![[Deleted User]](https://secure.gravatar.com/avatar/?s=96&d=mm&r=g "[Deleted User]"){kind=avatar}
Hi all,
Is a courier company a data controller or processor when taking orders from an e-merchant?
DHL and Royal Mail consider themselves data controllers and ICO seems to agree with them. Nevertheless, other delivery services consider themselves as processors – which adds complexity when an organization is dealing with more than 15/20 delivery companies.
Interested to hear people’s thoughts & experience on above so to implement an unified privacy approach on this topic.
Alexander Sturing
In The Netherlands, a consortium of larger mail carriers have agreed with the AP (ICO equivalent) that when it comes to deliver the mail, they are a data controller based on their legal obligation to send/deliver the mail.
Personal data used for this purpose is strictly divided from other processes (as it should be always), so for other aspects, these carriers can be considered a data processor, but not for sending/delivering mail.
Hope this helps.
BlueBottle
Good question, I don’t have much experience with carrier relationships but it is certainly possible to have a mix of roles among your supply chain, and it primarily depends on whether the supplier takes it upon themselves to determine the purposes and means of processing the consignor/consignee data you might provide to them. This affects your privacy notices and risk assessments more than anything else, and in practice you’re not likely to choose a carrier based on their data protection stance alone. A robust vendor risk management process would be my preferred approach.