AEPD (Spain) - EXP202208230
Latest revision as of 13:12, 13 December 2023
| AEPD - PS-00243-2023 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 28(2) GDPR; Article 28(3) GDPR |
| Type: | Complaint |
| Outcome: | Other Outcome |
| Started: | 29.06.2022 |
| Decided: | |
| Published: | 21.08.2023 |
| Fine: | 96,000 EUR |
| Parties: | FOURTH PARTY LOGISTICS, S.L.; Data Subject |
| National Case Number/Name: | PS-00243-2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | isabela_maria_rosal |
The Spanish DPA sanctioned a processor for violating Articles 28(2) and 28(3) GDPR. The sanction was imposed because no written contract existed between the processor and its sub-processors, and because the controller had not been told of the sub-processors' involvement in the processing.
English Summary
Facts
A package from Carrefour was to be delivered to the data subject's address. In case the data subject was not at home, they gave permission for the package to be left with a neighbour. However, the package was handed to someone else.
As controller, Carrefour had a contract with a processor responsible for deliveries, Fourth Party Logistics SL. That contract required the processor to notify Carrefour of the identity of any sub-processor before subcontracting. Although a sub-processor carried out the delivery, Carrefour was never notified of the existence of any sub-processor.
The processor, Fourth Party Logistics SL, explained that other companies in the Envialia network were involved in the delivery, namely Envialia World SL, Fourth Party Services SL and The Bee Logistics SLU, but no contract between these parties was presented to the DPA; the agreement with The Bee Logistics SLU was said to be verbal. Fourth Party Logistics SL thus neither complied with its contract with the controller nor had formal agreements with its sub-processors.
Holding
The DPA held that there was sufficient evidence to open a sanctioning procedure, in particular given the lack of legally binding instruments between the processor and the sub-processors involved in delivering the package to the data subject. Since the sub-processors had to process personal data under Carrefour's control, the GDPR had been breached.
On this basis, the Spanish DPA set a possible fine of €90,000 for the breach of Articles 28(2) and 28(3) GDPR. The processor chose to end the procedure by voluntarily paying the reduced fine of €72,000, which implies acknowledging the breach of the data protection rules.
Comment
This case shows that processors, and not only controllers, can be held liable for failing to comply with Article 28 GDPR.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202208230

RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

In the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On June 16, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against FOURTH PARTY LOGISTICS, S.L. (hereinafter, the respondent), by means of the Agreement transcribed below:

<< File No.: EXP202208230

AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS

In view of the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: Ms. A.A.A. (hereinafter, the complainant) filed a claim with the Spanish Data Protection Agency on June 29, 2022. The claim is directed against "Envialia" and states:

"Today, June 28 at 2:30 p.m., the courier with telephone number ***TELÉFONO.1 called me to deliver a package from Carrefour. As I was not at home, I told him to leave it with my neighbour on the first floor left, B.B.B. He told me that was perfect. When I got home 20 minutes later, my neighbour told me that nothing had been delivered. I called the carrier and was told that a boy in a cap came through the entrance, said it was him, and was handed the package without further ado. I have complained to the transport company and they tell me it was carried by a certain C.C.C. and that I should ask among the neighbours, when they are the ones who should do it. It is no longer just the lack of a solution for the outright theft of my package: in addition to my merchandise, the package contained all my personal information, ID, telephone number, address, name, surname and an invoice for the purchase with my bank details, data that I have at no time authorised them to hand to a stranger who can use it illicitly, causing me great harm. I ask you to intercede."

Along with the claim, a thread of emails exchanged with "Envialia" is provided.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the claim was transferred to ENVIALIA WORLD (hereinafter, EW) so that it could analyse it and inform this Agency, within one month, of the actions taken to comply with the requirements of the data protection regulations. The transfer, carried out in accordance with Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on July 28, 2022, as stated in the certificate on file.

On August 25 of the same year, this Agency received a response letter stating that "...it had not been aware of the matter until the notification received from the AEPD, so it had not been possible to respond to the claimant, since we did not have the claim or her contact details. A response is hereby sent to the e-mail address in Annex 1 (***USUARIO.1@hotmail.com) and a copy of the response given is attached.

b) Regarding the decision adopted in relation to this claim: it is necessary to understand the roles of the various companies involved in the delivery process:

Client: contracts the services of the cargo agency.
Cargo agency: acts as data controller; it has a contract with Envialia World, which makes available to it the Envialia network, made up of other agencies with which it has a contract.
Envialia World: acts as data processor.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
Cargo agency (destination): acts as sub-processor.
Recipient: the data subject, in this case harmed by the malpractice of the cargo agency's courier.

At Envialia World we consider this fact to be a theft and in this situation we inform the responsible agencies so that they file the corresponding complaint. On the other hand, whether the cargo agency, ENVIALIA WORLD or the destination agency, they are only responsible for the data that appears on the label accompanying the package to be delivered; in no case can they be responsible for the data that may be inside the package (such as the invoice with bank details mentioned by the data subject), since none of the ENVIALIA companies or agencies involved access, should access, or even know what is inside the package. We understand that if there is any kind of violation of the rights of the data subject, it is on the part of the sub-processor, which is the destination agency. For this reason, we are informing it of the claim received, analysing the reasons that gave rise to the poor delivery practice and demanding the application of measures to prevent the problem from recurring..."

THIRD: On August 30, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the complainant was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection carried out preliminary investigative actions to clarify the facts at issue, by virtue of the functions assigned to supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with Title VII, Chapter I, Second Section, of the LOPDGDD, learning the following:

On April 12, 2023, EW was requested to provide: "1. Description of all parties involved in the business relationship and the shipment collection/delivery process. 2. Documentation proving the relationships of ENVIALIA WORLD S.L. with the parties described in your answer, and in particular the data processing agreement, since point 2.b) of your answer defines ENVIALIA WORLD S.L. as a data processor."

On April 27, 2023, a response was received in the following terms:

- In its FIRST point, responding to point 1 of the request: "Client: CENTROS COMERCIALES CARREFOUR, S.A., with NIF A28425270, domiciled at P.I. "Las Mercedes", Calle Campezo 16, 28022 Madrid. Cargo agency: FOURTH PARTY LOGISTICS, S.L., with NIF B86496007, domiciled at Avenida de Suiza 2, 28821 Coslada, Madrid. FOURTH PARTY LOGISTICS SL operates under the ENVIALIA brand, within a national transport network. FOURTH PARTY LOGISTICS subcontracts the services of FOURTH PARTY SERVICES, S.L., a company from the same network, which maintains relations with ENVIALIA WORLD, S.L., established in a transport and courier contract. ENVIALIA WORLD SL makes its transport network available to FOURTH PARTY SERVICES SL to carry out the management and provision of services. In this case, the courier shipment was carried out directly by FOURTH PARTY SERVICES SL, through the company THE BEE LOGISTICS, SLU, which was the one that had to deliver the package to Ms. A.A.A. The courier delivered the package to the neighbour indicated by Ms. A.A.A., a fact not disputed by the complainant; what happens is that she indicates that the neighbour's name is B.B.B. and the package is delivered to C.C.C., who picks it up and provides his ID. On the other hand, the only data available to FOURTH PARTY SERVICES SL are those that appear on the package, identifying information only, and in no case bank details or a national identity document or equivalent. In any case, after the incident, FOURTH PARTY SERVICES SL asked THE BEE LOGISTICS, SLU to adopt preventive and reactive measures and to review the Envialia Operations Manual with its workers to ensure proper compliance.

The collection and delivery process is as follows:
1. The customer buys at Carrefour through its online platform and, once the purchase process is completed, Carrefour gives the order to its transport and courier provider, FOURTH PARTY LOGISTICS SL, to carry out the delivery. The daily communication of the list of shipments that will travel through the Envialia network is done through a SOAP service, from which an XML is extracted with the data necessary for the correct management and delivery of the shipment (address, type of service, observations, etc.). The label is generated from ZPL code, with a CODE 128 barcode.
2. FOURTH PARTY LOGISTICS, through FOURTH PARTY SERVICES, carries out the delivery of the package with the collaboration of the transport company THE BEE LOGISTICS, contracted for this service.
3. THE BEE LOGISTICS SLU makes the delivery to the person indicated by the buyer, Ms. A.A.A."

- In its SECOND point, responding to point 2 of the request: "In response to this question, we attach the current contract formalised between CARREFOUR and FOURTH PARTY LOGISTICS SL. The contract between FOURTH PARTY LOGISTICS and THE BEE LOGISTICS SLU is a verbal contract, since RD-Law 3/2022, which established the obligation that continuous transport contracts be in writing while giving full validity to sporadic transport contracts with only the corresponding consignment note, did not come into force until September 2022."

EW provides a copy of a service provision contract between FOURTH PARTY LOGISTICS S.L. and CENTROS COMERCIALES CARREFOUR S.A. for the distribution, home delivery and delivery of the merchandise sold.
LEGAL GROUNDS

I. Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD provides: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions enacted in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II. Possible administrative infringement

Article 4 of the GDPR, points 7 and 8, specifies what is to be understood by controller and processor:

"(7) 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;..."

In short, the controller is the natural or legal person or public authority that decides on the processing of personal data, determining the purposes and means of that processing. Under the principle of accountability, the controller must apply technical and organisational measures, in response to the risk that the processing of personal data involves, so as to comply with the Regulation and be able to demonstrate compliance.

For its part, the processor is the natural or legal person, public authority, agency or other body that provides a service to the controller which entails the processing of personal data on its behalf. In this sense, the controller decides the "why" and "how" of the personal data, and the processor is the one that carries out the processing on the controller's behalf.

The figure of the processor is defined in article 28 of the GDPR, which sets out the data protection requirements that must be met:

"1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) takes all measures required pursuant to Article 32;

(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

(...)"

These specific obligations may be supervised by the supervisory authorities for
data protection, without prejudice to the control that may be exercised over compliance with the GDPR or the LOPDGDD by the controller or the processor.

In accordance with article 28 GDPR, the controller and the processor must regulate the processing in a contract or other legal act binding the processor with regard to the controller; that contract or legal act must set out the subject-matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the controller, etc.

The processor may in turn engage another processor ("sub-processor") provided that it has the prior written authorisation of the controller, whether specific or general. In such cases, the processor is obliged to inform the controller of any changes concerning the addition or replacement of other processors, so that the controller can object to those changes. The relationship between the controller and the processor, or between the processor and another processor, must be formalised in writing, including in electronic format. In both cases, the processor or "sub-processor" must be subject to the same obligations referred to in paragraph 3 of article 28 transcribed above.

In the present case, EW explains that:

- Envialia World has a transport and courier contract with Fourth Party Logistics.
- Fourth Party Logistics subcontracts the services of Fourth Party Services.
- Envialia World makes its transport network available to Fourth Party Services so that it provides the service.
- Fourth Party Logistics has a verbal courier contract with The Bee Logistics, a company it identifies as a "cargo agency" and which would be responsible for delivering the package.

A copy of a service contract is provided between CENTROS COMERCIALES CARREFOUR SA, NIF A28425270 (as client, although its signature does not appear), and FOURTH PARTY LOGISTICS SL, NIF B86496007 (as carrier), for home delivery of goods, whose data protection section declares that the former is the controller and the latter the processor of the personal data. That contract expressly establishes: "...In those cases in which the subcontracted service involves access to or processing of personal data owned by CARREFOUR by the subcontracted company, the CARRIER must guarantee that the subcontracting is carried out in compliance with the applicable legislation and, in particular, with the Personal Data Protection regulations. In the event that authorised subcontractors have access to personal data under the responsibility of CARREFOUR, they will act as sub-processors, and the following shall apply:

• The CARRIER will notify CARREFOUR of the identity of the sub-processor before proceeding with the subcontracting;
• The processing of data by the sub-processor must comply with CARREFOUR's instructions; and
• The CARRIER and the sub-processor will sign a contract/clause in accordance with the Data Protection regulations. The CARRIER will notify CARREFOUR of the execution of this contract with the sub-processor and will provide a copy if so requested..."

EW states that between FOURTH PARTY LOGISTICS SL and THE BEE LOGISTICS SL there is a verbal service contract, but this is not accredited. It is evident that between ENVIALIA WORLD SL, FOURTH PARTY SERVICES SL and FOURTH PARTY LOGISTICS SL there are contractual relationships, although no documentation thereof has been provided.

Consequently, FOURTH PARTY LOGISTICS SL, ENVIALIA WORLD SL, FOURTH PARTY SERVICES SL and THE BEE LOGISTICS SL would necessarily also have to process personal data, FOURTH PARTY LOGISTICS SL doing so in its capacity as processor and ENVIALIA WORLD S.L., FOURTH PARTY SERVICES SL and THE BEE LOGISTICS SL as its sub-processors. Analysing the relationship between the different participants, it is evident that the subcontracting does not comply with the data protection regulations in force, due to the lack of formalised contracts or legal acts, as well as the lack of prior authorisation for that subcontracting.

In accordance with the evidence available at the time of this agreement to initiate the sanctioning procedure, and without prejudice to what results from the investigation, it is considered that the known facts could constitute an infringement attributable to FOURTH PARTY LOGISTICS SL for violation of articles 28.2 and 28.3 of the GDPR.

IV.
Classification of the infringement of article 28.2 of the GDPR If confirmed, the aforementioned infringement of article 28.2 of the GDPR could lead to the commission of the offenses typified in article 83.4 of the GDPR that under the The heading "General conditions for the imposition of administrative fines" provides: Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of maximum EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the largest amount: a) the obligations of the controller and the person in charge under articles 8, 11, 25 to 39, 42 and 43; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/15 (…)” In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 73 "Infractions considered serious" of the LOPDGDD indicates: "Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) l) The contracting by a person in charge of the treatment of other managers without counting with the prior authorization of the person in charge, or without having informed him about the changes produced in subcontracting when legally required. (…)”. 
V. Penalty for violation of article 28.2 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, the sanction to be imposed must be graduated according to the following criteria established by article 83.2 of the GDPR:

As aggravating factors:

- b) The link between the offender's activity and the performance of personal data processing. The Judgment of the National Court of 17 October 2007 (rec. 63/2006), concerning entities whose activity involves the continuous processing of customer data, indicates that "...the Supreme Court has understood that there is recklessness whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. In assessing the degree of diligence, the professionalism or otherwise of the subject must be given special consideration, and there is no doubt that, in the case now examined, where the appellant's activity consists of the constant and abundant handling of personal data, rigour and exquisite care in complying with the legal provisions in this regard must be insisted upon.” FOURTH PARTY LOGISTICS SL is a company engaged in the transport of goods by rail on standard and narrow gauge track, freight transport by road, other land transport, international maritime transport of goods (except crude oil and gases), cabotage and inland waterway transport (except crude oil and gases). Transport companies handle a very significant amount of data: that of customers and their shipments, as well as that of employees and suppliers. FOURTH PARTY LOGISTICS SL is registered in the Mercantile Registry of Madrid; it is a small-sized company whose share capital is in the range of €50,001 to €100,000, with between 11 and 50 employees and sales of between €3,000,001 and €50,000,000.

The balance of the circumstances contemplated in article 83.2 of the GDPR and article 76.2 of the LOPDGDD, with respect to the infringement committed by violating article 28.2 of the GDPR, allows a sanction of €60,000 (SIXTY THOUSAND EUROS) to be set initially.

VI. Classification of the violation of article 28.3 of the GDPR

If confirmed, the aforementioned violation of article 28.3 of the GDPR could constitute the infringement typified in article 83.4 of the GDPR, which, under the heading “General conditions for the imposition of administrative fines”, provides: “Infringements of the following provisions shall be subject, in accordance with paragraph 2, to administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, article 71 “Infringements” of the LOPDGDD establishes that “the acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “On the basis of article 83.4 of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered serious and shall be time-barred after two years, and in particular the following: (…) k) Entrusting the processing of data to a third party without the prior formalisation of a contract or other written legal act with the content required by article 28.3 of Regulation (EU) 2016/679. (…)”.
VII. Penalty for violation of article 28.3 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, the sanction to be imposed must be graduated according to the following criteria, as article 83.3 of the GDPR establishes:

As aggravating factors:

- b) The link between the offender's activity and the performance of personal data processing. The Judgment of the National Court of 17 October 2007 (rec. 63/2006), concerning entities whose activity involves the continuous processing of customer data, indicates that "...the Supreme Court has understood that there is recklessness whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. In assessing the degree of diligence, the professionalism or otherwise of the subject must be given special consideration, and there is no doubt that, in the case now examined, where the appellant's activity consists of the constant and abundant handling of personal data, rigour and exquisite care in complying with the legal provisions in this regard must be insisted upon.” FOURTH PARTY LOGISTICS SL is a company engaged in the transport of goods by rail on standard and narrow gauge track, freight transport by road, other land transport, international maritime transport of goods (except crude oil and gases), cabotage and inland waterway transport (except crude oil and gases). Transport companies handle a very significant amount of data: that of customers and their shipments, as well as that of employees and suppliers. FOURTH PARTY LOGISTICS SL is registered in the Mercantile Registry of Madrid; it is a small-sized company whose share capital is in the range of €50,001 to €100,000, with between 11 and 50 employees and sales of between €3,000,001 and €50,000,000.

The balance of the circumstances contemplated in article 83.2 of the GDPR and article 76.2 of the LOPDGDD, with respect to the infringement committed by violating article 28.3 of the GDPR, allows a sanction of €60,000 (SIXTY THOUSAND EUROS) to be set initially.

VIII. Adoption of measures

If the infringement is confirmed, the person responsible could be ordered to adopt appropriate measures to bring its actions into line with the regulations referred to in this act, in accordance with the aforementioned article 58.2 d) of the GDPR, under which each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…”. The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided in art. 83.2 of the GDPR. It is warned that failure to comply with any order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative offence under the GDPR, classified as an infringement in its articles 83.5 and 83.6, and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency AGREES:

FIRST: TO INITIATE SANCTIONING PROCEEDINGS against FOURTH PARTY LOGISTICS, S.L., with NIF B86496007, for the alleged violation of articles 28.2 and 28.3 of the GDPR, both typified in article 83.4 a) of the GDPR.

SECOND: TO APPOINT D.D.D. as instructor and, as secretary, E.E.E., indicating that either of them may be challenged, where applicable, in accordance with articles 23 and 24 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT, for the purposes of article 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the sanction that may apply, without prejudice to what results from the investigation, would be: SIXTY THOUSAND EUROS (€60,000) for the alleged violation of article 28.2, typified in article 83.4 a) GDPR; SIXTY THOUSAND EUROS (€60,000) for the alleged violation of article 28.3, typified in article 83.4 a) GDPR.

FIFTH: TO NOTIFY this agreement to FOURTH PARTY LOGISTICS, S.L., with NIF B86496007, granting a hearing period of ten business days in which to submit the allegations and evidence it considers appropriate. In its written allegations it must provide its NIF and the procedure number that appears at the top of this document. If it does not make allegations against this initiation agreement within the stipulated period, the agreement may be considered a proposed resolution, as established in article 64.2.f) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with article 85 of the LPACAP, it may acknowledge its responsibility within the period granted for the submission of allegations against this initiation agreement, which will entail a 20% reduction in the sanction that may be imposed in this procedure.
With the application of this reduction, the penalty would be set at 96,000.00 euros, and the procedure would be resolved with the imposition of this sanction. Likewise, at any time prior to the resolution of this procedure, it may make voluntary payment of the proposed sanction, which will entail a 20% reduction of its amount. With the application of this reduction, the penalty would be set at 96,000.00 euros and its payment will imply termination of the procedure, without prejudice to the imposition of the corresponding measures. The reduction for voluntary payment of the penalty is cumulative with that applicable for acknowledgement of responsibility, provided that the acknowledgement of responsibility is made within the period granted for submitting allegations at the opening of the procedure. Voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In that case, if both reductions were applied, the amount of the penalty would be set at 72,000.00 euros. In any case, the effectiveness of either of the two reductions mentioned will be conditional on the withdrawal or waiver of any administrative action or appeal pending against the sanction. Should it choose to proceed with voluntary payment of either of the amounts indicated above (96,000.00 euros or 72,000.00 euros), it must do so by depositing it in IBAN account number ES00-0000-0000-0000-0000-0000 (BIC/SWIFT code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A., indicating in the payment reference the procedure number appearing in the heading of this document and the reason for the reduction of the amount applied.
Likewise, it must send proof of payment to the General Subdirectorate of Inspection in order to continue the procedure in accordance with the amount paid. The procedure will have a maximum duration of twelve months from the date of the initiation agreement. After this period it will expire and, consequently, the proceedings will be filed, in accordance with article 64 of the LOPDGDD. Finally, it is noted that, in accordance with article 112.1 of the LPACAP, no administrative appeal lies against this act. 935-290523 Mar España Martí Director of the Spanish Data Protection Agency >>

SECOND: On 3 July 2023, the claimed party paid the penalty in the amount of 72,000 euros, making use of the two reductions provided for in the initiation Agreement transcribed above, which implies the acknowledgement of responsibility.

THIRD: The payment made within the period granted for submitting allegations against the opening of the procedure entails the waiver of any administrative action or appeal pending against the sanction and the acknowledgement of responsibility in relation to the facts referred to in the Initiation Agreement.

FOUNDATIONS OF LAW

I. Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II. Termination of the procedure

Article 85 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning proceedings", provides the following: "1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and another of a non-pecuniary nature may be imposed but the inadmissibility of the latter has been justified, voluntary payment by the alleged offender at any time prior to the resolution will imply termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for the damages caused by the commission of the infringement. 3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure shall apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction. The reduction percentage provided for in this section may be increased by regulation."

According to the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure EXP202208230, in accordance with article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to FOURTH PARTY LOGISTICS, S.L.

In accordance with article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided in article 46.1 of that Law.

936-040822 Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es