PRACTITIONER FAQ

E-Commerce Marketplace + Third-Party Sellers: Who Controls Customer Data and Who Is Responsible for DSAR?

10 min read | Marketplace DPO · Seller Compliance · Platform Legal · E-Commerce CTO | April 2026

EPISODE 03 OF 10 · E-Commerce · Marketplace · Platform Economy

50,000 sellers. Customer data visible to relevant sellers. DSAR arrives. Who responds — the platform, the seller, or both? And when is the right to erasure actually enforceable?

🛒 THE SCENARIO

A marketplace hosts 50,000 sellers. Customer order data, delivery addresses, and purchase history are visible to relevant sellers. Some sellers download customer contact data for post-sale follow-up in their own CRMs. A customer submits a DSAR asking for all personal data held about them, and a separate customer demands complete deletion.

Q 3.1

Is the marketplace a Fiduciary and are sellers Fiduciaries — or are sellers Processors?

The marketplace is unambiguously a Data Fiduciary for all core customer data. Sellers occupy a hybrid position: when they access data within the marketplace interface purely to fulfil orders, they act closer to a Processor. When they download customer contact data into their own CRM and use it beyond that specific order, they become an independent Data Fiduciary for that downstream use.

⚠️ Regulatory Risk
If sellers routinely download and re-use customer data, the Data Protection Board may view the marketplace as enabling unlawful processing at scale. The marketplace cannot disclaim responsibility simply by being "just a platform."

Q 3.2

A DSAR arrives requesting all personal data. Must the platform, the seller, or both respond?

DSAR RESPONSE RESPONSIBILITY — MARKETPLACE MODEL

MUST RESPOND                      Platform — account data, order history, browsing history, payment records
MUST RESPOND (independently)      Seller who downloaded customer contact data to own CRM
NOT REQUIRED (platform responds)  Seller who only viewed data within the platform interface

The marketplace must respond for all data it directly controls. For data sellers have downloaded into their own systems, each such seller is an independent Fiduciary with their own DSAR obligation. The platform's DSAR response should include a statement directing the data principal to contact sellers directly for any independently-held data.
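The routing rule in Q 3.1 and Q 3.2 (view-only sellers are covered by the platform's answer; sellers who exported contact data off-platform answer independently and must be named to the data principal) can be driven directly from the platform's seller access audit log. The example below is added here and is not code from the original article or from CreativeCyber; the event shape, the "view"/"export" action names, the seller and customer identifiers and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessEvent:
    """One seller access to one customer's data, as the platform's audit log would record it."""
    seller_id: str
    customer_id: str
    action: str      # "view": seen inside the marketplace UI; "export": downloaded off-platform
    order_id: str
    when: date


# Data categories the platform itself controls and must answer for (from the table above).
PLATFORM_HELD = ("account data", "order history", "browsing history", "payment records")

# Constructed sample audit events (hypothetical identifiers, not real sellers or customers).
SAMPLE_EVENTS = [
    AccessEvent("S-0001", "C-1001", "view", "O-1", date(2026, 3, 2)),
    AccessEvent("S-0002", "C-1001", "view", "O-2", date(2026, 3, 5)),
    AccessEvent("S-0002", "C-1001", "export", "O-2", date(2026, 3, 6)),   # CSV pulled into seller CRM
    AccessEvent("S-0003", "C-2002", "export", "O-3", date(2026, 3, 7)),   # different customer: irrelevant here
]


def classify_sellers(events, customer_id):
    """Split the sellers that touched this customer's data by DPDP role.

    exported  -> independent Data Fiduciary for the downloaded copy; own DSAR duty
    view-only -> acted within the platform; the platform's response covers them
    """
    exported, viewed = set(), set()
    for ev in events:
        if ev.customer_id != customer_id:
            continue
        if ev.action == "export":
            exported.add(ev.seller_id)
        elif ev.action == "view":
            viewed.add(ev.seller_id)
        else:
            raise ValueError(f"unknown audit action {ev.action!r}")
    # A seller that both viewed and exported is independent for the exported copy.
    return {"independent_fiduciaries": sorted(exported), "view_only": sorted(viewed - exported)}


def build_dsar_response(events, customer_id, received):
    """Assemble the platform's DSAR response package for one data principal."""
    roles = classify_sellers(events, customer_id)
    return {
        "customer_id": customer_id,
        "received": received.isoformat(),
        "platform_responds_for": list(PLATFORM_HELD),
        "covered_by_platform_response": roles["view_only"],
        "contact_directly": roles["independent_fiduciaries"],
        "statement": (
            "The following sellers hold a copy of your contact data in their own systems "
            "and are independently responsible for responding: "
            + (", ".join(roles["independent_fiduciaries"]) or "none")
        ),
    }


def render_response(resp):
    """Plain-text rendering of the package, suitable for the letter sent to the customer."""
    lines = [f"DSAR response for {resp['customer_id']} (received {resp['received']})",
             "Platform-held data categories: " + ", ".join(resp["platform_responds_for"]),
             "Sellers covered by this response: " + (", ".join(resp["covered_by_platform_response"]) or "none"),
             resp["statement"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_response(build_dsar_response(SAMPLE_EVENTS, "C-1001", date(2026, 4, 1))))
```

The audit log is what makes this defensible: without a distinct "export" event the platform cannot tell the Board which sellers became independent Fiduciaries, so the download path should emit one before the data leaves the platform.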

Q 3.3

A customer demands complete deletion of their account and all data. What are the limits?

● PARTIAL DELETION ONLY

Must delete: profile data, browsing history, marketing preferences, saved addresses beyond active orders.

May retain: GST invoice records (mandatory 7 years), payment records for fraud/dispute resolution, order records under Consumer Protection Act, data in active legal proceedings.

🔧 Implementation Pattern
Build a deletion workflow: anonymise marketing/behavioural data immediately; quarantine transactional records in a restricted-access vault tagged with legal retention basis and expiry date; generate a deletion certificate for the customer.
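The deletion workflow above, worked through for the record categories listed under Q 3.3: profile data and saved addresses are erased, behavioural data is anonymised, retained records go to a quarantine list tagged with basis and expiry, and a certificate summarises the outcome. This is an added example, not the article's or CreativeCyber's code. The record schema, category names and sample records are constructed; the 7-year GST period comes from the FAQ, while the retention periods for payment and order records and the list of identifying payload keys are placeholder assumptions.

```python
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
import hashlib
import json
from typing import Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str                   # one of the category names in the disposition tables below
    customer_id: Optional[str]
    created: date
    order_id: Optional[str] = None
    payload: dict = field(default_factory=dict)


# Disposition per category (from Q 3.3). GST period is from the page; the others are assumptions.
ERASE = {"profile", "saved_address"}
ANONYMISE = {"browsing", "marketing_prefs"}
RETAIN = {
    "gst_invoice": ("GST invoice record, statutory retention", timedelta(days=7 * 365)),
    "payment": ("payment record for fraud/dispute resolution", timedelta(days=3 * 365)),   # assumed period
    "order": ("order record under Consumer Protection Act", timedelta(days=3 * 365)),      # assumed period
}
# Payload keys treated as identifying when anonymising (assumption; tune to the real schema).
IDENTIFYING_KEYS = {"name", "email", "phone", "address", "device_id"}


def plan_deletion(records, active_orders=frozenset(), legal_hold_orders=frozenset()):
    """Decide, record by record, what is erased, anonymised or quarantined, and why."""
    plan = {"erased": [], "anonymised": [], "quarantined": []}
    for r in records:
        if r.order_id in legal_hold_orders:          # active legal proceedings override everything
            plan["quarantined"].append({"record_id": r.record_id, "basis": "active legal proceedings",
                                        "expiry": None, "record": r})
        elif r.category == "saved_address" and r.order_id in active_orders:
            plan["quarantined"].append({"record_id": r.record_id, "basis": "delivery of active order",
                                        "expiry": None, "record": r})   # review when the order closes
        elif r.category in ERASE:
            plan["erased"].append(r.record_id)
        elif r.category in ANONYMISE:
            # Drop the customer link and identifying fields; keep only non-identifying counters.
            clean = {k: v for k, v in r.payload.items() if k not in IDENTIFYING_KEYS}
            plan["anonymised"].append(replace(r, customer_id=None, payload=clean))
        elif r.category in RETAIN:
            basis, period = RETAIN[r.category]
            plan["quarantined"].append({"record_id": r.record_id, "basis": basis,
                                        "expiry": r.created + period, "record": r})
        else:
            raise ValueError(f"no disposition rule for category {r.category!r}")
    return plan


def due_for_purge(quarantined, today):
    """Vault sweep: records whose tagged expiry has passed. Untagged (None) entries need review."""
    return sorted(q["record_id"] for q in quarantined if q["expiry"] is not None and q["expiry"] <= today)


def deletion_certificate(customer_id, plan, issued):
    """Customer-facing summary with an integrity digest over its own content."""
    body = {
        "customer_id": customer_id,
        "issued": issued.isoformat(),
        "erased_count": len(plan["erased"]),
        "anonymised_count": len(plan["anonymised"]),
        "retained": [{"basis": q["basis"], "expiry": q["expiry"].isoformat() if q["expiry"] else "pending review"}
                     for q in plan["quarantined"]],
    }
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "digest": digest}


# Constructed sample records for one customer (hypothetical identifiers).
SAMPLE_RECORDS = [
    Record("R1", "profile", "C-1001", date(2024, 1, 10), payload={"name": "A. Sample", "email": "a@example.invalid"}),
    Record("R2", "browsing", "C-1001", date(2026, 2, 1), payload={"device_id": "dev-1", "pages": 12}),
    Record("R3", "saved_address", "C-1001", date(2026, 3, 1), order_id="O-1"),   # O-1 still active
    Record("R4", "saved_address", "C-1001", date(2025, 6, 1), order_id="O-2"),   # O-2 delivered
    Record("R5", "gst_invoice", "C-1001", date(2024, 3, 1), order_id="O-2"),
    Record("R6", "payment", "C-1001", date(2025, 9, 1), order_id="O-3"),         # O-3 under dispute
]

if __name__ == "__main__":
    p = plan_deletion(SAMPLE_RECORDS, active_orders={"O-1"}, legal_hold_orders={"O-3"})
    print(json.dumps(deletion_certificate("C-1001", p, date(2026, 4, 1)), indent=2))
```

The vault sweep is the part teams most often forget: a quarantined record without an expiry tag silently becomes indefinite retention, so entries tagged `None` should surface in a periodic review rather than being skipped.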
