AEPD (Spain) - EXP202208230

From GDPRhub
AEPD - PS-00243-2023
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 28(2) GDPR
Article 28(3) GDPR
Type: Complaint
Outcome: Other Outcome
Started: 29.06.2022
Decided:
Published: 21.08.2023
Fine: 96000 EUR
Parties: FOURTH PARTY LOGISTICS, S.L.
Data Subject
National Case Number/Name: PS-00243-2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: isabela_maria_rosal

The Spanish DPA sanctioned a processor for violating GDPR Articles 28(2) and 28(3): no written contract existed between the processor and the subprocessors, and the controller had not been told of the subprocessors' involvement in data processing activities.

English Summary

Facts

A package from Carrefour was to be delivered to the data subject's address. In case they were not at home, the data subject gave permission to deliver the package to their neighbour. However, the package was delivered to someone else.

As the controller, Carrefour has a contract with a processor responsible for deliveries, Fourth Party Logistics SL. In this contract, it is established that the processor should notify the controller in case of contracting a subprocessor. Even though a subprocessor did the delivery, Carrefour was not notified of the existence of any subprocessor.

The processor (Fourth Party Logistics SL) explained that there were two subprocessors involved in the delivery, Envialia World SL and The Bee Logistics SL; however, no contract between these parties was presented to the DPA. The processor Fourth Party Logistics SL did not comply with its contract with the controller, and there were no formal agreements with the subprocessors.

Holding

The DPA held that there was enough evidence to start a sanctioning procedure, especially considering the lack of legally binding instruments between the processor and the subprocessors involved in the delivery of a package to the data subject. Considering that the subprocessor had to process personal data controlled by Carrefour, there was a breach of the GDPR.

With this, the Spanish DPA established that a possible fine of €90,000 could be imposed for the breach of Articles 28(2) and 28(3) of the GDPR. The data processor decided to finalize the procedure by paying the reduced fine of €72,000, which implies admitting the breach of the data protection rules.

Comment

This case shows how processors (and not only controllers) can be held responsible for their failure to comply with Article 28 GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202208230


       RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

From the procedure conducted by the Spanish Data Protection Agency, and based
on the following

                                  BACKGROUND

FIRST: On June 16, 2023, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against FOURTH PARTY LOGISTICS, S.L.
(hereinafter, the claimed party), through the Agreement transcribed below:

<<



File No.: EXP202208230


            AGREEMENT TO START SANCTIONING PROCEDURE


From the actions carried out by the Spanish Data Protection Agency, and
based on the following

                                      FACTS


FIRST: On June 29, 2022, Ms. A.A.A. (hereinafter, the complaining party)
filed a claim with the Spanish Data Protection Agency. The
claim is directed against “Envialia”.

The claim states:


“Today, June 28 at 2:30 p.m., the messenger with telephone number ***TELÉFONO.1 calls me to
give me a package from Carrefour. Not being at home, I told him to leave it with
my neighbor on the first left, B.B.B. He told me it was perfect. When I arrived home 20
minutes later, my neighbor tells me that they haven't delivered anything. He called the
transporter and tells me that a boy with a cap came through the portal and told him that it was him and
he gave it to her without further ado. I have complained to the transport company and they tell me that they have
carried by a certain C.C.C. and search among the neighbors, when they should do it.
It is no longer just the lack of a solution for the literal theft of my package, but in
addition to my merchandise, all my personal information, ID, telephone number,
address, name, surname and an invoice for what was purchased with my bank details,
data that I have not at any time authorized them to give to an
unknown person that can be used illicitly, causing me great harm. For this
I pray you intercede.”


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/15








Along with the claim, a thread of emails exchanged with “Envialia” is provided.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,
on the Protection of Personal Data and guarantee of digital rights
(hereinafter, LOPDGDD), said claim was transferred to ENVIALIA WORLD
(hereinafter, EW) so that it could proceed with its analysis and inform this
Agency, within one month, of the actions carried out to adapt to the requirements
provided for in the data protection regulations.

The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, on the Common Administrative Procedure of Public Administrations
(hereinafter, LPACAP), was collected on July 28, 2022, as
stated in the certificate that is in the file.


On August 25 of that same year, this Agency received a letter of
response indicating that "...has not been aware of it until the notification
received from the AEPD, therefore it has not been possible to respond to the claimant, since
we did not have the claim or their contact information. It proceeds to give a
response to the e-mail that appears in Annex 1 (***USUARIO.1@hotmail.com) and
a copy of the response given is attached.

b) Regarding the decision adopted regarding this claim: It is necessary to
understand the roles of the various companies involved in the delivery process:
Client: Hires the services of the cargo agency.
Charge agency: Acts as Data Controller, has a contract with
Envialia World, which makes available to it the Envialia Network, made up of other agencies
with whom it has a contract.
Envialia World: Acts as Data Processor.
Cargo Agency: Acts as sub-processor.
Recipient: It is the interested party and in this case harmed by the malpractice of the
cargo agency courier.

At Envialia World we consider this fact as a theft and in this situation we
inform the responsible agencies so that they file the corresponding complaint.
On the other hand, whether it is the Cargo agency, ENVIALIA WORLD or the
destination, they are only responsible for the data that appears on the label that accompanies
the package to be delivered; in no case can they be responsible for the data that may
be inside the package (such as the invoice mentioned by the interested party with their
banking data), since none of the ENVIALIA companies or agencies involved
accesses, nor should access, and does not even know what is inside the package.
We understand that if there is any type of violation of the rights of the
interested party, it is on the part of the sub-processor, which is the destination
processing agency. For this reason, we proceed to inform it of the claim received,
analyze the reasons that gave rise to the poor delivery practice and demand the
application of measures to prevent the problem from recurring…”

THIRD: On August 30, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
preliminary investigative actions to clarify the facts in
question, by virtue of the functions assigned to the control authorities in
article 57.1 and the powers granted in article 58.1 of Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following points:

On April 12, 2023, EW was requested to provide the following information:

"1. Description of all parties involved in the business relationship and the
collection/delivery process for shipments.
2. Documentation that proves the relations of ENVIALIA WORLD S.L. with the
parties described in your answer, and in particular the data processing
contract, since point 2.b) of your answer defines ENVIALIA
WORLD S.L. as the data processor.”

On April 27, 2023, a response was received, in the following
terms:

    - In its FIRST point, it responds to point 1 of the request: "Client:
       SHOPPING CENTERS CARREFOUR, S.A., with NIF A28425270, and
       domiciled in P.I. "Las Mercedes", Calle Campezo 16, 28022 Madrid. Agency
       of charge: FOURTH PARTY LOGISTICS, S.L., with NIF B86496007 and with
       address at Avenida Switzerland 2, 28821, Coslada, Madrid. FOURTH PARTY
       LOGISTICS SL operates under the ENVIALIA brand, within a national transport
       network. FOURTH PARTY LOGISTICS subcontracts the services of
       FOURTH PARTY SERVICES, S.L., a company from the same network, which maintains
       relations with ENVIALIA WORLD, S.L., established in a transport and
       courier contract. ENVIALIA WORLD SL puts its transport network at
       the disposal of FOURTH PARTY SERVICES SL, to carry out the
       management and provision of services. In this case, the courier shipment
       was carried out directly by FOURTH PARTY SERVICES SL, through the
       company THE BEE LOGISTICS, SLU, which was the one that had to deliver the package
       to Ms. A.A.A. The courier delivered the package to the neighbor indicated by Ms.
       A.A.A., a fact not disputed by the complainant; what happens is that she
       indicates that his name is B.B.B. and the package is delivered to C.C.C., who picks it up and
       provides his ID. On the other hand, the only data available to
       FOURTH PARTY SERVICES SL are those that appear on the package,
       only identifying information, and in no case are there bank details, nor
       a national identity document or equivalent. In any case, after what
       occurred, FOURTH PARTY SERVICES SL requested THE BEE LOGISTICS,
       SLU to adopt preventive and reactive measures, and to review with its
       workers the Envialia Operations Manual, for its proper
       compliance. The collection and delivery process is as follows:
1. The customer buys at Carrefour, through its online platform, and the latter, once
the purchase process is completed, gives the order to its transport and
courier provider, FOURTH PARTY LOGISTICS SL, to carry out the delivery. The
daily communication of the list of shipments that will travel through the Envialia network
is done through a SOAP service, from which an XML is extracted with the data
necessary for the correct management and delivery of the shipments (address, type of
service, observations, etc.). The label is generated from a ZPL code, with a
barcode in CODE 128.
2. FOURTH PARTY LOGISTICS, through FOURTH PARTY SERVICES, carries out
the delivery of this package, with the collaboration of the transport company
THE BEE LOGISTICS, contracted for this service.
3. THE BEE LOGISTICS SLU makes the delivery to the person indicated by the
buyer - Mrs. A.A.A.-.”

    - In its SECOND point, it responds to point 2 of the request: “Responding
       to this question, we attach the current contract, formalized between
       CARREFOUR AND FOURTH PARTY LOGISTICS SL. The contract between FOURTH
       PARTY LOGISTICS and THE BEE LOGISTICS SLU is a verbal contract,
       since RD-Law 3/2022, which established the obligation that continuous
       transportation contracts be in writing, while giving full validity to
       sporadic transportation contracts with only the corresponding
       consignment note, did not come into force until September 2022.”

       EW provides a copy of a service provision contract between FOURTH
       PARTY LOGISTICS S.L. and CARREFOUR S.A. SHOPPING CENTERS
       for the distribution, home delivery and delivery of the merchandise sold.

                           FOUNDATIONS OF LAW

                                            I
                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR) grants each
control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish
Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."

                                           II
                           Possible administrative violation.

Article 4 of the GDPR, points 7 and 8, specifies what should be understood by
controller and processor. Thus:


       “7) “controller” is the natural or
       legal person, public authority, service or other body that, alone or together with others,
       determines the purposes and means of the processing; if the law of the Union or of the
       Member States determines the purposes and means of the processing, the controller
       or the specific criteria for its appointment may be
       established by the law of the Union or of the Member States;

       8) "processor" is the natural or legal person,
       public authority, service or other body that processes personal data on
       behalf of the controller;..”

In short, the controller is the natural or legal person or public authority
that decides on the processing of personal data, determining the
purposes and means of said processing.

Under the principle of proactive responsibility, the data controller
must apply technical and organizational measures in response to the risk that
the processing of personal data involves, complying and being able to demonstrate
compliance.

For its part, the processor is the natural or legal person, public authority,
service or other body that provides a service to the controller that entails
the processing of personal data on its behalf.

In this sense, the controller is the one who decides the “why” and “how” relative to the
personal data, and the processor is the one who carries out the processing
on behalf of the controller.

The figure of the processor is defined in article 28 of the GDPR, which
establishes the requirements that must be met regarding data protection:
1. Where processing is to be carried out on behalf of a controller,
the controller shall use only processors providing sufficient guarantees
to implement appropriate technical and organizational measures, so that the
processing complies with the requirements of this Regulation and ensures the
protection of the rights of the data subject.
2. The processor shall not engage another processor without prior specific or
general written authorization of the controller. In the latter case, the processor
shall inform the controller of any planned change concerning the addition or
replacement of other processors, thus giving the controller the opportunity to object
to these changes.
3. Processing by the processor shall be governed by a contract or other legal act
under the law of the Union or of the Member States, which binds the processor
with regard to the controller and establishes the object, duration, nature and
purpose of the processing, the type of personal data and categories of data subjects, and the
obligations and rights of the controller. Said contract or legal act shall stipulate, in
particular, that the processor:

a) will process personal data only on documented instructions from the
controller, including with respect to transfers of personal data to a
third country or an international organization, unless obliged to do so under
Union or Member State law applicable to the processor; in
such case, the processor will inform the controller of that legal requirement prior to the
processing, unless such law prohibits it for important reasons of public
interest;

b) will ensure that the persons authorized to process personal data have
committed to respecting confidentiality or are subject to a statutory
obligation of confidentiality;

c) will take all necessary measures in accordance with article 32;

d) will respect the conditions indicated in sections 2 and 4 for engaging another
processor;

e) will assist the controller, taking into account the nature of the processing, through
appropriate technical and organizational measures, whenever possible, so that the controller
can fulfill its obligation to respond to requests for
the exercise of the rights of data subjects established in Chapter III;

f) will help the controller to ensure compliance with the obligations
established in articles 32 to 36, taking into account the nature of the processing
and the information available to the processor;

g) at the choice of the controller, will delete or return all personal data
once the provision of processing services is completed, and will delete existing
copies unless the retention of personal data is required under
the law of the Union or of the Member States;

h) will make available to the controller all the information necessary to demonstrate
compliance with the obligations established in this article, as well as
to enable and assist in the performance of audits, including inspections, by
the controller or by another auditor authorized by the controller.

In relation to the provisions of letter h) of the first paragraph, the processor shall
immediately inform the controller if, in its opinion, an instruction violates this
Regulation or other provisions on data protection of the Union or of
the Member States.

4. When a processor engages another processor to carry out
certain processing activities on behalf of the controller, the same data
protection obligations as those stipulated in the contract or other legal act between the
controller and the processor referred to in section 3 shall be imposed on
this other processor, by means of a contract or other legal act established in accordance with the
law of the Union or of the Member States, in particular the provision
of sufficient guarantees of application of appropriate technical and organizational measures
so that the processing is in accordance with the provisions of this
Regulation. If that other processor breaches its data protection obligations,
the initial processor will remain fully accountable to the controller
with regard to the fulfillment of the obligations of the other
processor. (…).


These specific obligations may be supervised by the data protection
authorities, without prejudice to the control that may be carried out in relation to
compliance with the GDPR or the LOPDGDD by the controller or the
processor.

In accordance with the provisions of article 28 GDPR, the controller and the processor
must regulate the processing of data in a contract or legal act
binding the processor with respect to the controller; that contract or legal act
must establish the object, duration, nature and purpose of the processing, the
type of personal data and categories of interested parties, the obligations and rights of the
controller, etc.

The processor, in turn, may resort to another processor
(“sub-processor”) provided that it has the prior written authorization of the
controller, either a specific or general authorization. In these
cases, the processor is obliged to inform the controller of
changes in the incorporation or substitution of other processors, so that the
controller can oppose such changes.

The relationship that links the controller and the processor, or the latter and another
processor, must be formalized in writing, including in electronic format. In
both cases, the same obligations referred to in section 3 of article 28, transcribed
above, must be imposed on the processor or “sub-processor”.


In the present case, EW explains that:

“- Envialia World has a transport and courier contract with Fourth Party
Logistics.
- Fourth Party Logistics subcontracts the services of Fourth Party Services.
- Envialia World puts its transportation network at the service of Fourth Party Services so
that it carries out the provision of the service.
- Fourth Party Logistics has a verbal courier contract with The Bee Logistics,
a company that it identifies as a "charging agency" and that would be responsible for the
delivery of the package.”

A copy is provided of a service contract between SHOPPING CENTERS
CARREFOUR SA with NIF A28425270 (as a client, although its signature does not appear) and
FOURTH PARTY LOGISTICS SL with NIF B86496007 (as carrier), for
delivery of goods at home, whose section on data protection
declares that the first is the controller, and the second the processor, of the
personal data.

Said contract expressly establishes that "...In those cases in which the
subcontracted service involves access or processing of personal data
owned by CARREFOUR by the subcontracted company, the
CARRIER must guarantee that the subcontracting is carried out in
compliance with the provisions of the applicable legislation and, in particular, with the provisions
of the Personal Data Protection regulations.

In the event that authorized subcontractors have access to personal data
under the responsibility of CARREFOUR, they will act as sub-processors,
the following being applicable:

• The CARRIER will notify CARREFOUR of the identity of the sub-processor before
proceeding with subcontracting;
• The processing of data by the sub-processor must comply with
CARREFOUR's instructions; and
• The CARRIER and the sub-processor will sign a contract/clause that
is in accordance with the provisions of the Data Protection regulations.

The CARRIER will notify CARREFOUR of the execution of this contract with the
sub-processor and will provide it with a copy if it so requests..."

EW states that between FOURTH PARTY LOGISTICS SL and THE BEE LOGISTICS SL
there is a verbal service contract, but this is not accredited.

It is evident that between ENVIALIA WORLD SL, FOURTH PARTY SERVICES SL and
FOURTH PARTY LOGISTICS SL there are contractual relationships, although no
documentation thereof has been provided.

Consequently, FOURTH PARTY LOGISTICS SL, ENVIALIA WORLD SL, FOURTH
PARTY SERVICES SL, and THE BEE LOGISTICS SL would necessarily have to
also process personal data; FOURTH PARTY
LOGISTICS SL would do so in its capacity as data processor, and ENVIALIA
WORLD S.L., FOURTH PARTY SERVICES SL and THE BEE LOGISTICS SL as
sub-processors.

Analyzing the relationship of the different participants, it is evident that the
subcontracting does not comply with the provisions of the data protection regulations
in force, due to the lack of formalization of contracts or legal acts, as well as the
lack of authorizations prior to their formalization.

In accordance with the evidence available at the time of this agreement to
initiate the sanctioning procedure, and without prejudice to what results from the
investigation, it is considered that the known facts could constitute an
infringement, attributable to FOURTH PARTY LOGISTICS SL, for violation of
articles 28.2 and 28.3 of the GDPR.



                                          IV.
                Classification of the infringement of article 28.2 of the GDPR

If confirmed, the aforementioned infringement of article 28.2 of the GDPR could entail the
commission of the infringements typified in article 83.4 of the GDPR, which under the
heading "General conditions for the imposition of administrative fines" provides:

“Violations of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 10,000,000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for
the largest amount:
a) the obligations of the controller and the processor under articles 8, 11, 25 to
39, 42 and 43;
        (…)”

In this regard, the LOPDGDD, in its article 71 "Infractions", establishes that
"The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are
contrary to this organic law, constitute infractions.”

For the purposes of the limitation period, article 73 "Infractions considered serious"
of the LOPDGDD indicates:

"Based on what is established in article 83.4 of Regulation (EU) 2016/679,
infractions that involve a substantial violation of the articles mentioned therein
are considered serious and will prescribe after two years and, in particular, the
following:
(…)
l) The contracting by a processor of other processors without
the prior authorization of the controller, or without having informed it about the changes
produced in subcontracting when legally required. (…)”.

                                           V
                 Penalty for violation of article 28.2 of the GDPR


For the purposes of deciding on the imposition of an administrative fine and its amount,
it is appropriate to graduate the sanction to be imposed according to the following criteria that
Article 83.2 of the GDPR establishes:

As aggravating factors:


- b) The link between the offender's activity and the performance of processing
of personal data.

The Judgment of the National Court of 10/17/2007 (rec. 63/2006),
with respect to entities whose activity involves continuous processing of client
data, indicates that "...the Supreme Court has understood that there is
recklessness whenever a legal duty of care is neglected, that is, when the
offender does not behave with the required diligence. And in assessing the degree of
diligence, the professionalism or not of the subject must be specially considered, and
there is no doubt that, in the case now examined, when the activity of the appellant
is one of constant and abundant handling of personal data, rigor and
exquisite care in complying with the legal provisions in this regard must be insisted upon.”

FOURTH PARTY LOGISTICS SL is a company dedicated to the transportation of
goods by rail on normal and narrow gauge track, freight transport
by road, other land transport, international maritime transport of goods
(except crude oil and gases), cabotage and transport by
inland waterways (except crude oil and gases).

Transport companies handle a very significant amount of data, both
data of clients and of their shipments, as well as that of employees and
suppliers.

FOURTH PARTY LOGISTICS SL is registered in the Mercantile Registry of Madrid; it is
a small-sized company whose share capital is in the range of 50,001 -
€100,000, with a number of employees between 11 and 50 and a sales amount of
between €3,000,001 and €50,000,000.

The balance of the circumstances contemplated in article 83.2 of the GDPR and
article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the
provisions of article 28.2 of the GDPR, allows initially setting a sanction of
€60,000 (SIXTY THOUSAND EUROS).

                                          VI
                Classification of the violation of article 28.3 of the GDPR


If confirmed, the aforementioned violations of article 28.3 of the GDPR could entail the
commission of the infractions classified in article 83.4 of the GDPR, which under the
heading “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for
the largest amount:
a) the obligations of the controller and the processor in accordance with articles 8, 11, 25 to
39, 42 and 43;
        (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are
contrary to this organic law, constitute infringements.”

For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:

“Based on what is established in article 83.4 of Regulation (EU) 2016/679,
infractions that involve a substantial violation of the articles mentioned therein
are considered serious and will prescribe after two years and, in particular, the
following:
(…)
k) Entrusting the processing of data to a third party without the prior formalization of a
contract or other written legal act with the content required by article 28.3 of
Regulation (EU) 2016/679. (…)”.

                                          VII
                 Penalty for violation of article 28.3 of the GDPR


For the purposes of deciding on the imposition of an administrative fine and its amount,
the sanction to be imposed should be graduated according to the following criteria that
Article 83.3 of the GDPR establishes:

As aggravating factors:

- b) The link between the offender's activity and the performance of processing
of personal data.

The Judgment of the National Court of 10/17/2007 (rec. 63/2006),
with respect to entities whose activity involves continuous processing of client
data, indicates that "...the Supreme Court has understood that there is
recklessness whenever a legal duty of care is neglected, that is, when the
offender does not behave with the required diligence. And in the assessment of the degree of
diligence, the professionalism or otherwise of the subject must be especially considered, and
there is no doubt that, in the case now examined, when the activity of the appellant
is one of constant and abundant handling of personal data, rigor and
exquisite care in complying with the legal provisions in this regard must be insisted upon.”

FOURTH PARTY LOGISTICS SL is a company dedicated to the transport of goods by
rail on normal and narrow gauge, transport of goods by road, other land
transport, international maritime transport of goods (except crude oil and
gases), cabotage transport and transport by inland waterways (except crude oil
and gases).

Transport companies handle a very significant amount of data: customer data,
data relating to their shipments, and the data of employees as well as
suppliers.


FOURTH PARTY LOGISTICS SL is registered in the Commercial Registry of Madrid. It
is a small-sized company whose share capital is in the range of 50,001 -
€100,000, with a number of employees between 11 and 50 and a sales amount of
between €3,000,001 and €50,000,000.


The balance of the circumstances contemplated in article 83.2 of the RGPD and
article 76.2 of the LOPDGDD, with respect to the infraction committed by
violating the provisions of article 28.3 of the RGPD, allows initially setting a
sanction of €60,000 (SIXTY THOUSAND EUROS).


                                         VIII
                                Adoption of measures

If the infraction is confirmed, it could be agreed to impose on the person
responsible the adoption of appropriate measures to adjust its actions to the
regulations mentioned in this act, in accordance with the provisions of the
aforementioned article 58.2 d) of the RGPD, according to which each supervisory
authority may “order the controller or processor to bring processing operations
into compliance with the provisions of this Regulation, where appropriate, in a
specified manner and within a specified period…”. The imposition of this measure
is compatible with the sanction consisting of an administrative fine, as
provided in art. 83.2 of the GDPR.

It is warned that failure to comply with the possible order to adopt measures
imposed by this body in the sanctioning resolution may be considered an
administrative offense in accordance with the provisions of the RGPD, classified
as an infringement in its article 83.5 and 83.6, and such conduct may give rise
to the opening of a subsequent administrative sanctioning procedure.


Therefore, in accordance with the above, by the Director of the Spanish Data
Protection Agency,

IT IS AGREED:


FIRST: START SANCTIONING PROCEDURE against FOURTH PARTY
LOGISTICS, S.L., with NIF B86496007, for the alleged violation of articles 28.2
and 28.3 of the RGPD, both typified in article 83.4 a) of the RGPD.

SECOND: APPOINT D.D.D. and, as secretary, E.E.E., indicating that any of them
may be challenged, if applicable, in accordance with the provisions of articles
23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public
Sector (LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining party and its documentation, as well as the
documents obtained and generated by the General Subdirectorate of Data
Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in article 64.2 b) of Law 39/2015, of
October 1, on the Common Administrative Procedure of Public Administrations
(hereinafter, LPACAP), the sanction that may apply, without prejudice to what
results from the investigation, would be:

SIXTY THOUSAND EUROS (€60,000) for alleged violation of article 28.2 typified in
Article 83.4 a) GDPR.


SIXTY THOUSAND EUROS (€60,000) for alleged violation of article 28.3 typified in
Article 83.4 a) GDPR.

FIFTH: NOTIFY this agreement to FOURTH PARTY LOGISTICS, S.L., with
NIF B86496007, granting a hearing period of ten business days so that it may
formulate the allegations and present the evidence it considers appropriate. In
its written allegations it must provide its NIF and the procedure number that
appears at the top of this document.

If within the stipulated period you do not make allegations to this initiation
agreement, it may be considered a proposal for a resolution, as established in
article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative
Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may recognize
your responsibility within the period granted for the formulation of allegations
to the present initiation agreement, which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at 96,000.00 euros, resolving the
procedure with the imposition of this sanction.


Likewise, you may, at any time prior to the resolution of this procedure, carry
out the voluntary payment of the proposed sanction, which will mean a reduction
of 20% of its amount. With the application of this reduction, the penalty would
be established at 96,000.00 euros and its payment will imply termination of the
procedure, without prejudice to the imposition of the corresponding measures.

The reduction for the voluntary payment of the penalty is cumulative with the
reduction that applies for recognition of responsibility, provided that this
recognition of responsibility becomes evident within the period granted to
formulate allegations at the opening of the procedure. Voluntary payment of the
amount referred to in the previous paragraph may be made at any time prior to
the resolution. In this case, if both reductions were to be applied, the amount
of the penalty would be established at 72,000.00 euros.


In any case, the effectiveness of either of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any administrative action or appeal
against the sanction.

In the event that you choose to proceed with the voluntary payment of any of the
amounts indicated above (96,000.00 euros or 72,000.00 euros), you must make it
effective by depositing it into the IBAN account number:
ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name
of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.,
indicating in the concept the reference number of the procedure appearing in the
heading of this document and the reason for the reduction of the amount to which
it applies.

Likewise, you must send proof of the deposit to the General Subdirectorate of
Inspection so that the procedure can continue in accordance with the amount
deposited.


The procedure will have a maximum duration of twelve months from the date
of the initiation agreement. After this period, it will expire and,
consequently, the proceedings will be archived, in accordance with the
provisions of Article 64 of the LOPDGDD.


Finally, it is noted that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.


                                                                                935-290523
Mar España Martí

Director of the Spanish Data Protection Agency



>>


SECOND: On July 3, 2023, the claimed party proceeded to pay the penalty in the
amount of 72,000 euros, making use of the two reductions provided for in the
initiation Agreement transcribed above, which implies the recognition of
responsibility.


THIRD: The payment made within the period granted to formulate allegations to
the opening of the procedure entails the waiver of any administrative action or
appeal against the sanction and the recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.



                            FOUNDATIONS OF LAW

                                            I
                                      Competence


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) grants each supervisory
authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic
Law 3/2018, of December 5, on Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data
Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the
provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict
them, on a subsidiary basis, by the general rules on administrative procedures."

                                            II

                             Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter, LPACAP), under the heading
"Termination in disciplinary proceedings" provides the following:


"1. Once a disciplinary procedure has been initiated, if the offender
acknowledges his responsibility, the procedure may be resolved with the
imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or a pecuniary sanction and
another of a non-pecuniary nature can be imposed but the inadmissibility of the
second has been justified, the voluntary payment by the alleged responsible, at
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the
determination of the compensation for damages caused by the commission of the
infringement.

3. In both cases, when the sanction has only a pecuniary nature, the body
competent to resolve the procedure will apply reductions of, at least, 20% of
the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of
initiation of the procedure and their effectiveness will be conditioned on the
withdrawal or waiver of any administrative action or appeal against the
sanction.

The reduction percentage provided for in this section may be increased by
regulation."


According to what has been stated,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: DECLARE the termination of the procedure EXP202208230, in accordance
with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to FOURTH PARTY LOGISTICS, S.L.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common
Administrative Procedure of Public Administrations, interested parties may file
a contentious-administrative appeal before the Contentious-Administrative
Chamber of the National Court, in accordance with the provisions of article 25
and section 5 of the fourth additional provision of Law 29/1998, of July 13,
regulating the Contentious-Administrative Jurisdiction, within a period of two
months from the day following the notification of this act, as provided for in
article 46.1 of the referred Law.



                                                                                 936-040822
Mar España Martí
Director of the Spanish Data Protection Agency