Why Carriers Need DPAs for Tracking Data
The definitive guide on GDPR and other similar regulations
Disclaimer: This article is for informational purposes only and does not constitute legal advice. For guidance specific to your situation, please consult a qualified attorney or legal professional.
GDPR, UK GDPR, CCPA, DPDA…there’s simply no shortage of data privacy and protection frameworks all around the world to ruin your day. Double that when you are a carrier that shares tracking data. Why? Because when you create tracking events and milestones, you are creating new personal data. Congratulations, you’ve become a data controller — and here’s why.
1. Is tracking data considered “personal data”?
YES. GDPR takes the position that tracking data qualifies as personal data as long as it is “data related to an identified or identifiable natural person.”
“The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons.”
So if you have a tracking number for a delivery, say Tracking ID 123456, and the parcel with that tracking ID is going to be delivered to a Mr. Truman Burbank, then all information related to that shipment is personal data. GDPR agrees:
"Since the definition includes 'any information,' one must assume that the term 'personal data' should be as broadly interpreted as possible."
Even though tracking numbers or updates cannot alone be used to directly identify a natural person, when used in combination with other available information, they constitute personal data in that they allow indirect identification of end-users and parcel recipients. (See Opinion 4/2007 on the concept of personal data and ICO, UK GDPR Guidance and Resources, “What is personal data?”).
The European Court of Justice has confirmed that information which only indirectly identifies an individual is considered personal data (C-582/14, Patrick Breyer v. Federal Republic of Germany (2016); C-210/16, Wirtschaftsakademie Schleswig-Holstein (2018); and C-479/22, OC v Commission (2024)).
This means that any information related to the tracking, including (1) the tracking number, (2) timestamps, (3) locations, (4) event names such as Delivered, Signed, Received, and (5) descriptions such as Not at Home, Left at Reception, is considered “Personal Data.”
Settled case law from data protection authorities has also established that postal service providers are data controllers in relation to data about the “journey” of packages. See the relevant decisions by the Serbian Data Protection Authority, the Polish Data Protection Authority (refer here and here, p. 9, 2nd column), and the Spanish Data Protection Authority.
2. Is the Carrier the Data Controller of the Tracking Data?
YES. GDPR Article 4(7) defines a Data Controller as:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
As the carrier created the tracking system, including the data itself (i.e. events, timestamps, descriptions, etc.), and it controls WHO can access that data and HOW, the Carrier undeniably determines both the purposes and means of processing, and is therefore the Data Controller of the Tracking Data.
3. Is a DPA needed between a Carrier and Tracking Service Provider?
YES. According to GDPR Article 28(3):
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
So when a tracking services provider (a Data Processor) wants to process the tracking data of a carrier (a Data Controller), a Data Protection Agreement, aka DPA, is required by GDPR.
4. If a Carrier isn’t based in the EU, does it need to comply with GDPR?
If a Carrier has any international shipments to or from the EU for any EU resident, regardless of that person's nationality or residency status, OR it solicits business from EU-based residents, it will need to comply with GDPR. Per Recital 14:
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
If the Carrier neither has shipments to or from the EU, nor targets business from the EU, then it may not need to comply with GDPR. It may, however, need to comply with a different set of data privacy laws in any country to or from which it ships.
A large number of data protection laws worldwide are modelled after GDPR (sites such as DLA Piper Data Protection give country-by-country details). Broadly speaking, even if you can avoid GDPR, you are probably required to comply with something very similar, such as CCPA or PDPA. In short, you probably still need a DPA.
5. What are the Fines and Penalties for NOT having a DPA?
Per Article 83(4) and (5) and Recitals 148 and 150 of GDPR:
Tier 1: up to €10 million or 2% of global turnover
Tier 2: up to €20 million or 4% of global turnover
Uber was fined €290 million for not having a mechanism in place to send personal data from UK/EEA data subjects to the US.
Austrian Post, aka Österreichische Post, was fined €27.5 million for failing to respond to data privacy inquiries via email.
FAQ
Q: If a Carrier only services B2B shipments, does all this apply?
As long as “data related to an identified or identifiable natural person” is involved, data privacy laws will apply. Examples of B2B shipments in which personal data is involved:
Consignee listed as “John Doe”
Proof of delivery, or signed-for delivery, recorded under the name “John Doe”
Email address for notifications was john.doe@company.com
Phone number provided belonged to John Doe’s mobile phone
Q: Can a Carrier claim that Tracking Data is simply a status update of the Order Data that they were instructed to process?
No. If the carrier simply received the order and then delivered it without providing any tracking number or status updates, then there would be no tracking data. However, if, upon receiving the order processing instruction, the carrier then creates new data (the tracking number, the timestamps, the event milestone descriptions, etc.), all of that is new personal data that the carrier itself has created.