Key Takeaways
- On your own store (Shopify, WooCommerce), you are the data controller and the platform is your processor — it must help you fulfil a data subject access request under GDPR Article 28(3)(e).
- On a marketplace (Amazon, Etsy, eBay), the platform is an independent controller and you are a separate controller of only the buyer data you actually receive — you cannot access, and are not responsible for, data that lives solely in the marketplace's systems.
- A buyer can send the same DSAR to both you and the marketplace: Article 26(3) lets them exercise their rights "against each of the controllers," so neither of you can simply deflect to the other.
- You have one month to respond to a DSAR, extendable by two further months for complex requests under Article 12(3) — the clock does not pause because your data is split across channels.
- Amazon and Etsy are not interchangeable: Amazon gives sellers no data-protection agreement, while Etsy's seller terms expressly contemplate seller joint-controllership. Read your role per platform, not once for all of them.
Introduction
It is 4:52 p.m. on a Thursday when the email lands: "Please send me everything you hold about me — and then delete it." You sell the same candles on your own Shopify store, on Amazon, and on Etsy. Three channels, three separate data trails, and a one-month clock that started the moment the message arrived.
Which of those three do you actually have to answer for? Where does your responsibility end and the marketplace's begin? This is one of the most-asked and worst-answered questions in eCommerce privacy — sellers argue about it in public forums, and at least one told Amazon's own seller community they contacted the ICO directly because the marketplace would not clarify. This guide gives you the functional test the law actually uses, channel by channel, plus a DSAR playbook you can run when the request comes in.
Who is the data controller when you sell on a marketplace?
You are the controller of the buyer data you decide how to use, and the marketplace is a controller of the data it decides how to use — the two roles sit side by side, not one inside the other. GDPR Article 4(7) defines a controller as whoever "determines the purposes and means of the processing." It is a functional test based on what you actually do, not on which logo is bigger.
The European Data Protection Board (EDPB) is explicit that controllership is fact-based and that, in its words, "it is not necessary that controllers have access to the personal data" — Guidelines 07/2020. So you can be a controller of data you cannot fully see, and you can be free of responsibility for data you never controlled in the first place. Sorting out which is which is the whole game.
Your own store: you are the controller, the platform is your processor
On a store you run yourself, you decide why customer data is collected and how it is used, which makes you the controller; your platform runs the technical processing on your instructions, which makes it your processor. Shopify's Data Processing Addendum says it plainly: "You shall act as a Data Controller and Shopify shall act as a Data Processor with respect to the processing of Your Customer Personal Data," processing only "in accordance with Your Documented instructions."
That relationship is why a DSAR on your own store is the simplest case, not the hardest. Under Article 28(3)(e), a processor must "assist the controller ... for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights." Shopify commits to exactly that: it will "provide such reasonable assistance as You may reasonably request" to answer Data Rights Requests. You hold the controller duty; the platform is contractually on the hook to help you meet it — which is what a proper [data processing agreement](/resources/blog/gdpr-data-processing-agreements-ecommerce-guide) is for.
A marketplace: an independent controller sitting next to you
On a marketplace, the platform is not your processor — it is its own controller, and you become a separate controller of only the slice of buyer data you receive for your own purposes. When an Amazon buyer places an order, you may receive a name and shipping address for merchant-fulfilled orders, and you decide to use it for fulfilment, tax records, and perhaps your own follow-up. Under the Article 4(7) test, that decision makes you the controller of that data.
But the buyer's marketplace account, browsing history, saved payment tokens, and account-level identity live in the marketplace's systems, under the marketplace's control. As one widely-cited analysis of marketplace roles puts it, marketplaces "establish their own rules on how they handle users ... they have autonomy so they are clearly data controllers." You have neither the access nor the authority to answer for that data — and the law does not ask you to.
Crucially, you are not the marketplace's processor. A processor acts "only on documented instructions from the controller" (Article 28(3)(a)) under a binding contract. The same analysis notes that "Amazon does not provide any agreement for processors nor for joint controllers, and the seller cannot 'assume' any of these roles without an agreement." No instructions, no processor contract — so the honest characterisation is two independent controllers, each answerable for its own processing.
Amazon vs Etsy: the same law, two different postures
Here is the trap that catches multichannel sellers: the marketplaces are not interchangeable. Amazon hands sellers no data-protection agreement, which points toward independent-controller status by default. Etsy goes the other way — its seller terms expressly contemplate that "Etsy and you are found to be joint data controllers of personal information," in which case the seller agrees to indemnify Etsy for claims arising from the seller's own processing, and must keep a GDPR-compliant privacy policy and handle buyers' requests. (Etsy's legal pages block automated access, so treat that as reported by Etsy's own terms rather than a line fetched from the page.)
The practical read: do not decide your GDPR role once and apply it everywhere. Read each marketplace's terms and check what data it actually shares with you. Your posture on Amazon may be "independent controller of a thin data slice," while your posture on Etsy may be "possible joint controller with contractual duties spelled out." Same regulation, different operating instructions.
What data are you actually responsible for?
Your responsibility follows the data you control — the records you hold and decide how to use — and stops at the boundary of the marketplace's own systems. That distinction defines both what you must produce in an access request and what you must (and can) erase. The table below maps the three common channels.
| Channel | Your GDPR role | Platform's role | Who answers the DSAR |
|---|---|---|---|
| Your own store (Shopify, Woo) | Controller | Your processor | You — the platform must assist (Art 28(3)(e)) |
| Amazon | Independent controller of the order data you receive | Separate independent controller | You for your slice; the buyer goes to Amazon for account-level data |
| Etsy | Controller; Etsy's terms contemplate joint controllership | Controller / possible joint controller | You for your slice, coordinated per Etsy's terms |
Whatever the channel, one rule holds: you cannot hide behind the marketplace's privacy policy. Because you decide why and how to use the buyer data you collect, you are its controller regardless of the marketplace's own policies, you must tell buyers how to lodge a request, and you remain liable for the processing you direct. What you are not responsible for is the data you never touched.
How to handle a DSAR across your sales channels
When a request arrives, work the channels in order rather than treating "your data" as one undifferentiated pile. A data subject can, under Article 26(3), exercise their rights "in respect of and against each of the controllers," so expect that the same buyer may have emailed the marketplace too. Here is the sequence:
- Log the request and start the clock. You have one month from receipt under Article 12(3); diarise the deadline the day it lands. Complex or high-volume requests can be extended by two further months, but you must tell the requester within the first month.
- Verify identity proportionately. Confirm the requester is who they say they are without demanding excessive new data — a marketplace order number plus the email on file is usually enough.
- Map the request to your channels. For each channel, ask the Article 4(7) question: did I decide the purposes for this data? Your own-store customer record, your Amazon merchant-fulfilled shipping data, your Etsy order and message history, your marketing list — those are yours to produce.
- Produce your slice. Under Article 15, give confirmation of processing plus a copy and the required context, including "the recipients or categories of recipient" — which is where you name the marketplace, your 3PL, and your email tool.
- Route what isn't yours. For account-level data held solely by the marketplace, tell the buyer plainly that the marketplace is the controller of it and point them to the marketplace's own request process. This is not passing the buck; it is naming the correct controller.
- For erasure, apply Article 17 to your slice only. Delete what you control, honour your legal-retention exceptions (tax and accounting records survive an erasure request), and where you have shared the data onward, take "reasonable steps ... to inform" those recipients under Article 17(2).
Building this into a repeatable [DSAR workflow](/resources/blog/data-subject-access-requests-automation) is what turns a channel-by-channel scramble into a ten-minute routine.
Common mistakes multichannel sellers make
The costliest error is assuming the marketplace has it covered. It does not: the marketplace answers for its data, and you answer for yours, and a buyer who gets silence from you can complain to a supervisory authority no matter how well Amazon handled its own half. Treat "the platform will deal with it" as the single most expensive assumption on this list.
The second mistake is the mirror image — over-reaching. Some sellers, trying to be diligent, promise to erase data they neither hold nor can reach, then cannot deliver. You cannot delete what lives in the marketplace's account systems, and committing to it just manufactures a second broken promise. Answer for your slice precisely; route the rest.
Third, and quietly common: running three sales channels on one undocumented mental model. If your record of processing activities treats "customer data" as a single blob, you will misjudge every cross-channel request. Article 30 exists precisely so that each processing activity — its purpose, its lawful basis, its recipients, its retention — is written down per channel before a request forces you to reconstruct it under a deadline. A record that lives only in your head is not a record.
How PrivacyForge Helps
Multichannel DSARs are a mapping problem before they are a response problem — you cannot answer accurately for data you have not inventoried. PrivacyForge's data-mapping builds your Article 30 record channel by channel, so your own-store, Amazon, and Etsy data flows are documented with their distinct roles, lawful bases, and recipients rather than lumped together.
When a request comes in, the DSAR workflow starts the one-month clock, tracks the extension window, and gives you a structured place to record which slice you produced and which controller you routed the rest to — the paper trail a supervisory authority will ask for. And because your role genuinely differs per marketplace, PrivacyForge's compliance scoring flags the channels where you are acting as a controller without a privacy notice or a documented lawful basis. The goal is not to make the request disappear; it is to let you answer it correctly and prove you did.
Frequently Asked Questions
Am I a data controller or a data processor when I sell on Amazon or Etsy?
You are a controller, not a processor, of the buyer data you receive and decide how to use. A processor acts only on a controller's documented instructions under a contract (Article 28), and marketplaces like Amazon give sellers no such agreement. Because you determine the purposes of your order and fulfilment data, Article 4(7) makes you an independent controller of it.
Do I have to answer a DSAR for data that only lives in Amazon's or Etsy's systems?
No. You answer only for the personal data you control — the order, fulfilment, and marketing data you actually hold. Account-level data, browsing history, and payment tokens held solely in the marketplace's systems are the marketplace's controllership. Tell the requester this plainly and direct them to the marketplace's own request process; naming the correct controller is part of a compliant response.
Who is responsible if a buyer asks me to delete their data on a marketplace?
You are responsible for erasing the data you control under Article 17 — your copy of their order and contact details, subject to legal-retention exceptions like tax records. You cannot delete data held in the marketplace's own account systems, and you should not promise to. Direct the buyer to the marketplace for anything outside your control.
Do I need my own privacy policy if I only sell on marketplaces?
Yes. Because you are a controller of the buyer data you process, you need your own GDPR-compliant privacy notice explaining what you collect, why, how long you keep it, and how to lodge a request. Relying on the marketplace's policy does not discharge your transparency duty under Articles 13 and 14 — the marketplace's policy covers the marketplace's processing, not yours.
How do I handle DSARs when I sell on my own store and marketplaces at the same time?
Treat each channel as a separate controller relationship. On your own store you are the controller and the platform is your processor that must assist you. On each marketplace you are an independent controller of the data you receive. Map the request to every channel, produce the data you control, and route account-level data to the relevant marketplace — all within the one-month deadline.
Conclusion
The question "who handles the DSAR when Amazon holds the data?" has a clean answer once you stop looking for a single owner: each controller answers for the data it controls, and a marketplace seller controls only the slice it receives and uses. Produce that slice precisely, route the rest to the correct controller, and document the split before a request forces the issue. The sellers who get caught out are the ones who guessed their role once and applied it everywhere; the ones who stay calm map it per channel and keep the receipts.
Map your channels before the next request lands: [start your Article 30 record](/resources/blog/data-mapping-101-how-to-build-a-record-of-processing-activities) and turn a scramble into a routine.
This article is informational content, not legal advice. For your specific circumstances, consult a qualified data protection professional.
Sources
- [GDPR Article 4 – Definitions](https://gdpr-info.eu/art-4-gdpr/)
- [GDPR Article 12 – Transparency and modalities](https://gdpr-info.eu/art-12-gdpr/)
- [GDPR Article 15 – Right of access](https://gdpr-info.eu/art-15-gdpr/)
- [GDPR Article 17 – Right to erasure](https://gdpr-info.eu/art-17-gdpr/)
- [GDPR Article 26 – Joint controllers](https://gdpr-info.eu/art-26-gdpr/)
- [GDPR Article 28 – Processor](https://gdpr-info.eu/art-28-gdpr/)
- [EDPB Guidelines 07/2020 on the concepts of controller and processor (summary)](https://www.hunton.com/privacy-and-cybersecurity-law-blog/edpb-publishes-guidelines-on-the-concepts-of-controller-and-processor-in-the-gdpr)
- [Shopify Data Processing Addendum](https://www.shopify.com/legal/dpa)
- [Marketplaces – Data Processors or Data Controllers (analysis)](https://www.linkedin.com/pulse/marketplaces-data-processors-controllers-tudor-galos)
- [Seller's Guide to the GDPR](https://sellerstrategies.com/gdpr-amazon-sellers/)
- [GDPR and Amazon – Seller Central forum](https://sellercentral-europe.amazon.com/forums/t/gdpr-and-amazon/155662)