AEPD (Spain) - PS/00670/2022

From GDPRhub
Revision as of 09:24, 29 July 2024 by Lm (talk | contribs)
AEPD - PS/00670/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(7) GDPR
Article 4(12) GDPR
Article 5(1)(f) GDPR
Article 32 GDPR
Article 58(2) GDPR
Article 83(1) GDPR
Article 83(2) GDPR
Article 83(4) GDPR
Article 83(5) GDPR
Article 47 LOPDGDD
Article 48(1) LOPDGDD
Article 63 LPACAP
Article 64 LPACAP
Article 64(2) LOPDGDD
Article 65 LOPDGDD
Article 68(1) LOPDGDD
Article 71 LOPDGDD
Article 73 LOPDGDD
Article 76 LOPDGDD
Type: Complaint
Outcome: Upheld
Started: 15.03.2018
Decided:
Published: 03.06.2024
Fine: 55000
Parties: GEOPOST ESPAÑA, S.L.
A.A.A.
National Case Number/Name: PS/00670/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: isabela.maria.rosal

The Spanish DPA fined a controller €45,000 for leaving a note in a common area of a residential building, accessible by various people, with different personal information of the data subject, confirming a breach of Articles 5(1)(f) and 32 GDPR.

English Summary

Facts

A seller company provided the wrong address for a delivery, which was notified by the customer (the data subject) for the correction of the information. However, the delivery company (the controller) left a note with different personal information outside of the wrong address, in a place accessible by various people.

Holding

First, the DPA recognized that a confidentiality breach occurred by the data controller when leaving a note with the data subject's personal information outside of the resident, according to Articles 4(12). In the same evaluation, the DPA confirmed a breach of Articles 5(1)(f) and 32 GDPR. Even though the data controller argued that a breach of Article 32 would already include any breach of Article 5(1)(f), since there was only one action, the DPA considered that the same action violated the different provisions.

Second, the DPA recognized that an employee's negligent action does not exclude the data controller's responsibility, according to Article 4(7) GDPR. On this, the DPA reaffirmed that the initial delivery company was incorporated by a new company, which should be considered as the controller for the procedure. Finally, the DPA confirmed that even though there were good practices in place, there was a personal data confidentiality breach, thus the policies could not be considered as mitigating measures for the sanction.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/23








     File No.: EXP202210818 (PS/00670/2022)




               RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based
to the following


                                  BACKGROUND

FIRST: Mrs. A.A.A. (hereinafter, the complaining party), on September 12
of 2022, filed a claim with the Spanish Data Protection Agency. The
claim is directed against GEOPOST ESPAÑA, S.L. (absorbing company of the

extinct SEUR, S.A.), with NIF B85645349, (hereinafter, GEOPOST). The motives
on which the claim is based are the following:

The complaining party states that GEOPOST was in charge of collecting a
Amazon product, at address ***ADDRESS.1, on 08/29/2022. No

However, Amazon incorrectly indicated the address since at that time the
claiming party was in ***LOCALITY.1.

On August 29, 2022, the complaining party requested Amazon to modify
the direction.


On September 6, 2022, he learned through relatives that
They passed by the house, that a delivery man from the claimed company had left
a notice on the outside of the mailbox of your home in ***LOCALIDAD.2, in view of
any neighbor or visitor to the property, in which your personal data appeared,
specifically, your first and last name, postal address, as well as your telephone number.


This label was displayed in a transit area until September 6,
2022, date on which he retired.

Along with the claim, provide a copy of the message received in your email

on the date of collection of the package, sent by the claimed party, mail
email sent by Amazon to the complaining party in which it is revealed
the correction of the package pick-up address, as well as various images of
the label displayed on the outside of the mailbox for your address at ***LOCALITY.2.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and Guarantee of Digital Rights
(hereinafter LOPDGDD), said claim was communicated to the claimed party,
to proceed with its analysis and report to this Agency within a period of one month,
of the actions carried out to adapt to the requirements provided for in the
data protection regulations.


The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/23








Public Administrations (hereinafter, LPACAP), through electronic notification, was received in
date October 17, 2022, as stated in the certificate in the file.


On November 14, 2022, this Agency received a written response from
the claimed part in which it states the following:

- That on August 30, 2022, a GEOPOST delivery person went to the
the claimant's address to make a collection.


- That the claimant was absent at the time of collection.

- That, consequently, the delivery man left an absent notice posted on the outside
from the claimant's mailbox


In this way, after analyzing the facts, GEOPOST considers that the incidence has been
produced as a result of human error on the part of the delivery person, and there must have been
left the warning note inside the mailbox or under the door as indicated by the
GEOPOST manual and not posted on the outside of the mailbox.

In this sense, GEOPOST informs the AEPD that, in compliance

of the obligations of the applicable regulations of its transport activity, it has
implemented the corresponding procedures and corporate manuals, where
They determine the guidelines to follow for the correct delivery or collection of the merchandise.

Specifically, it is indicated that GEOPOST has a manual with the operations that

delivery drivers must follow the so-called “Delivery Operative Manual”,
document that is delivered to them at the time of contracting or
beginning of the provision of the service with GEOPOST. In the section “Operation in
Route” of said manual specifically specifies the obligation that the delivery of
the merchandise must always be made to the recipient and that, in case of absence of the

recipient, an absent notice note will be left at the address under the door,
on the door wedge or in the mailbox. Screenshots of the manual are included as Annex I.
where the obligations of the delivery people for the correct delivery or
merchandise collection.

In addition, it states that GEOPOST provides regular training to delivery drivers.

about the obligations established in the different procedures and manuals
corporate, emphasizing the importance of making good use and treating
diligently manage the personal data that they manage on a daily basis from the senders,
recipients and/or authorized. Specifically, one of the latest training actions
carried out consisted of disseminating a video called “Good practices in

Privacy".

For all this, it confirms that the incident has occurred due to specific malpractice
of the delivery person by not following the company's internal protocols.


However, and as a result of the incident that occurred, GEOPOST has
reiterated the commitment that all delivery drivers comply with what is established in
the different procedures, policies and manuals made available to you with the
in order to correctly carry out deliveries and returns, as well as, a

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/23








diligent action on the personal data they process in compliance with their
job functions or service provision.
Finally, it indicates that GEOPOST manages a large volume of deliveries daily.

and collected, properly following the protocols by the delivery people
internal of the company without incidents similar to the object of this
claim. In 2021 alone, the volume managed was more than 50 million
of deliveries and collections and considers that the malpractice of the delivery person is a fact that
It does not resemble normal operations.


THIRD: On December 2, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: According to the report collected from the AXESOR tool, the extinct
SEUR, S.A. (absorbed by GEOPOST ESPAÑA, S.L.) is a medium-sized company

established in 1984, and with a turnover of (…) €, in 2021.

FIFTH: On May 22, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of Public Administrations (in

hereinafter, LPACAP), for the alleged violation of Article 5.1.f) of the RGPD, typified
in article 83.5 of the RGPD, as well as for the alleged violation of article 32 of the
RGPD, typified in article 83.4 of the RGPD.

SIXTH: The aforementioned initiation agreement was notified on May 23, 2023 in accordance with the

rules established in Law 39/2015, of October 1, on the Procedure
Common Administrative System of Public Administrations (hereinafter, LPACAP),
GEOPOST presented a written statement of allegations in which, in summary, it stated that the
incident has occurred due to poor practice by the delivery person by failing to comply with the
instructions and internal company protocols; there was no possibility of

commit a violation of article 5.1 f) without the commission, in turn, of an infraction
of article 32 of the RGPD, and only the corresponding sanction should be imposed
to the most serious infraction committed (art. 29.4 of the LRJSP); understands it is proven that
have adopted appropriate measures (protocols, periodic training plan...) in
depending on the risk and, finally, with respect to aggravating factors, the
volume of orders managed by GEOPOST and the exceptional nature of this type of

cases, other circumstances not having been taken into account as mitigating circumstances
to reduce sanctions.

SEVENTH: On January 31, 2024, the investigating body of the procedure
formulated a proposed resolution, in which it proposes that the Director of the AEPD

GEOPOST is sanctioned, with NIF B85645349, for a violation of Article 5.1.f) of the
RGPD, typified in article 83.5 of the RGPD, with a fine of €40,000 (forty
thousand euros), and for the alleged violation of article 32 of the RGPD, typified in the
article 83.4 of the RGPD, with a fine of €15,000 (fifteen thousand euros).


This proposed resolution, which was notified to GEOPOST in accordance with the rules
established in Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (LPACAP), was collected on date 1 of
February 2024, as stated in the acknowledgment of receipt in the file.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/23










EIGHTH: On February 14, 2024, this Agency receives, on time and

form, letter from GEOPOST in which it alleges allegations to the proposed resolution
in which, in summary, it manifested the violation of the right to defense due to absence
of accreditation of the facts of which he is accused.

Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:



                                PROVEN FACTS

FIRST: On August 29, 2022, at 10:38 a.m., AMAZON sent the

complaining party an email from the address (...)@amazon.es with the
following content:

“Hello, A.A.A.

I hope you are having a great day and have a great week!


You talk to B.B.B., Amazon.es customer service agent, who had
the pleasure of helping you today.

I appreciate the time you have so kindly taken to contact us and

so we can do everything necessary to improve the service we provide you.

Initially I apologize for the difficulties encountered with your order, please
that you deserve quality service and I want you to know that you have nothing to
worry since you have our support in all your purchases and the solution that

We will always look for the one that benefits you the most.

As we agreed today, SEUR will collect the package within 72 business hours.
You do not need to print any return labels. SEUR will take care of
You provide the label and it will be attached to the package when you arrive to pick up the product.


Address:
A.A.A.
***ADDRESS.2
Main phone ***PHONE.1


I hope I have solved your request, it was a pleasure to assist you today, I
I have done everything in my power to provide you with the best answer, so
so you can have the best Customer service experience on Amazon.es.

[…]”


SECOND: On August 29, 2022, at 1:14 p.m., GEOPOST sent
to the complaining party an email from the address
infoenvios@mail.seur.info with the following content:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/23









“Hello A.A.A.


Pickup of your shipment is estimated today between 1:45 p.m. and 2:45 p.m.

Collection data

Shipping number: (...)


Address: ***ADDRESS.1

THIRD: In the photographs in the file (pages 7 to 8), provided
by the claiming party next to the claim, the exterior of a
mailbox inside a doorway of a building. A note is attached to the mailbox

“SEUR”, in which personal data of the complaining party appears, specifically, their
name and surname, postal address, as well as your telephone number, and how
recipient “AMAZON – returns”.

Given the transfer of the claim of October 17, 2022 formulated by this
Agency, GEOPOST sent a response on November 14, 2022, which states

that: “…after receiving this information request, SEUR, S.A. ha
proceeded to investigate the events that occurred and has verified the following:
- That on August 30, 2022, a SEUR, S.A. delivery driver went to
the claimant's address to make a collection.
- That the claimant was absent at the time of collection.

- That, consequently, the delivery man left an absent notice posted on the outside
from the claimant’s mailbox.” (emphasis is ours)

Therefore, GEOPOST recognizes the veracity of the content of the
photograph provided by the complaining party.


Consequently, it is considered proven that the label was attached to the mailbox by the
GEOPOST delivery man.

FOURTH: On August 3, 2023, an announcement was published in the BORME
merger by absorption of GEOPOST ESPAÑA, S.L. (absorbing company) and SEUR,

S.A. (absorbed company).



                           FOUNDATIONS OF LAW


                                           Yo
                                    Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679

(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
Guarantee of Digital Rights (hereinafter, LOPDGDD), is competent to

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/23








initiate and resolve this procedure, the Director of the Spanish Agency for
Data Protection.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."




                                           II
                                  Previous Issues


GEOPOST ESPAÑA, S.L. has carried out a corporate merger operation
absorption of SEUR, S.A., according to the agreement referred to in the Fourth Proven Fact,
acquiring by universal succession all the rights and obligations of SEUR, S.A.,
which is declared extinct. In this way, the present procedure, initiated against
SEUR, S.A. It continues its processing with GEOPOST ESPAÑA as the claimant,
S.L.


GEOPOST is a leading company in urgent transportation and comprehensive logistics in
Spain that processes personal data for the development of its activity,
personal data being understood as: “all information about a natural person
identified or identifiable.”


You carry out this activity in your capacity as data controller, given that it is
who determines the purposes and means of such activity, under article 4.7 of the GDPR:
"responsible for the treatment" or "responsible": the natural or legal person, authority
public, service or other body that, alone or together with others, determines the purposes and

means of treatment; whether Union or Member State law
determines the purposes and means of the treatment, the person responsible for the treatment or the
Specific criteria for their appointment may be established by Union Law.
or of the Member States

An identifiable natural person is considered one whose identity can be determined,

directly or indirectly, in particular through an identifier, such as a
name, an identification number, location data, an online identifier or
one or more elements of the physical, physiological, genetic, psychological identity,
economic, cultural or social of said person.


Likewise, treatment should be understood as “any operation or set of
operations carried out on personal data or sets of personal data, whether
whether by automated procedures or not, such as collection, registration, organization,
structuring, conservation, adaptation or modification, extraction, consultation,
use, communication by transmission, dissemination or any other form of

enabling access, collating or interconnecting, limiting, deleting or destroying.”

Article 4 section 12 of the GDPR broadly defines “violations of
security of personal data” (hereinafter security breach) as “all

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/23








those security violations that cause the destruction, loss or
accidental or illicit alteration of personal data transmitted, preserved or processed
otherwise, or unauthorized communication or access to said data.”


The reported facts materialize in access by uninterested third parties to
personal data of the complaining party due to malpractice by a delivery person by not
Follow internal company protocols.

In the present case, there is a personal data security breach in the

circumstances indicated above, categorized as a breach of confidentiality,
whenever the claimed party has exposed personal information and data
without legitimizing legal basis, when a delivery person leaves an absent notice note attached
on the outside of the claimant's mailbox (the label only indicated the number and
letter of the apartment), in which your personal data appeared: name, surname, address

postal address, as well as your telephone number.

According to GT29, a “Violation of confidentiality” occurs when
an unauthorized or accidental disclosure of personal data, or access to
themselves.


Within the treatment principles provided for in article 5 of the RGPD, the
integrity and confidentiality of personal data is guaranteed in section 1.f)
of article 5 of the GDPR. For its part, the security of personal data comes
regulated in article 32 of the RGPD, which regulates the security of the treatment.




                                           III
 Response to the allegations made by GEOPOST to the initiation agreement and the
                  allegations adduced to the proposed resolution



A) In relation to the allegations alleged to the agreement at the beginning of this
sanctioning procedure, we proceed to respond to them according to the order
stated by GEOPOST in its writing:


“FIRST.- Regarding the issue that is the subject of the sanctioning procedure, the receipt of the
request for information from the AEPD by GEOPOST and the response
carried out by GEOPOST.”

Firstly, the claimed party alleges that the incident occurred due to poor

praxis of the delivery person by failing to comply with the instructions and internal protocols of the
company, even using a specific document (shipping identification label)
for a purpose incompatible with that for which it had been designed by GEOPOST.

In response to this allegation, it should be noted that the security measures

must be adopted in response to each and every one of the risks present in a
processing of personal data, including among them, the factor
human. The employee's negligent actions do not exempt the employee from liability.
GEOPOST, responsible for the data processing now analyzed, since

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/23








As defined in art 4.7 of the RGPD, it is the entity that determines the purpose and means
of the treatments performed.


The responsibility of the company in the area of sanctions for the action
negligence of an employee that involves non-compliance with the regulations of
Data protection has been confirmed by the jurisprudence of the Supreme Court.

In this regard, it is worth mentioning the Supreme Court Ruling no.
188/2022 (Litigation Chamber, Section 3), of February 15, 2022 (rec.

7359/2020), whose Fourth Legal Basis provides:

“The fact that it was the negligent action of an employee does not exempt him from his
responsibility as the person in charge of the correct use of safety measures
security that should have guaranteed the proper use of the security system

designed data record. As we already stated in STS No. 196/2020, of December 15,
February 2021 (rec. 1916/2020) the person in charge of the treatment is also responsible for
the performance of its employees and cannot excuse itself in its diligent performance,
separately from the actions of its employees, but rather it is the "guilty" action
of these, as a consequence of the violation of existing security measures, which
bases the responsibility of the company in the area of sanctions for acts

“own” by their employees or positions, not third parties.”

The sentence continues arguing about the responsibility of the
legal entities in our system: “…It simply happens that, being
admitted in our Administrative Law the direct responsibility of people

legal, which are therefore recognized as infringing capacity, the subjective element
of the infringement is reflected in these cases in a different way than what happens with respect to
of natural persons, so that, as indicated by the constitutional doctrine that
We have previously reviewed -SsTC STC 246/1991, December 19 (F.J. 2) and 129/2003,
of June 30 (F.J. 8) - direct blameworthiness derives from the legal good protected by

the rule that is violated and the need for said protection to be truly effective
and for the risk that, consequently, the legal entity that is subject must assume
to compliance with said standard." (emphasis added)

For all the above reasons, this allegation is rejected.



“SECOND.- Regarding the Agreement to Start the Sanctioning Procedure and the
infractions proposed by the AEPD”

Regarding the Agreement to Start Sanctioning Procedures and the infractions established by

this Agency, GEOPOST considers that in this case, faced with a single conduct (the
deliveryman mistakenly affixed the package label to the outside of the mailbox), did not
there would be a possibility of committing a violation of article 5.1 f) without the commission, at its discretion.
time, of a violation of Article 32 of the GDPR, since Article 32 of the GDPR is
a more concrete and detailed specification of the general principle established in the

article 5.1 f) of the RGPD, which is why it requests that, in the event that
assess an infringement on the part of GEOPOST, article 29.5 of the
LRJSP which states that: “When the commission of an infraction results


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/23








necessarily the commission of another or others, only the sanction should be imposed
corresponding to the most serious infraction committed.”


Well, the guarantee of confidentiality and the security of the treatment have their
fundamentally reflected in two independent precepts of the GDPR: in the article
5.1.f) and in article 32 of the RGPD, respectively.

Article 5.1.f) of the RGPD includes the principle of integrity and confidentiality and
determines that personal data will be processed in such a way as to guarantee

adequate security of personal data, including protection against
unauthorized or illicit treatment and against its loss, destruction or accidental damage,
through the application of technical or organizational measures.

On the other hand, article 32 of the GDPR establishes how security must be articulated

of the processing in relation to the specific security measures that must be
implement, in such a way that taking into account the state of the art, the costs of
application, and the nature, scope, context and purposes of the processing, as well as
risks of varying probability and severity to the rights and freedoms of
natural persons, the person responsible and the person in charge of the treatment will apply measures
appropriate technical and organizational measures to guarantee a level of security appropriate to the

risk that includes, among other issues, the ability to guarantee the
data confidentiality.

From the examination of the proven facts and the documentation in the file,
two violations can be clearly differentiated based on facts and foundations

different. The following specifies what conduct constitutes a violation of the
article 5.1.f) of the RGPD and which constitutes a violation of article 32 of the RGPD:

A) Violation of article 5.1.f) of the RGPD.


As we can see, article 5.1.f) of the RGPD strictly requires that it be guaranteed
confidentiality and integrity, and requires a loss of
confidentiality and/or integrity. We may encounter cases in which
inadequate measures exist without there being a loss of integrity and
confidentiality.
The European legislator has imposed an obligation of result to guarantee the

compliance with this principle.

In addition, article 5.1.f) of the RGPD mentions the application of technical measures
or organizational measures without restricting it to technical or organizational measures of
security. The measures referenced in art. 5.1.f) of the GDPR can be anything

type, encompassing all those that serve to guarantee confidentiality and integrity.

In the present case, the confidentiality of personal data has not been guaranteed
of the complaining party, which represents a violation of article 5.1.f) of the RGPD, all
time that the delivery person left data visible to any neighbor or visitor to the property.

personal details of the complaining party, specifically, his name and surname, address
postal address, as well as his telephone number, which were seen, at least, by the
persons who informed the complaining party that the label was attached to their
mailbox when she was absent from her home.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/23









B) Violation of article 32 of the RPGD.


The facts proven in the procedure show that the claimed party exposed
information and personal data, when a delivery person leaves a warning note
absent affixed to the outside of the claimant's mailbox (on whose label only
indicated the number and letter of the apartment), in which his personal data appeared:
name, surname, postal address, as well as your telephone number.


The breach of technical and organizational measures is evident, since
that GEOPOST is responsible for making decisions aimed at implementing
effectively implement appropriate technical and organizational measures to ensure
security level appropriate to the risk to ensure the confidentiality of the data,
restoring their availability and preventing access to them in the event of an incident

physical or technical, as required by article 32 of the GDPR.

From all this, a lack of due diligence is deduced both in compliance with the
established security measures, as well as in the supervision or verification of their
observance and/or suitability of these. In this regard, it is noted that article 32
of the RGPD is violated whether the responsible party does not adopt appropriate measures.

appropriate technical and organizational measures to ensure data security
personal, as if, once these are established, they are not observed.

That said, article 32.1 includes an obligation of means and not an obligation
of result. In effect, it indicates that “the person responsible and the person in charge of the treatment

Appropriate technical and organizational measures will be applied to ensure a level of
security appropriate to the risk”, that is, it imposes the obligation to establish a level of
security, and that level must be a function of the risk analysis that everything
responsible must carry out in accordance with section 2 of said article:


"2. When evaluating the adequacy of the security level, particular consideration will be given to
takes into account the risks presented by data processing, in particular as
consequence of accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data.”


The technological evolution and sophistication of unauthorized access systems to
data systems means that regulations cannot unconditionally impose
a total assurance of the absence of integrity or confidentiality breaches.
But it does require that those responsible for the treatments must carry out an analysis of
risks and the implementation of an “adequate security level” for them.


This duty is therefore characterized as an obligation of means. So it has
declared the Supreme Court in its recent ruling of February 15, 2022:

“The obligation to adopt the necessary measures to guarantee the safety of the

personal data cannot be considered an obligation of result, which implies
If a personal data leak occurs to a third party, there is liability
regardless of the measures adopted and the activity carried out by the
responsible for the file or processing.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/23









In the obligations of means the commitment that is acquired is to adopt the
technical and organizational means, as well as deploying diligent activity in its

implementation and use that tends to achieve the expected result with means
that can reasonably be classified as suitable and sufficient for its achievement,
For this reason, they are called "diligence" or "behavioral" obligations.

The difference lies in the responsibility in both cases, because while in the
obligation of result is responded to in the event of a harmful result due to the failure of the

security, whatever its cause and the diligence used, in the obligation to
means it is enough to carry out a risk analysis, establish measures technically
appropriate, implement them correctly and use them with reasonable diligence.

In the latter, the sufficiency of the security measures that the person responsible must

establish must be put in relation to the state of technology at all times
and the level of protection required in relation to the personal data processed, but
a result is not guaranteed. As established in art. 31 of the Union Regulation
European Parliament and Council 2016/679 on the protection of
natural persons with regard to the processing of personal data and the free
circulation of these data and which repeals Directive 95/46/EC, by establishing

regarding the security of the processing that the technical and organizational measures
appropriate are "Taking into account the state of the art, the costs of
application, and the nature, scope, context and purposes of the processing, as well as
risks of varying probability and severity to the rights and freedoms of
Physical persons […]".


We have already reasoned that the obligation that falls on the person responsible for the treatment
regarding the adoption of necessary measures to guarantee the safety of the
personal data is not an obligation of result but of means, without
the infallibility of the measures adopted is required. Only the

adoption and implementation of technical and organizational measures, which in accordance with the state
of the technology and in relation to the nature of the processing carried out and the data
personal data in question, reasonably allow to avoid its alteration, loss,
unauthorized treatment or access.

Having established the above, the obligation of means imposed by article 32 of the RGPD

consists of adopting security measures in the treatment, aimed at avoiding
production of a personal data breach therein. These obligations must
be established based on the risks that have been analyzed, and taking into account
takes into account the state of technology at all times and the level of protection required
in relation to the personal data processed.


For all the above reasons, this allegation is rejected.


“THIRD.- Regarding the alleged violation of article 5.1 f) of the RGPD and/or article

32 of the RGPD indicated by the AEPD”

In this allegation, GEOPOST maintains that it has adopted appropriate measures (protocols,
periodic training plan...) depending on the risk.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/23









In response to this argument, GEOPOST's commitment to compliance with
current regulations on data protection, guaranteeing security and

confidentiality of the processing of personal data through the application of
technical and organizational security measures, although it reflects positive behavior,
does not distort the verified facts.

For all the above reasons, this allegation is rejected.



“FOURTH.- Regarding the classification of the infraction and the possible sanction to be imposed for
part of the AEPD.”

GEOPOST considers that the amount of the penalty is excessive, on the one hand, with respect to

to the aggravating factors, the volume of orders it manages has not been taken into account
GEOPOST and that it is an exceptional event, and, on the other hand, they have not been assessed
a series of mitigating circumstances, such as lack of intentionality, due diligence or the
rapid action by GEOPOST.

In contrast to what was expressed by GEOPOST, it is worth highlighting the classification

of the infractions and sanctions established in the initiation agreement, which article 83.5
of the RGPD establishes that the violation of article 5 of the RGPD can be sanctioned
“with administrative fines of a maximum of EUR 20,000,000 or, in the case of a
company, of an amount equivalent to a maximum of 4% of the business volume
overall annual total of the previous financial year, opting for the highest amount”,

Therefore, a significant reduction of this is already applied.

The STS, 3rd Chamber, of December 16, 2003 (Rec. 4996/98) already indicated that the
principle of proportionality of sanctions requires that "the discretion that is
grants the Administration for the application of the sanction to be developed by weighing

in any case the concurrent circumstances, in order to achieve the due
proportionality between the alleged facts and the responsibility demanded." Principle of
proportionality that is not understood to be violated, considering the
sanction proposed to the entity, for the proven facts and weighed the
concurrent circumstances, which are detailed below, taking into account, in addition,
the maximum limit of the amount of sanctions established in art 83.4 RGPD.


Regarding the fact that no extenuating circumstance has been considered since
There are a series of behaviors on the part of GEOPOST that, by virtue of the
interpretation criteria of articles 83.2 RGPD and 76.2 LOPD, there should be
been taken into account as mitigating factors to graduate, thus, in a way

appropriate, the sanction proposed by the AEPD, it is worth noting that the RGPD provides
expressly the possibility of graduation, through the provision of fines
susceptible to modulation, taking into account a series of circumstances of each case
individual. All these circumstances have been taken into account when
set the sanction.


The claimed party is an entity that manages a large volume of deliveries and
collection of packages from customers whose personal data is processed in a manner
systematically in the exercise of its powers. This circumstance determines a greater

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/23








degree of demand and professionalism and, consequently, of responsibility of the
entity in relation to the processing of personal data.


Consequently, the arguments presented do not distort the content
essential of the infraction that is declared committed nor do they constitute a cause for justification or
sufficient exculpation.

For all the above reasons, this allegation is rejected.



B) In relation to the allegations alleged in the proposed resolution herein
sanctioning procedure, the answer is given:

“First and only.- Infringement of the right to defense due to lack of accreditation of

the facts that are charged.”
According to GEOPOST, it cannot be assured, without reasonable doubt, that it was the
delivery person from this company who left a note attached to the party's mailbox
claimant with her personal data, which could have been attached to the mailbox
by a third party. He adds that the claim was initiated by an indirect witness, without the
claimant party affirmed in his claim before the AEPD that he was the distributor of

the Company who attached the document to your mailbox. In short, to the extent that
The authorship of the act from which this procedure originates has not been proven,
the violation of the right of defense is evident, as no evidence has been carried out
to prove these facts.


In response to the argument made by GEOPOST, which questions who
left the note attached to the complaining party's mailbox, it appears in the Proven Fact
Third of this resolution that, given the transfer of the claim of 17
October 2022 formulated by this Agency, GEOPOST sent a response on October 14
November 2022, in which it is said that: “…after receipt of this

information requirement, SEUR, S.A. has proceeded to investigate the facts
occurred and has verified the following:
- That on August 30, 2022, a SEUR, S.A. delivery driver went to
the claimant's address to make a collection.
- That the claimant was absent at the time of collection.
- That, consequently, the delivery man left an absent notice posted on the outside

from the claimant’s mailbox.” (emphasis is ours)

As can be seen, in the response sent by GEOPOST regarding the transfer
of the claim was attributed, according to their own investigations, to the distributor of this
company for having left the warning note (that is what it is literally named in its writing)

affixed to the outside of the complaining party's mailbox. Furthermore, these events were
ratified in the allegations to the initiation agreement presented by GEOPOST:

“As reported in the response letter, the SEUR delivery person
went to the claimant's home to make a collection, but the

claimant was absent at the time of collection so
which, consequently, the delivery man taped on the outside of the mailbox of the
claimant the label of the package, as can be seen in the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/23








images included in the claim, skipping the instructions and
SEUR internal protocols” (emphasis added).


On the other hand, GEOPOST must preserve the confidentiality of its data.
clients, so, given the circumstance that the note, as stated
GEOPOST, could have been posted by a third party in the mailbox of the party
claimant, also implies the existence of responsibility attributable to GEOPOST,
since the fact that an unauthorized third party accesses the personal data of
the complaining party being in possession of the sticky note or sticker, assumes in

itself a violation of the confidentiality of the data of the complaining party,
due to lack of diligence in the custody of the sticky note. There is no reason that
justify that the sticky note with the personal data of the complaining party that
the GEOPOST delivery person was carrying, it could be in the hands of a third party, sticker
that was not going to be used, due to the impossibility of collecting the package that was going to be

returned, due to the absence of the complaining party at his home; absence that
duly communicated as stated in the First Proven Fact.

Regarding security measures, GEOPOST points out that the sticky note with
the data of the complaining party was not a “notice of absenteeism at home”, since that

type of notices are usually sent to the client's email, but are
This is the sticker that is attached to the package in case of collecting a return.
GEOPOST does not justify that the technical and organizational measures are appropriate for
ensure a level of security appropriate to the risk, to protect data
your existing customers' personal information on return collection labels
a package, which poses a risk to the rights and freedoms of people

physical, as has been revealed in this case.

Article 32 of the GDPR establishes how the security of processing must be articulated
in relation to the specific security measures that must be implemented, in such a way
way that taking into account the state of the art, the application costs, and the

nature, scope, context and purposes of the processing, as well as risks of
variable probability and severity for people's rights and freedoms
physical, the person responsible and the person in charge of the treatment will apply technical and
appropriate organizational measures to guarantee a level of security appropriate to the risk that
include, among other issues, the ability to guarantee the confidentiality of the

data.

The Court of Justice of the European Union has ruled on the application of the
Article 32 of the GDPR in the exercise of its power to rule, with
preliminary nature on the validity and interpretation of the acts adopted by the
institutions, bodies or agencies of the Union, in accordance with the provisions of article

267 of the Treaty on the Functioning of the European Union. In a ruling dated 14
December 2023, in case C-340/21, resolves a preliminary question raised
by a jurisdictional body regarding “whether the principle of liability of the
controller, set out in Article 5(2) of the GDPR and
developed in article 24 of this, must be interpreted in the sense that, … the

controller bears the burden of proof of the appropriateness of
the security measures that it has adopted in accordance with article 32 of the aforementioned
Regulation”, establishing the following:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/23








“In accordance with Articles 5, paragraph 2, 24, paragraph 1, and 32, paragraph 1, of the GDPR
It follows unequivocally that the burden of proof that the personal data
are treated in such a way as to ensure adequate security, in the sense of the

Articles 5, paragraph 1, letter f) and 32 of said Regulation, it is the responsibility of the person responsible for
treatment in question [see, by analogy, the rulings of May 4, 2023,
Bundesrepublik Deutschland (Judicial electronic mailbox), C-60/22, EU: C:2023:373,
sections 52 and 53, and of July 4, 2023, Meta Platforms and others (Conditions
of the service of a social network), C-252/21, EU:C:2023:537, paragraph 95].”
(paragraph 52 of the judgment)


Consequently, in the response to the transfer of the claim, GEOPOST stated that
the note was posted by the delivery person and, in any case, GEOPOST is responsible for
that the data of its clients is not made available to third parties not authorized to
access those. Regarding the application of technical and organizational measures

adopted by GEOPOST in the collection of returned packages, in the
This case has shown that they do not guarantee a level of security
appropriate to the risk to protect your customers' personal data (name,
surnames, address and telephone number) existing on the return collection labels
of a package. Therefore, the first of the measures to be considered by

GEOPOST is, taking into account the state of the art and the costs of application, if
It is necessary that all these personal data of your clients appear in the
Returned package collection stickers.

For all the above reasons, this allegation is rejected.




                                           IV
                              Confidentiality principle


Article 5.1.f), “Principles relating to processing”, of the GDPR establishes:

"1. The personal data will be:
to) (…)


f) processed in such a way as to ensure adequate data security
personal data, including protection against unauthorized or unlawful processing and against
its loss, destruction or accidental damage, through the application of technical measures
or organizational arrangements (“integrity and confidentiality”).”

In relation to this principle, Recital 39 of the aforementioned GDPR states that:


“[…]Personal data must be processed in a way that guarantees security and
appropriate confidentiality of personal data, including to prevent access
or unauthorized use of said data and the equipment used in the treatment.”


The documentation in the file offers clear indications that the
claimed violated article 5.1 f) of the GDPR, principles relating to processing.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/23








In the present case, it is clear that the personal data of the complaining party, such as
such as your name, surname, postal address and telephone number recorded in the note
notice posted on the outside of the mailbox were improperly exposed to third parties,

violating the principle of confidentiality, when also on the mailbox label
Only the number and letter of the apartment were indicated.

In accordance with the evidence available at the present time
resolution of the sanctioning procedure, it is considered that the known facts are
constituting an infraction, attributable to GEOPOST, for violation of article

5.1.f) of the RGPD.



                                           V

                Classification of the violation of article 5.1.f) of the RGPD

The aforementioned violation of article 5.1.f) of the RGPD implies the commission of one of the
violations classified in article 83.5 of the RGPD that under the heading “Conditions
general rules for the imposition of administrative fines” provides:


“Infractions of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:


       a) the basic principles for the treatment, including the conditions for the
       consent under articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that

“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”

For the purposes of the limitation period, article 72 “Infringements considered very
“serious” of the LOPDGDD indicates:


"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe violations that involve three years
a substantial violation of the articles mentioned therein and, in particular, the
following:


       a) The processing of personal data violating the principles and guarantees
           established in article 5 of Regulation (EU) 2016/679. (…)”




                                           SAW
                    Unfulfilled obligation. Data security.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/23








Article 32 of the GDPR, security of processing, establishes the following:

 "1. Taking into account the state of the art, the application costs, and the

nature, scope, context and purposes of the processing, as well as risks of
variable probability and severity for people's rights and freedoms
physical, the person responsible and the person in charge of the treatment will apply technical and
appropriate organizational measures to guarantee a level of security appropriate to the risk,
which, if applicable, includes, among others:


       a) pseudonymization and encryption of personal data;
       b) the ability to guarantee the confidentiality, integrity, availability and
       permanent resilience of treatment systems and services;
       c) the ability to restore availability and access to data
       personnel quickly in the event of a physical or technical incident;

       d) a process of regular verification, evaluation and assessment of effectiveness
       of the technical and organizational measures to guarantee the security of the
       treatment.

2. When evaluating the adequacy of the security level, particular consideration will be given to
takes into account the risks presented by data processing, in particular as

consequence of accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data.

3. Adherence to a code of conduct approved under Article 40 or to a

certification mechanism approved pursuant to article 42 may serve as an element
to demonstrate compliance with the requirements established in section 1 of the
present article.

4. The controller and the person in charge of the treatment will take measures to ensure that

any person acting under the authority of the person responsible or in charge and
has access to personal data can only process said data following
instructions of the person responsible, unless it is obliged to do so by virtue of the Law of
the Union or the Member States.”

From the documentation in the file, there are clear indications that the

claimed has violated article 32 of the RGPD, when an incident of
security when disclosing personal information and data to third parties, when leaving a
deliveryman an absent notice note taped to the outside of the claimant's mailbox,
in which your personal data appeared: name, surname, postal address, as well
such as your telephone number, visible to any neighbor or visitor to the property,

when the mailbox label only indicated the number and letter of the apartment.

As stated in the response letter dated November 14, 2022, the
claimed party considers that the incident has occurred as a consequence of
an error on the part of the delivery person, who must have left the warning note inside the mailbox or

under the door as indicated in the GEOPOST manual and not glued to the outside
from the mailbox. In this sense, it should be noted that security measures must
be adopted in response to each and every one of the risks present in a treatment
of personal data, including among them, the human factor.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/23









It should be noted that the RGPD in the aforementioned provision does not establish a list of the
security measures that are applicable in accordance with the data that is the subject
of treatment, but establishes that the person responsible and the person in charge of the treatment
They will apply technical and organizational measures that are appropriate to the risk involved.

the treatment, taking into account the state of the art, the costs of application, the
nature, scope, context and purposes of the processing, the probability risks
and seriousness for the rights and freedoms of the interested parties.

Likewise, security measures must be appropriate and proportionate to the
detected risk, pointing out that the determination of the technical measures and

organizational measures must be carried out taking into account: pseudonymization and encryption,
ability to guarantee confidentiality, integrity, availability and resilience, the
ability to restore availability and access to data after an incident, process
verification (not audit), evaluation and assessment of the effectiveness of the
measures.


In any case, when evaluating the adequacy of the security level, the
particularly taking into account the risks presented by data processing, such as
consequence of the accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data and that could cause damages and losses

physical, material or immaterial.

In this same sense, recital 83 of the GDPR states that:

“(83) In order to maintain security and prevent processing from violating the provisions of
this Regulation, the controller or processor must assess the risks

inherent to the processing and apply measures to mitigate them, such as encryption. Are
measures must ensure an adequate level of security, including the
confidentiality, taking into account the state of the art and the cost of its application
regarding the risks and the nature of the personal data that must be
protect yourself. When assessing risk in relation to data security,
take into account the risks arising from the processing of personal data,

such as accidental or unlawful destruction, loss or alteration of personal data
transmitted, preserved or otherwise processed, or the communication or access is not
authorized to such data, which may in particular cause damage and harm
physical, material or immaterial.”

The responsibility of the defendant is determined by the breach of the

technical and organizational measures, since it is responsible for making decisions
aimed at effectively implementing technical and organizational measures
appropriate to guarantee a level of security appropriate to the risk to ensure the
confidentiality of the data, restoring its availability and preventing access to the
themselves in the event of a physical or technical incident.


In accordance with the evidence available at the present time
resolution of the sanctioning procedure, it is considered that the known facts are
constituting an infringement, attributable to GEOPOST, for violation of article 32
of the GDPR.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/23












                                           VII
                  Classification of the violation of article 32 of the GDPR

The aforementioned violation of article 32 of the RGPD implies the commission of one of the
violations classified in article 83.4 of the RGPD that under the heading “Conditions
general rules for the imposition of administrative fines” provides:


“Infractions of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
In the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for

the largest amount:

       a) the obligations of the controller and the processor pursuant to Articles 8,
           11, 25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that

“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”

For the purposes of the limitation period, article 73 “Infringements considered serious”

of the LOPDGDD indicates:

“Based on what is established in article 83.4 of Regulation (EU) 2016/679,
are considered serious and will prescribe after two years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the

following:

g) The breach, as a consequence of the lack of due diligence, of the
technical and organizational measures that have been implemented as required
by article 32.1 of Regulation (EU) 2016/679.”




                                           VIII
                                  Sanctions to impose


In order to determine the administrative fine to impose, the following must be observed:
provisions of articles 83.1 and 83.2 of the RGPD, provisions that indicate:

"1. Each supervisory authority will ensure that the imposition of fines
administrative sanctions under this article for violations of this

Regulations indicated in sections 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/23








individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:


a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as
such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;

c) any measure taken by the person responsible or in charge of the treatment to
alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or in charge of the treatment,
taking into account the technical or organizational measures that have been implemented under
of articles 25 and 32;

e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
particular whether the controller or processor notified the infringement and, if so, in what

extent; i) when the measures indicated in Article 58(2) have been
previously ordered against the person responsible or the person in charge in question
related to the same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with article 42,

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or
indirectly, through infringement.”

For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD

has:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.


2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:

       a) The continuous nature of the infringement.
       b) The linking of the offender's activity with the performance of treatments

       of personal data.
       c) The benefits obtained as a consequence of the commission of the infraction.
       d) The possibility that the conduct of the affected person could have induced the
       commission of the infraction.
       e) The existence of a merger by absorption process after the commission

       of the infringement, which cannot be attributed to the absorbing entity.
       f) The impact on the rights of minors.
       g) Have, when it is not mandatory, a delegate for the protection of
data.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/23








       h) Submission by the person responsible or in charge, with character
       voluntary, to alternative conflict resolution mechanisms, in those
       cases in which there are disputes between them and any

       interested."

Penalty for violation of article 5.1.f) of the RGPD

In accordance with the transcribed precepts, in order to set the amount of the penalty for
violation of article 5.1 f) of the RGPD, to the party claimed as responsible for the

cited infraction classified in article 83.5 of the RGPD, the fine should be graduated
given:

As a circumstance taken into account as an aggravating circumstance:


Article 76.2 b) LOPDGDD: “The linking of the offender's activity with the
carrying out personal data processing”

It is a known fact that the claimed party is an entity that manages a large
volume of deliveries and collections of packages from customers whose personal data are
treated systematically in the exercise of their powers.


This circumstance determines a higher degree of demand and professionalism and,
consequently, of responsibility of the entity in relation to the treatment of
Personal information.



As a circumstance taken into account as mitigating:

Article 76.2.e) of the LOPDGDD: “The existence of a fusion process by absorption
after the commission of the infraction, which cannot be attributed to the entity

absorbent."

The merger by absorption process, in which GEOPOST ESPAÑA, S.L. (society
absorbent) has merged with SEUR, S.A. (absorbed company), producing the
extinction of the latter, allows the application of this circumstance as a mitigating factor
the responsibility of the absorbing entity.


Considering the exposed factors, the assessment that reaches the amount of the fine
is €40,000.00 (forty thousand euros) for the violation of article 5.1 f) of the RGPD,
regarding the violation of the principle of confidentiality.


Penalty for violation of article 32 of the GDPR

In accordance with the transcribed precepts, in order to set the amount of the penalty for
violation of article 32 of the GDPR, to the party claimed as responsible for the
cited infraction classified in article 83.4 of the RGPD, the fine should be graduated

given:

As a circumstance taken into account as an aggravating circumstance:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 22/23








Article 76.2 b) LOPDGDD: “The linking of the offender's activity with the
carrying out personal data processing”


It is a known fact that the claimed party is an entity that manages a large
volume of deliveries and collections of packages from customers whose personal data are
treated systematically in the exercise of their powers.

This circumstance determines a higher degree of demand and professionalism and,
consequently, of responsibility of the entity in relation to the treatment of

Personal information.

As a circumstance taken into account as mitigating:

Article 76.2.e) of the LOPDGDD: “The existence of a fusion process by absorption

after the commission of the infraction, which cannot be attributed to the entity
absorbent."

The merger by absorption process, in which GEOPOST ESPAÑA, S.L. (society
absorbent) has merged with SEUR, S.A. (absorbed company), producing the
extinction of the latter, allows the application of this circumstance as a mitigating factor

the responsibility of the absorbing entity.

Considering the exposed factors, the assessment that reaches the amount of the fine
is €15,000.00 (fifteen thousand euros) for violation of article 32 of the RGPD, regarding
to the lack of diligence when implementing appropriate security measures.



Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of the sanctions whose existence has been proven, the Director of the
Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE on GEOPOST ESPAÑA, S.L., with NIF B85645349:

- For a violation of article 5.1.f) of the RGPD, classified in accordance with the provisions of
article 83.5 of the RGPD, an administrative fine of 40,000.00 euros.


- For a violation of article 32 of the RGPD, classified in accordance with the provisions of the
article 83.4 of the RGPD, an administrative fine of 15,000.00 euros.

SECOND: NOTIFY this resolution to GEOPOST ESPAÑA, S.L.


THIRD: This resolution will be enforceable once the deadline to file the
optional resource for replacement (one month counting from the day following the
notification of this resolution) without the interested party having made use of this power.
The sanctioned person is warned that he must make effective the sanction imposed once
This resolution is executive, in accordance with the provisions of art. 98.1.b)

of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Real
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/23








December, through your entry, indicating the NIF of the sanctioned person and the number of
procedure that appears in the heading of this document, in the account

restricted IBAN number: ES00-0000-0000-0000-0000-0000, opened in the name of the
Spanish Data Protection Agency in the banking entity CAIXABANK, S.A..
Otherwise, it will be collected during the executive period.

Once the notification is received and once enforceable, if the enforceable date is

between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative means if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through

of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal

contentious-administrative procedure within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.


                                                                               938-16012024
Sea Spain Martí
Director of the Spanish Data Protection Agency









C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es