulfilment provider is valuable and, in most cases, the retailer would want to ensure that it owns this data so that it can build a clearer profile of the customer. Is this covered in the contract with the retailer? When entering a new contract / negotiating new terms, the fulfilment provider can use this as a bargaining tool. I.e. what can the retailer offer in return for handing this data over? It should be covered, either way.

2. Is the fulfilment provider complying with data protection obligations?

In collecting the additional data and determining the purpose for which it is used, the fulfilment provider is the ‘data controller’ under The Data Protection Act 1998 (DPA). Yet, the fulfilment provider may not be as alert to its data obligations as the retailer. Questions that need to be considered include:

  • Is there a privacy policy in place?
  • Is the data being processed only for the purposes it was collected (and the customer notified, under the privacy policy)?
  • Are sufficient data security systems in place?
  • Does the fulfilment provider have the right to send direct marketing communications?

3. Is the data held securely?

This extends beyond computer databases. For example, how is data collected on hand-held devices protected from unauthorised disclosure? The DPA imposes an obligation on the data controller to provide a level of security appropriate to the risk that could be posed by unauthorised disclosure. The majority of headline grabbing data breaches concern data being lost/leaked due to insufficient or inadequate security.

4. Is the data truly anonymised?

Businesses are often under the impression that if data doesn’t sit side-by-side with the name of the individual to whom it relates, it is not personal data. This is a myth; wherever the data can be linked to a living individual (and used to identify such living individual in the aggregate) it must be treated as personal data. This general misunderstanding can lead to the fulfilment provider not only breaching the DPA but also any contractual obligations to the retailer to only act in accordance with the retailer’s instructions when processing data. It is fundamental to proper compliance that the parties clearly identify, understand and agree precisely what data is to be captured and how it will be used, who will use it and in what data protection capacity. Imposing clearly defined instructions, permissions, limitations, and audit rights around the use of data will help minimise risks.

In summary, both parties should think carefully about the data that could be collected/processed outside of the direct retailer - fulfilment provider contractual relationship. This should be dealt with head-on to ensure that the value in the data is realised and that the data is treated appropriately.

There is an increasing trend towards, and demand for, analytics given its value in the real world but ‘Big Data’ is on the ICO’s radar and this should be at the forefront of any organisation’s mind when collecting data. Organisations should watch out for the ICO’s code of practice on Big Data (currently being finalised) but by building compliance into documentation and processes, businesses can make good, commercial and legitimate use of this valuable data.

If you have any questions or would like more information, please contact one of our specialists below.

Author: Rosanna Biggs

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.


There has been a revolution in retail. The convergence of bricks and clicks, emergence of dark stores and increase of convenience stores, reliance on multi-channel platforms, increased consumer choice, economic changes, extended supply chains and the increasingly complex regulatory framework that surrounds them present opportunities for retailers.

Find out more about how we can help

Elaine Fletcher


I specialise in data protection and freedom of information law. I believe that compliance done well is a business facilitator not a blocker, and that privacy by design brings commercial benefits.

Hilary Ross

Executive Partner (London) - Head of Retail, Food & Hospitality

Recognised by The Lawyer as one of the UK’s Top 100 lawyers, I advise clients on compliance and challenges across the EU in relation to products, systems and safety.