General Data Protection Regulation (GDPR)
Effective Dates: 25 May 2018
UPS has a longstanding commitment to privacy. The protection of information about our customers has been part of our policies and procedures for decades. For more than ten years, UPS has demonstrated compliance with European Union data protection laws, and has enhanced its data protection management to comply with the General Data Protection Regulation (GDPR). UPS has enhanced policies and procedures and developed new training for our people in data protection to support the expansion of individual rights covered by GDPR. Over a decade ago, UPS adopted a legal mechanism to transfer personal data throughout the UPS organisation in compliance with EU privacy laws. This mechanism, commonly referred to as the “Model Clauses,” was created by the European Commission for companies that transfer personal data out of the EU.
Intent of GDPR
The General Data Protection Regulation (GDPR) will be enforced throughout the European Union (EU), including the U.K. effective 25 May 2018. The regulation is intended to strengthen and unify data protection for citizens of the EU. The GDPR applies to all businesses that process personal data in the EU or that receive personal data from the EU.
Preparation for GDPR
UPS began preparing for the GDPR well before the effective date of 25 May 2018. We are implementing a comprehensive GDPR readiness programme. This programme is supervised by the highest levels of UPS management and takes into consideration UPS’s privacy notices and policies, as well as additional accountability-related measures. These measures include the establishment of a compliant record keeping system, embracing privacy by design and privacy by default, managing existing vendors, and complying with an individual’s data protection rights, where applicable.
Data Protection Approach
The parcel transportation industry is unique, compared to other vendors in other industries, and consequently, the standard GDPR data protection form may not apply. UPS, as a parcel transportation company, has an inherent need to use the shipping data we receive from our customers for purposes beyond simply providing the transportation service. We describe these purposes in the UPS Privacy Notice on ups.com. UPS is acting in the capacity of a “controller” of personal shipping data we receive from our small parcel customers. For example, UPS uses shipping data to plan and optimise its daily routes; to engage in planning and optimisation of its internal parcel flows and operations; to make decisions regarding placement of drop boxes, alternate delivery locations and parcel facilities; and to correct and improve its address and mapping information.
UPS also collects and processes shipping information that is not provided by our customers such as actual dimensions and weight of parcels, details of the handling of parcels through the UPS network, and the geographical coordinates of delivery points.
We update shipping information automatically and constantly with UPS information concerning addresses and individual shipment attributes as well as UPS operational details and requirements for shipments meeting these attributes. All of this additional information that UPS collects and processes about our customers can be considered personal data for which UPS’s customers are not the original data controllers.
Data Protection Obligations
UPS has a “one-to-many” service model in which UPS uses a common set of systems, facilities and processes to perform small parcel transportation services for all of our customers. This includes a shared information technology (IT) platform that UPS uses across its customers. The UPS GDPR readiness programme carefully aligns with UPS’s operations and technologies.
UPS cannot be responsible for data protection obligations with respect to data inside parcels. UPS does not “process” the personal data, if any, that customers place inside parcels tendered to UPS for transportation. UPS cannot be held responsible for personal data contained in parcels, such as data stored on USB drives or other storage media inside a parcel.
- As a general rule, UPS does not know what customers have placed inside the parcels tendered to UPS for transportation.
- UPS handles parcel contents as a “mere conduit,” not unlike how a telecommunications carrier handles calls over its network.
- You as the shipper are in a better position to determine what security measures, if any, should be deployed for what personal data is contained in parcels.
UPS cannot be responsible for the privacy of information placed on the outside of parcels, such as on shipping labels.
- Information on the outside of parcels is publicly viewable.
- Customers concerned about public access to information on the outside of a parcel should address that concern through decisions concerning what information to include on a label, and through changes to packaging (e.g. making the packaging more generic, etc.).
How to Contact Us
We provide consumers with the opportunity to exercise their privacy rights directly with UPS. Consumers can submit privacy requests to UPS through the UPS Privacy Notice on ups.com.
Customers can contact their account executives with additional questions regarding GDPR or in the event more information is needed on data protection for parcel transportation service with UPS. Customers may also submit questions regarding GDPR through the How to Contact Us email application in the UPS Privacy Notice on ups.com.