Track and trace solutions in all their various forms are currently all the rage. Retailers are increasingly looking to use metrics to demonstrate supply chain efficiencies and provide transparency over things like delivery times and sustainability information for a better customer experience, and this flows down through the supply chain with wholesalers and logistics providers sometimes leading the way by implementing their own solutions. There have even been a number of regulations from the European Commission requiring track and trace solutions for public health and customs purposes.

In this note, we take a look at some of the different technologies deployed in traceability schemes, key strategic questions to consider when structuring your contracts and some of the different legal aspects to the data generated in the process. 


Bar codes or QR codes feeding into a centralised database: Retailers may want different partners to input data or scan an item at various stages in the production process. By maintaining a centralised data repository, the retailer can use the data to oversee the various stages in the production process.      

  • However, the production line needs to be updated to apply the codes, and manufacturers will need to think through the impact on the production process: if supply chain partners need to apply or generate a code (potentially from a third party source, such as the ultimate retailer) then how will this new ‘raw material’ fit into the production timeline?
  • The European Commission imposed this type of solution for verifying the authenticity of medicinal and tobacco products under the Falsified Medicines Directive and the Tobacco Products Directive, requiring industry to establish data repository systems allowing data to be generated and tracked at all stages from manufacture to point of sale.
  • Interestingly, the Commission decided not to use this solution for Medical Devices where the requirement is simply to apply a unique ID number to each device and log that number with the regulator, but there is no end-to-end tracking system in place. Similarly, for customs tracking purposes, shippers only need to provide their Container Status Messages (an existing code used in the shipping industry) to the European Anti-Fraud Office (OLAF) which itself maintains a directory.
    Connected devices / Internet of Things (IoT):
  • Used for tracking larger assets (e.g. shipping containers or delivery vehicles), a connected IoT solution can provide real-time data on the location of products or other key status indicators, like temperature or shock. 
  • This type of solution can be used to provide data streams to end users, where the design and functionality of the user interface will be important for establishing a brand and recognition. Organisations purchasing this type of solution may therefore want to own or have exclusive rights in the user interface. They will then need to make sure the connected devices meet the technical requirements to operate with the user interface and the contract with the hardware vendor includes the necessary rights for interoperability if the user interface is procured from a separate vendor.
  • If you’re tracking devices using a global connectivity solution, you will also need to check your solution is suitably ‘future-proofed’ with countries switching off their 2G and even 3G networks, with more plans to do so (

Blockchain: Distributed ledger technology has been generating a lot of excitement for a while, and has been developed for track and trace applications in a number of situations, often for tracking high value or unique assets, such as diamonds, jewellery or artworks (see here for some examples:

  • The key advantage of blockchain is that each transaction is verified across the blockchain, so there is no single authority that could manipulate the transaction records. For many track and trace scenarios, that is not necessarily a concern. However, for high value or unique assets there is a clear vulnerability that blockchain could help address.
  • The difficulty then is linking up the asset to the blockchain. This would also require a system of unique IDs, and then the vulnerability shifts from ensuring the integrity of the single authority to the various players seeking to first register a unique ID on the blockchain. 
  • Whatever the relationships between the players in the particular market, there will need to be a comprehensive system of contractual relationships to set out what the legal effect of a particular transaction would be, and how that relates to activities on the blockchain.



Third party integrations: It’s important to consider the key stakeholders in the ecosystem. The real value from track and trace solutions often comes from integrations with third parties, for example if a retailer provides a platform for suppliers to input their data or if a logistics company allows customers to access and view data on their deliveries.

Centralised authority: If you’re tracking delivery vans, containers or other items where the real interest is in what’s inside them, who will have access to the manifest data? If you’re tracking larger or more valuable assets, do you need verification that the manifest matches the contents? If so, who will do this?

Ownership of the solution: One of the key strategic questions to consider before embarking on a track and trace project is whether you require exclusive use of the solution to establish a brand name, for example if you want to differentiate your core product by providing a unique data service on top, or alternatively if you simply want something off-the-shelf that can be more easily swapped out for a competing product further down the line. A hybrid strategy could be to use different vendors for different components, which can prove more challenging from a contractual / operational risk perspective, as a systems integration role may be required.



Commercialise and exploit: Track and trace solutions generate vast amounts of data.

  • It’s key at the outset to consider what value you want to derive from the data. What rights will you give customers and business partners to access the data? Will you generate any analytics using the data, and what sort of data products do you want to generate? You should make sure you have licence terms in place with any third parties accessing the data making sure you retain the rights you need for any future commercial exploitation.
  • Your supply contracts should make clear who owns the rights in the data, who backs up the data and whether you need any support with data portability on termination. 
  • Personal data: If you’re tracking people, such as delivery drivers, then you will need to think about your GDPR obligations. Have you checked if you need to do a Data Protection Impact Assessment? Even if you’re not tracking people, the GDPR is likely to be engaged given most solutions will collect personal data for the users logging into the system. Have you thought about how the GDPR will affect the contracting structure and transfers of personal data overseas? 
  • Non-personal data: You may have missed it, but there’s now a regulation on the free-flow of non-personal data ( Initially, this will mainly impact buyers in the public sector who need to think carefully before imposing any restrictions on the territory of data storage, but look out for the codes of conduct envisaged under this regulation which the Commission will encourage service providers to develop by 29 November 2020 and implement six months later.