Online businesses like yours have to comply with many different rules in the day-to-day running of an eCommerce brand. One of these is data protection rules, which apply if you store and process personal data. However, there may be situations where you, as an eCommerce business and data controller, pass personal information to another online business that acts as the supplier or processor of that personal data.
For example, your online business may hold customers’ personal details in order to deliver their goods. However, you may use another online business to deliver those goods for you, in which case you will pass it the personal data. This article explains what you can do if your online business supplier breaches data protection rules. It is essential to understand this, as data protection breaches can result in penalties such as hefty fines.
What are Data Protection Rules?
As an online business, you may come across personal data. For example, your online customers may give you personal details such as their date of birth for you to allow them to sign up for your online rewards scheme. If so, your eCommerce business must comply with the Data Protection Act 2018, which is how the UK implemented the General Data Protection Regulation (GDPR).
The Data Protection Act 2018 requires your online business to follow ‘data protection principles’. These include:
- using data lawfully, fairly and transparently;
- using data only for the exact purposes you specify;
- using data only as necessary, adequate and relevant;
- keeping data up to date and ensuring it is accurate;
- not holding onto data for longer than needed; and
- handling data with the right level of security.
What is a Data Protection Breach for Online Businesses?
A data protection breach for an online business like yours is a breach of security that causes personal data which you either:
- process;
- store; or
- transmit
to be accidentally or unlawfully:
- destroyed;
- lost;
- altered;
- disclosed without authorisation; or
- accessed.
What Can I Do if My Online Business Supplier Breaches Data Protection Rules?
As an eCommerce business, when you use another online business for a service and pass it personal data, you are the controller of that data and the other business is its supplier or processor. Your eCommerce business controls the data because you decide what data the other online business needs to process. The supplier or processor will follow your instructions.
You expect the processor or supplier to act responsibly with the data and ensure there is no data breach. For example, you expect the supplier to have systems in place, such as technological and organisational ones, to keep the data safe and secure. If your online business supplier commits a personal data breach, they should let you, as the controller of that data, know immediately.
If your online business supplier or processor of personal data breaches data protection rules, you need to know what to do. Your supplier should notify you of a security breach immediately, per the data protection rules and any contract you have with them. You must ask your supplier for as much information about the data protection breach as possible.
Once your eCommerce business, as the controller, has information about the data protection breach by your supplier, you must assess whether it is a ‘serious personal data breach’. If so, there is a legal requirement to let the Information Commissioner’s Office (ICO) know without unnecessary delay and at least 72 hours after your supplier tells you about the data breach.
If the data protection breach means there is a high risk of negatively affecting your customers’ rights and freedoms, you should tell them about it without unnecessary delay. Ultimately, you should take advice from a legal professional if your online business supplier breaches the data protection rules and this affects you as an eCommerce business.
Key Takeaways
Data protection rules control how businesses like your eCommerce business use and process data. Failing to comply with these rules can result in a data protection breach. This can mean a penalty for your business, such as a fine. If you pass personal data to another online business, they are the data processor or supplier. Your online brand is the data controller because you choose what data to pass to them and you instruct them.
For example, you might pass the names and addresses of your customers to an online business that you use to deliver their purchases. If your online business supplier or processor of personal data has a data protection breach, they must notify you as the controller immediately. You will need to assess if it is a ‘serious personal data breach’ and, if so, let the ICO know. You must also inform your customers if the breach affects their rights and freedoms.
If you need help understanding what you can do if your online business supplier breaches data protection rules, LegalVision’s experienced eCommerce lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.