Why Carriers Need DPAs for Tracking Data
Disclaimer: This article is for informational purposes only and does not constitute legal advice. For guidance specific to your situation, please consult a qualified attorney or legal professional.
GDPR, UK GDPR, CCPA, DPDA…there’s simply no shortage of data privacy and protection frameworks all around the world to ruin your day. Double that when you are a carrier that shares tracking data. Why? Because when you create tracking events and milestones, you are creating new personal data. Congratulations, you’ve become a data controller — and here’s why.
1. Is tracking data considered “personal data”?
YES. GDPR takes the position that tracking data, as long as it is “data related to an identified or identifiable natural person,” qualifies as personal data.
So if you have a tracking number for a delivery, say Tracking ID 123456, and that tracking ID is going to be delivered to a Mr. Truman Burbank, then all information related to that shipment is personal data. GDPR agrees:
Even though tracking numbers or updates cannot alone be used to directly identify a natural person, when used in combination with other available information, they constitute personal data in that they allow indirect identification of end-users and parcel recipients. (See Opinion 4/2007 on the concept of personal data and ICO, UK GDPR Guidance and Resources, “What is personal data?”).
The European Court of Justice confirmed that information that only indirectly identifies an individual is considered personal data (C-582/14 - Patrick Breyer v. Federal Republic of Germany (2016); C-210/16 - Wirtschaftsakademie Schleswig-Holstein (2018); and C-479/22 OC v Commission (2024)).
This means that any information related to the tracking, including (1) the tracking number, (2) timestamps, (3) locations, (4) event names like Delivered, Signed, Received and (5) descriptions like Not at Home, Left at Reception, is considered “Personal Data.”
Settled case law by data protection authorities has also established that postal service providers are data controllers with respect to data related to the “journey” of packages. Relevant decisions by the Serbian Data Protection Authority, Polish Data Protection Authority (refer here and here, p. 9, 2nd column), and Spanish Data Protection Authority.
2. Is the Carrier the Data Controller of the Tracking Data?
YES. GDPR Article 4(7) defines a Data Controller as:
As the carrier created the tracking system, including the data (i.e. events, timestamps, descriptions, etc.), and it controls WHO can access that data and HOW, the Carrier undeniably controls both the purpose and means of processing, and is therefore the Data Controller of the Tracking Data.
3. Is a DPA needed between a Carrier and Tracking Service Provider?
YES. According to GDPR Article 28(3):
So when a tracking services provider (a Data Processor) wants to process the tracking data of a carrier (a Data Controller), a Data Protection Agreement, aka DPA, is required by GDPR.
4. If a Carrier isn’t based in the EU, does it need to comply with GDPR?
If a Carrier has any international shipments to and from the EU to any EU resident, regardless of nationality or residency status, OR it solicits business from EU-based residents, it will need to comply with GDPR. Per Recital 14:
If the Carrier neither has shipments to and from the EU, nor targets business from the EU, then it may not need to comply with GDPR. It may, however, need to comply with a different set of data privacy laws in any country to and from which it ships.
A large number of data protection laws worldwide are modelled after GDPR, and you can check the details on sites such as DLA Piper Data Protection, but broadly speaking, even if you can avoid GDPR, you are probably required to comply with something else, like CCPA or PDPA, which are very similar. In short, you probably still need a DPA.
5. What are the Fines and Penalties for NOT having a DPA?
Per Articles 83(4) and 83(5) and Recitals 148 and 150 of GDPR:
- Tier 1: up to €10 million or 2% of global turnover
- Tier 2: up to €20 million or 4% of global turnover
Uber was fined €290 million for not having a mechanism in place to send personal data from UK/EEA data subjects to the US.
Austrian Post aka Österreichische Post was fined €27.50 million for failing to respond to data privacy inquiries via email.
FAQ
Q: If a Carrier only services B2B shipments, does all this apply?
As long as “data related to an identified or identifiable natural person” is involved, data privacy laws will apply. Examples of B2B shipments in which personal data is involved:
- Consignee listed as “John Doe”
- Proof of delivery, or signed-for delivery by “John Doe”, recorded
- Email for notifications was john.doe@company.com
- Phone number provided belonged to John Doe’s mobile phone
Q: Can a Carrier claim that Tracking Data is simply a status update of the Order Data that they were instructed to process?
No. If the carrier simply received the order and then delivered it without providing any tracking number or status updates, there would be no tracking data. However, once it receives the order processing instruction, the carrier creates new data: the tracking number, the timestamps, the event milestone descriptions, etc. All of this is new personal data that the carrier has created.