AEPD (Spain) - PS/00670/2022
AEPD - PS/00670/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(7) GDPR, Article 4(12) GDPR, Article 5(1)(f) GDPR, Article 32 GDPR, Article 58(2) GDPR, Article 83(1) GDPR, Article 83(2) GDPR, Article 83(4) GDPR, Article 83(5) GDPR, Article 47 LOPDGDD, Article 48(1) LOPDGDD, Article 63 LPACAP, Article 64 LPACAP, Article 64(2) LOPDGDD, Article 65 LOPDGDD, Article 68(1) LOPDGDD, Article 71 LOPDGDD, Article 73 LOPDGDD, Article 76 LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | 15.03.2018 |
Decided: | |
Published: | 03.06.2024 |
Fine: | 55000 |
Parties: | GEOPOST ESPAÑA, S.L. A.A.A. |
National Case Number/Name: | PS/00670/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | isabela.maria.rosal |
The DPA fined a delivery company €55,000 after it left a note containing the data subject's personal data on their mailbox, where it was accessible to various people. It found a violation of Articles 5(1)(f) and 32 GDPR.
English Summary
Facts
SEUR was charged with picking up an Amazon return package from the data subject on 29 August 2022. The data subject requested pickup at their address, but Amazon erroneously indicated an incorrect address. On the same day, the data subject requested that Amazon modify the address. However, on 6 September 2022, the data subject learned that a mailperson from SEUR had left a note on a mailbox at a different address than the one requested, within view of any neighbor or visitor, stating their personal data including their name, address and phone number.
On 12 September 2022, the data subject filed a complaint with the Spanish DPA (AEPD). The complaint was directed against SEUR, but by then, SEUR had been absorbed by GEOPOST ESPAÑA, S.L. (the controller) in a merger; thus, the AEPD considered GEOPOST the controller and applied the proceedings to it. The controller stated that the incident had occurred as a result of human error: a mailperson had gone to what they believed to be the data subject's home to pick up the package, but the data subject was not there, so the mailperson left a note taped to their mailbox. The controller stated that it has data protection materials for its employees and noted that its delivery manual instructs that deliveries and pickups be made to the consignee and that, in the event of their absence, a notice of absence should be left under the door, in the door wedge or in the mailbox. It also stated that it makes over 50 million deliveries a year, and that human error is not habitual but is impossible to avoid completely.
Holding
The AEPD held that the controller breached the data processing principle of integrity and confidentiality (Article 5(1)(f) GDPR) and the security of processing (Article 32 GDPR) and fined it €55,000.
First, the AEPD determined that the initial delivery company was incorporated by GEOPOST, which should be considered as the controller for the procedure.
The AEPD considered that the confidentiality of the data subject's information was not guaranteed in accordance with Article 5(1)(f) GDPR. In fact, it was posted such that any neighbour or visitor could see extensive personal data. With regard to Article 32 GDPR, the AEPD noted that the provision is infringed both if the controller fails to adopt appropriate measures to ensure the security of personal data and if these measures are established but not observed. In this case, even though there were acceptable security practices in place, a personal data confidentiality breach still occurred; thus, the AEPD found, Article 32 GDPR was infringed. The policies were insufficient to defend the infraction and also could not be considered as mitigating measures for the sanction.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202210818 (PS/00670/2022)
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: Mrs. A.A.A. (hereinafter, the complaining party), on September 12, 2022, filed a claim with the Spanish Data Protection Agency. The claim is directed against GEOPOST ESPAÑA, S.L. (absorbing company of the extinct SEUR, S.A.), with NIF B85645349 (hereinafter, GEOPOST). The grounds on which the claim is based are the following:
The complaining party states that GEOPOST was in charge of collecting an Amazon product at address ***ADDRESS.1 on 08/29/2022. However, Amazon incorrectly indicated the address, since at that time the complaining party was in ***LOCALITY.1. On August 29, 2022, the complaining party requested Amazon to modify the address. On September 6, 2022, she learned through relatives who passed by the house that a delivery man from the claimed company had left a notice on the outside of the mailbox of her home in ***LOCALITY.2, in view of any neighbor or visitor to the property, in which her personal data appeared, specifically her first and last name, postal address and telephone number. This label was displayed in a transit area until September 6, 2022, the date on which it was removed.
Along with the claim, she provides a copy of the message received in her email on the date of collection of the package, sent by the claimed party; the email sent by Amazon to the complaining party showing the correction of the package pick-up address; and various images of the label displayed on the outside of the mailbox of her address at ***LOCALITY.2.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), said claim was communicated to the claimed party, so that it could analyze it and report to this Agency, within a period of one month, on the actions carried out to adapt to the requirements provided for in the data protection regulations.
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), through electronic notification, was received on October 17, 2022, as stated in the certificate in the file.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
On November 14, 2022, this Agency received a written response from the claimed party in which it states the following:
- That on August 30, 2022, a GEOPOST delivery person went to the claimant's address to make a collection.
- That the claimant was absent at the time of collection.
- That, consequently, the delivery person left an absence notice posted on the outside of the claimant's mailbox.
Thus, after analyzing the facts, GEOPOST considers that the incident occurred as a result of human error on the part of the delivery person, who should have left the notice inside the mailbox or under the door, as indicated by the GEOPOST manual, and not posted on the outside of the mailbox.
In this sense, GEOPOST informs the AEPD that, in compliance with the obligations of the regulations applicable to its transport activity, it has implemented the corresponding corporate procedures and manuals, which determine the guidelines to follow for the correct delivery or collection of merchandise.
Specifically, it is indicated that GEOPOST has a manual with the operations that delivery drivers must follow, the so-called “Delivery Operative Manual”, a document that is delivered to them at the time of contracting or at the beginning of the provision of the service with GEOPOST. The section “Operation in Route” of said manual specifies the obligation that the delivery of the merchandise must always be made to the recipient and that, in case of absence of the recipient, an absence notice will be left at the address under the door, on the door wedge or in the mailbox. Screenshots of the manual are included as Annex I, showing the obligations of the delivery people for the correct delivery or collection of merchandise.
In addition, it states that GEOPOST provides regular training to delivery drivers about the obligations established in the different corporate procedures and manuals, emphasizing the importance of making good use of, and diligently handling, the personal data of senders, recipients and/or authorized persons that they manage on a daily basis. Specifically, one of the latest training actions carried out consisted of disseminating a video called “Good practices in Privacy”.
For all this, it confirms that the incident occurred due to specific malpractice of the delivery person, who did not follow the company's internal protocols. However, and as a result of the incident that occurred, GEOPOST has reiterated the commitment that all delivery drivers comply with what is established in the different procedures, policies and manuals made available to them in order to correctly carry out deliveries and returns, as well as to act diligently with regard to the personal data they process in compliance with their job functions or service provision.
Finally, it indicates that GEOPOST manages a large volume of deliveries and collections daily, with delivery people properly following the company's internal protocols, without incidents similar to the one that is the object of this claim. In 2021 alone, the volume managed was more than 50 million deliveries and collections, and it considers that the malpractice of the delivery person is an event that does not resemble normal operations.
THIRD: On December 2, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.
FOURTH: According to the report collected from the AXESOR tool, the extinct SEUR, S.A. (absorbed by GEOPOST ESPAÑA, S.L.) is a medium-sized company established in 1984, with a turnover of (…) € in 2021.
FIFTH: On May 22, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 5.1.f) of the RGPD, typified in article 83.5 of the RGPD, as well as for the alleged violation of article 32 of the RGPD, typified in article 83.4 of the RGPD.
SIXTH: After the aforementioned initiation agreement was notified on May 23, 2023, in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), GEOPOST presented a written statement of allegations in which, in summary, it stated that: the incident occurred due to poor practice by the delivery person, who failed to comply with the company's instructions and internal protocols; it was not possible to commit a violation of article 5.1 f) without also committing a violation of article 32 of the RGPD, so only the sanction corresponding to the most serious infraction committed should be imposed (art. 29.4 of the LRJSP); it considers it proven that it has adopted appropriate measures (protocols, periodic training plan...) depending on the risk; and, finally, with respect to aggravating factors, the volume of orders managed by GEOPOST and the exceptional nature of this type of case were not taken into account, nor were other circumstances taken into account as mitigating circumstances to reduce the sanctions.
SEVENTH: On January 31, 2024, the investigating body of the procedure formulated a proposed resolution, in which it proposes that the Director of the AEPD sanction GEOPOST, with NIF B85645349, for a violation of Article 5.1.f) of the RGPD, typified in article 83.5 of the RGPD, with a fine of €40,000 (forty thousand euros), and for the alleged violation of article 32 of the RGPD, typified in article 83.4 of the RGPD, with a fine of €15,000 (fifteen thousand euros).
This proposed resolution, which was notified to GEOPOST in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (LPACAP), was collected on February 1, 2024, as stated in the acknowledgment of receipt in the file.
EIGHTH: On February 14, 2024, this Agency received, in due time and form, a letter from GEOPOST presenting allegations to the proposed resolution in which, in summary, it claimed a violation of the right to defense due to the absence of accreditation of the facts of which it is accused.
From the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited:
PROVEN FACTS
FIRST: On August 29, 2022, at 10:38 a.m., AMAZON sent the complaining party an email from the address (...)@amazon.es with the following content:
“Hello, A.A.A. I hope you are having a great day and have a great week! You talk to B.B.B., Amazon.es customer service agent, who had the pleasure of helping you today.
I appreciate the time you have so kindly taken to contact us and so we can do everything necessary to improve the service we provide you. Initially I apologize for the difficulties encountered with your order, please that you deserve quality service and I want you to know that you have nothing to worry about since you have our support in all your purchases and the solution that we will always look for the one that benefits you the most.
As we agreed today, SEUR will collect the package within 72 business hours. You do not need to print any return labels. SEUR will take care of providing the label and it will be attached to the package when they arrive to pick up the product.
Address: A.A.A. ***ADDRESS.2 Main phone ***PHONE.1
I hope I have solved your request, it was a pleasure to assist you today, I have done everything in my power to provide you with the best answer, so you can have the best Customer service experience on Amazon.es. […]”
SECOND: On August 29, 2022, at 1:14 p.m., GEOPOST sent the complaining party an email from the address infoenvios@mail.seur.info with the following content:
“Hello A.A.A. Pickup of your shipment is estimated today between 1:45 p.m. and 2:45 p.m. Collection data Shipping number: (...) Address: ***ADDRESS.1”
THIRD: In the photographs in the file (pages 7 to 8), provided by the complaining party together with the claim, the exterior of a mailbox inside a doorway of a building can be seen. A “SEUR” note is attached to the mailbox, in which personal data of the complaining party appear, specifically her name and surname, postal address and telephone number, with “AMAZON – returns” as recipient.
In response to the transfer of the claim of October 17, 2022 made by this Agency, GEOPOST sent a response on November 14, 2022, which states that:
“…after receiving this information request, SEUR, S.A. has proceeded to investigate the events that occurred and has verified the following:
- That on August 30, 2022, a SEUR, S.A. delivery driver went to the claimant's address to make a collection.
- That the claimant was absent at the time of collection.
- That, consequently, the delivery man left an absence notice posted on the outside of the claimant’s mailbox.” (emphasis is ours)
Therefore, GEOPOST recognizes the veracity of the content of the photograph provided by the complaining party. Consequently, it is considered proven that the label was attached to the mailbox by the GEOPOST delivery man.
FOURTH: On August 3, 2023, an announcement was published in the BORME of the merger by absorption of GEOPOST ESPAÑA, S.L. (absorbing company) and SEUR, S.A. (absorbed company).
FOUNDATIONS OF LAW
I
Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II
Previous Issues
GEOPOST ESPAÑA, S.L. has carried out a corporate merger by absorption of SEUR, S.A., according to the agreement referred to in the Fourth Proven Fact, acquiring by universal succession all the rights and obligations of SEUR, S.A., which is declared extinct.
In this way, the present procedure, initiated against SEUR, S.A., continues its processing with GEOPOST ESPAÑA, S.L. as the claimed party.
GEOPOST is a leading company in urgent transportation and comprehensive logistics in Spain that processes personal data for the development of its activity, personal data being understood as: “all information about an identified or identifiable natural person.”
It carries out this activity in its capacity as data controller, given that it is the one that determines the purposes and means of such activity, under article 4.7 of the GDPR:
"responsible for the treatment" or "responsible": the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of treatment; if Union or Member State law determines the purposes and means of the treatment, the person responsible for the treatment or the specific criteria for their appointment may be established by Union or Member State law.
An identifiable natural person is considered one whose identity can be determined, directly or indirectly, in particular through an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of said person.
Likewise, treatment should be understood as “any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, collating or interconnecting, limiting, deleting or destroying.”
Article 4 section 12 of the GDPR broadly defines “violations of security of personal data” (hereinafter security breach) as “all those security violations that cause the destruction, loss or accidental or illicit alteration of personal data transmitted, preserved or processed otherwise, or unauthorized communication or access to said data.”
The reported facts materialize in access by uninterested third parties to personal data of the complaining party due to malpractice by a delivery person who did not follow internal company protocols.
In the present case, there is a personal data security breach in the circumstances indicated above, categorized as a breach of confidentiality, since the claimed party has exposed personal information and data without a legitimizing legal basis, when a delivery person left an absence notice attached to the outside of the claimant's mailbox (whose label only indicated the number and letter of the apartment), in which her personal data appeared: name, surname, postal address and telephone number.
According to GT29, a “Violation of confidentiality” occurs when there is an unauthorized or accidental disclosure of personal data, or access to them.
Within the treatment principles provided for in article 5 of the RGPD, the integrity and confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR.
For its part, the security of personal data is regulated in article 32 of the RGPD, which regulates the security of the treatment.
III
Response to the allegations made by GEOPOST to the initiation agreement and the allegations adduced to the proposed resolution
A) In relation to the allegations made to the agreement to initiate this sanctioning procedure, we proceed to respond to them in the order set out by GEOPOST in its brief:
“FIRST.- Regarding the issue that is the subject of the sanctioning procedure, the receipt of the request for information from the AEPD by GEOPOST and the response carried out by GEOPOST.”
Firstly, the claimed party alleges that the incident occurred due to poor practice of the delivery person, who failed to comply with the instructions and internal protocols of the company, even using a specific document (shipping identification label) for a purpose incompatible with that for which it had been designed by GEOPOST.
In response to this allegation, it should be noted that security measures must be adopted in response to each and every one of the risks present in a processing of personal data, including the human factor.
The employee's negligent actions do not exempt from liability GEOPOST, responsible for the data processing now analyzed, since, as defined in art. 4.7 of the RGPD, it is the entity that determines the purpose and means of the treatments performed.
The responsibility of the company in the area of sanctions for the negligent action of an employee that involves non-compliance with data protection regulations has been confirmed by the jurisprudence of the Supreme Court. In this regard, it is worth mentioning the Supreme Court Ruling no. 188/2022 (Litigation Chamber, Section 3), of February 15, 2022 (rec. 7359/2020), whose Fourth Legal Basis provides:
“The fact that it was the negligent action of an employee does not exempt him from his responsibility as the person in charge of the correct use of security measures that should have guaranteed the proper use of the security system designed data record. As we already stated in STS No. 196/2020, of December 15, February 2021 (rec. 1916/2020) the person in charge of the treatment is also responsible for the performance of its employees and cannot excuse itself in its diligent performance, separately from the actions of its employees, but rather it is the "guilty" action of these, as a consequence of the violation of existing security measures, which bases the responsibility of the company in the area of sanctions for acts “own” by their employees or positions, not third parties.”
The ruling continues arguing about the responsibility of legal entities in our system: “…It simply happens that, the direct responsibility of legal persons being admitted in our Administrative Law, and their infringing capacity therefore being recognized, the subjective element of the infringement is reflected in these cases in a different way than with respect to natural persons, so that, as indicated by the constitutional doctrine that we have previously reviewed -SsTC STC 246/1991, December 19 (F.J. 2) and 129/2003, of June 30 (F.J. 8) - direct blameworthiness derives from the legal good protected by the rule that is violated and the need for said protection to be truly effective and for the risk that, consequently, the legal entity that is subject to compliance with said standard must assume." (emphasis added)
For all the above reasons, this allegation is rejected.
“SECOND.- Regarding the Agreement to Start the Sanctioning Procedure and the infractions proposed by the AEPD”
Regarding the Agreement to Start Sanctioning Procedures and the infractions established by this Agency, GEOPOST considers that in this case, faced with a single conduct (the deliveryman mistakenly affixed the package label to the outside of the mailbox), there would be no possibility of committing a violation of article 5.1 f) without the commission, in turn, of a violation of Article 32 of the GDPR, since Article 32 of the GDPR is a more concrete and detailed specification of the general principle established in article 5.1 f) of the RGPD, which is why it requests that, in the event that an infringement on the part of GEOPOST is found, article 29.5 of the LRJSP be applied, which states that: “When the commission of an infraction necessarily results in the commission of another or others, only the sanction corresponding to the most serious infraction committed should be imposed.”
The guarantee of confidentiality and the security of the treatment are fundamentally reflected in two independent precepts of the GDPR: article 5.1.f) and article 32 of the RGPD, respectively.
Article 5.1.f) of the RGPD includes the principle of integrity and confidentiality and determines that personal data will be processed in such a way as to guarantee adequate security of personal data, including protection against unauthorized or illicit treatment and against its loss, destruction or accidental damage, through the application of technical or organizational measures.
On the other hand, article 32 of the GDPR establishes how the security of the processing must be articulated in relation to the specific security measures that must be implemented, in such a way that, taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the processing, as well as risks of varying probability and severity to the rights and freedoms of natural persons, the person responsible and the person in charge of the treatment will apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk that includes, among other issues, the ability to guarantee data confidentiality.
From the examination of the proven facts and the documentation in the file, two violations can be clearly differentiated, based on different facts and foundations. The following specifies what conduct constitutes a violation of article 5.1.f) of the RGPD and what constitutes a violation of article 32 of the RGPD:
A) Violation of article 5.1.f) of the RGPD.
As we can see, article 5.1.f) of the RGPD strictly requires that confidentiality and integrity be guaranteed, and requires a loss of confidentiality and/or integrity. We may encounter cases in which inadequate measures exist without there being a loss of integrity and confidentiality.
The European legislator has imposed an obligation of result to guarantee compliance with this principle.
In addition, article 5.1.f) of the RGPD mentions the application of technical or organizational measures without restricting it to technical or organizational security measures. The measures referenced in art. 5.1.f) of the GDPR can be of any type, encompassing all those that serve to guarantee confidentiality and integrity.
In the present case, the confidentiality of the personal data of the complaining party has not been guaranteed, which represents a violation of article 5.1.f) of the RGPD, since the delivery person left visible to any neighbor or visitor to the property personal data of the complaining party, specifically her name and surname, postal address and telephone number, which were seen, at least, by the persons who informed the complaining party that the label was attached to her mailbox when she was absent from her home.
B) Violation of article 32 of the RGPD.
The facts proven in the procedure show that the claimed party exposed information and personal data when a delivery person left an absence notice affixed to the outside of the claimant's mailbox (whose label only indicated the number and letter of the apartment), in which her personal data appeared: name, surname, postal address and telephone number.
The breach of technical and organizational measures is evident, since GEOPOST is responsible for making decisions aimed at effectively implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, ensuring the confidentiality of the data, restoring their availability and preventing access to them in the event of a physical or technical incident, as required by article 32 of the GDPR.
From all this, a lack of due diligence is deduced both in compliance with the established security measures and in the supervision or verification of their observance and/or suitability. In this regard, it is noted that article 32 of the RGPD is violated both if the responsible party does not adopt appropriate technical and organizational measures to ensure the security of personal data, and if, once these are established, they are not observed.
That said, article 32.1 includes an obligation of means and not an obligation of result. In effect, it indicates that “the person responsible and the person in charge of the treatment will apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk”, that is, it imposes the obligation to establish a level of security, and that level must be a function of the risk analysis that every responsible party must carry out in accordance with section 2 of said article:
"2. When evaluating the adequacy of the security level, particular account will be taken of the risks presented by data processing, in particular as a consequence of accidental or unlawful destruction, loss or alteration of personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data.”
The technological evolution and sophistication of systems for unauthorized access to data systems means that regulations cannot unconditionally impose a total assurance of the absence of integrity or confidentiality breaches. But it does require that those responsible for the treatments carry out a risk analysis and implement an “adequate security level” for them. This duty is therefore characterized as an obligation of means. This has been declared by the Supreme Court in its recent ruling of February 15, 2022:
“The obligation to adopt the necessary measures to guarantee the security of personal data cannot be considered an obligation of result, which implies that, if a personal data leak occurs to a third party, there is liability regardless of the measures adopted and the activity carried out by the responsible for the file or processing.
In the obligations of means the commitment that is acquired is to adopt the technical and organizational means, as well as deploying diligent activity in its implementation and use that tends to achieve the expected result with means that can reasonably be classified as suitable and sufficient for its achievement. For this reason, they are called "diligence" or "behavioral" obligations.
The difference lies in the responsibility in both cases, because while in the obligation of result one is liable in the event of a harmful result due to the failure of the security, whatever its cause and the diligence used, in the obligation of means it is enough to carry out a risk analysis, establish technically appropriate measures, implement them correctly and use them with reasonable diligence. In the latter, the sufficiency of the security measures that the person responsible must establish must be put in relation to the state of technology at all times and the level of protection required in relation to the personal data processed, but a result is not guaranteed. As established in art. 31 of Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and the free circulation of these data and which repeals Directive 95/46/EC, by establishing regarding the security of the processing that the appropriate technical and organizational measures are "Taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the processing, as well as risks of varying probability and severity to the rights and freedoms of natural persons […]".
We have already reasoned that the obligation that falls on the controller regarding the adoption of the measures necessary to guarantee the security of personal data is not an obligation of result but of means, and the infallibility of the measures adopted is not required. Only the adoption and implementation of technical and organizational measures is required which, in accordance with the state of technology and in relation to the nature of the processing carried out and the personal data in question, reasonably make it possible to avoid their alteration, loss, or unauthorized processing or access. Having established the above, the obligation of means imposed by article 32 of the GDPR consists of adopting security measures in the processing, aimed at preventing a personal data breach from occurring in it. These obligations must be established based on the risks that have been analyzed, taking into account the state of technology at each moment and the level of protection required in relation to the personal data processed. For all the above reasons, this allegation is rejected.
“THIRD.- Regarding the alleged violation of article 5.1 f) of the GDPR and/or article 32 of the GDPR indicated by the AEPD”
In this allegation, GEOPOST maintains that it has adopted appropriate measures (protocols, periodic training plan...) depending on the risk. In response to this argument, GEOPOST's commitment to compliance with current data protection regulations, guaranteeing the security and confidentiality of the processing of personal data through the application of technical and organizational security measures, although it reflects positive behavior, does not undermine the verified facts. For all the above reasons, this allegation is rejected.
“FOURTH.- Regarding the classification of the infraction and the possible sanction to be imposed by the AEPD.”
GEOPOST considers that the amount of the penalty is excessive because, on the one hand, with respect to the aggravating factors, the volume of orders that GEOPOST manages and the fact that this is an exceptional event have not been taken into account, and, on the other hand, a series of mitigating circumstances have not been assessed, such as lack of intentionality, due diligence or the rapid action by GEOPOST. In contrast to what was expressed by GEOPOST, it is worth highlighting the classification of the infractions and sanctions established in the initiation agreement, in which article 83.5 of the GDPR establishes that the violation of article 5 of the GDPR can be sanctioned “with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the highest amount”. Therefore, a significant reduction of this is already applied. The STS, 3rd Chamber, of December 16, 2003 (Rec. 4996/98) already indicated that the principle of proportionality of sanctions requires that "the discretion that is granted to the Administration for the application of the sanction be exercised by weighing in every case the concurrent circumstances, in order to achieve due proportionality between the alleged facts and the responsibility demanded." This principle of proportionality is not understood to be violated, considering the sanction proposed to the entity for the proven facts and having weighed the concurrent circumstances, which are detailed below, taking into account, in addition, the maximum limit of the amount of sanctions established in art 83.4 GDPR.
Regarding the claim that no mitigating circumstance has been considered, since there is a series of behaviors on the part of GEOPOST that, by virtue of the interpretation criteria of articles 83.2 GDPR and 76.2 LOPD, should have been taken into account as mitigating factors in order to graduate appropriately the sanction proposed by the AEPD, it is worth noting that the GDPR expressly provides for the possibility of graduation, through fines that can be modulated, taking into account a series of circumstances of each individual case. All these circumstances have been taken into account when setting the sanction. The claimed party is an entity that manages a large volume of deliveries and collections of packages from customers whose personal data is processed systematically in the exercise of its powers. This circumstance determines a greater degree of demand and professionalism and, consequently, of responsibility of the entity in relation to the processing of personal data. Consequently, the arguments presented do not undermine the essential content of the infraction that is declared committed, nor do they constitute a cause for sufficient justification or exculpation. For all the above reasons, this allegation is rejected.
B) In relation to the allegations made against the proposed resolution of this sanctioning procedure, the following answer is given:
“First and only.- Infringement of the right to defense due to lack of accreditation of the facts that are charged.”
According to GEOPOST, it cannot be assured, without reasonable doubt, that it was the delivery person from this company who left a note attached to the claimant party's mailbox with her personal data, which could have been attached to the mailbox by a third party.
It adds that the claim was initiated by an indirect witness, without the claimant party having affirmed in the claim before the AEPD that it was the Company's delivery person who attached the document to the mailbox. In short, to the extent that the authorship of the act from which this procedure originates has not been proven, the violation of the right of defense is evident, as no evidence has been taken to prove these facts. In response to the argument made by GEOPOST, which questions who left the note attached to the complaining party's mailbox, it appears in the Third Proven Fact of this resolution that, following the transfer of the claim of 17 October 2022 made by this Agency, GEOPOST sent a response on 14 November 2022, in which it is said that: “…after receipt of this information requirement, SEUR, S.A. has proceeded to investigate the facts that occurred and has verified the following:
- That on August 30, 2022, a SEUR, S.A. delivery driver went to the claimant's address to make a collection.
- That the claimant was absent at the time of collection.
- That, consequently, the delivery man left an absent notice posted on the outside of the claimant’s mailbox.” (emphasis is ours)
As can be seen, in the response sent by GEOPOST regarding the transfer of the claim, the act was attributed, according to its own investigations, to this company's delivery person, who left the warning note (that is what it is literally named in its writing) affixed to the outside of the complaining party's mailbox.
Furthermore, these events were ratified in the allegations to the initiation agreement presented by GEOPOST: “As reported in the response letter, the SEUR delivery person went to the claimant's home to make a collection, but the claimant was absent at the time of collection so, consequently, the delivery man taped on the outside of the claimant's mailbox the label of the package, as can be seen in the images included in the claim, skipping SEUR's instructions and internal protocols” (emphasis added). On the other hand, GEOPOST must preserve the confidentiality of its clients' data, so the possibility that the note, as GEOPOST states, could have been posted by a third party on the complaining party's mailbox also implies the existence of responsibility attributable to GEOPOST, since the fact that an unauthorized third party accesses the personal data of the complaining party by being in possession of the sticky note or sticker is in itself a violation of the confidentiality of the complaining party's data, due to lack of diligence in the custody of the sticky note. There is no reason that justifies that the sticky note with the personal data of the complaining party that the GEOPOST delivery person was carrying could be in the hands of a third party, a sticker that was not going to be used because it was impossible to collect the package that was going to be returned, due to the absence of the complaining party from their home; an absence that was duly communicated as stated in the First Proven Fact. Regarding security measures, GEOPOST points out that the sticky note with the data of the complaining party was not a “notice of absence from home”, since that type of notice is usually sent to the client's email, but is the sticker that is attached to the package when a return is collected.
GEOPOST does not justify that the technical and organizational measures are appropriate to ensure a level of security appropriate to the risk, in order to protect its customers' personal data appearing on the return collection labels of a package, which poses a risk to the rights and freedoms of natural persons, as has been revealed in this case. Article 32 of the GDPR establishes how the security of processing must be articulated in relation to the specific security measures that must be implemented, in such a way that, taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for the rights and freedoms of natural persons, the controller and the processor will apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk that include, among other issues, the ability to guarantee the confidentiality of the data. The Court of Justice of the European Union has ruled on the application of Article 32 of the GDPR in the exercise of its power to give preliminary rulings on the validity and interpretation of the acts adopted by the institutions, bodies or agencies of the Union, in accordance with the provisions of article 267 of the Treaty on the Functioning of the European Union.
In a ruling dated 14 December 2023, in case C-340/21, it resolves a preliminary question raised by a court regarding “whether the principle of liability of the controller, set out in Article 5(2) of the GDPR and developed in article 24 of this, must be interpreted in the sense that, … the controller bears the burden of proof of the appropriateness of the security measures that it has adopted in accordance with article 32 of the aforementioned Regulation”, establishing the following: “From Articles 5, paragraph 2, 24, paragraph 1, and 32, paragraph 1, of the GDPR it follows unequivocally that the burden of proving that personal data are processed in such a way as to ensure adequate security, in the sense of Articles 5, paragraph 1, letter f) and 32 of said Regulation, falls on the controller in question [see, by analogy, the rulings of May 4, 2023, Bundesrepublik Deutschland (Judicial electronic mailbox), C-60/22, EU:C:2023:373, sections 52 and 53, and of July 4, 2023, Meta Platforms and others (Conditions of the service of a social network), C-252/21, EU:C:2023:537, paragraph 95].” (paragraph 52 of the judgment)
Consequently, in the response to the transfer of the claim, GEOPOST stated that the note was posted by the delivery person and, in any case, GEOPOST is responsible for ensuring that the data of its clients is not made available to third parties not authorized to access it. Regarding the technical and organizational measures adopted by GEOPOST in the collection of returned packages, this case has shown that they do not guarantee a level of security appropriate to the risk to protect its customers' personal data (name, surnames, address and telephone number) appearing on the return collection labels of a package.
Therefore, the first of the measures to be considered by GEOPOST is, taking into account the state of the art and the costs of application, whether it is necessary that all these personal data of its clients appear on the returned package collection stickers. For all the above reasons, this allegation is rejected.
IV Confidentiality principle
Article 5.1.f), “Principles relating to processing”, of the GDPR establishes: "1. Personal data will be: a) (…) f) processed in such a way as to ensure adequate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures (“integrity and confidentiality”).”
In relation to this principle, Recital 39 of the aforementioned GDPR states that: “[…] Personal data must be processed in a way that guarantees appropriate security and confidentiality of personal data, including to prevent unauthorized access to or use of said data and the equipment used in the processing.”
The documentation in the file offers clear indications that the claimed party violated article 5.1 f) of the GDPR, principles relating to processing. In the present case, it is clear that the personal data of the complaining party, such as their name, surname, postal address and telephone number recorded on the notice note posted on the outside of the mailbox, were improperly exposed to third parties, violating the principle of confidentiality, when, moreover, the mailbox label indicated only the number and letter of the apartment. In accordance with the evidence available at the present time of resolution of the sanctioning procedure, it is considered that the known facts constitute an infraction, attributable to GEOPOST, for violation of article 5.1.f) of the GDPR.
V Classification of the violation of article 5.1.f) of the GDPR
The aforementioned violation of article 5.1.f) of the GDPR implies the commission of one of the violations classified in article 83.5 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides: “Infractions of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the largest amount: a) the basic principles for the processing, including the conditions for consent under articles 5, 6, 7 and 9; (…)”
In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”
For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)”
VI Unfulfilled obligation. Data security.
Article 32 of the GDPR, security of processing, establishes the following: "1.
Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for the rights and freedoms of natural persons, the controller and the processor will apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, which, if applicable, includes, among others:
a) pseudonymization and encryption of personal data;
b) the ability to guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore availability of and access to personal data quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing.
2. When evaluating the adequacy of the security level, particular account will be taken of the risks presented by data processing, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to said data.
3. Adherence to a code of conduct approved under Article 40 or to a certification mechanism approved pursuant to article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article.
4.
The controller and the processor will take measures to ensure that any person acting under the authority of the controller or the processor who has access to personal data can only process said data following the instructions of the controller, unless obliged to do so by virtue of the law of the Union or the Member States.”
From the documentation in the file, there are clear indications that the claimed party has violated article 32 of the GDPR, as a security incident occurred in which personal information and data were disclosed to third parties, when a delivery person left an absent notice note taped to the outside of the claimant's mailbox, on which their personal data appeared: name, surname, postal address, as well as telephone number, visible to any neighbor or visitor to the property, when the mailbox label only indicated the number and letter of the apartment. As stated in the response letter dated November 14, 2022, the claimed party considers that the incident occurred as a consequence of an error on the part of the delivery person, who should have left the warning note inside the mailbox or under the door as indicated in the GEOPOST manual and not stuck to the outside of the mailbox. In this sense, it should be noted that security measures must be adopted in response to each and every one of the risks present in a processing of personal data, including among them the human factor. It should be noted that the GDPR in the aforementioned provision does not establish a list of the security measures that are applicable according to the data being processed, but establishes that the controller and the processor will apply technical and organizational measures that are appropriate to the risk involved in the processing, taking into account the state of the art, the costs of application, the nature, scope, context and purposes of the processing, and the risks of varying probability and severity for the rights and freedoms of the interested parties. Likewise, security measures must be appropriate and proportionate to the detected risk, pointing out that the determination of the technical and organizational measures must be carried out taking into account: pseudonymization and encryption; the ability to guarantee confidentiality, integrity, availability and resilience; the ability to restore availability and access to data after an incident; and a process of verification (not audit), evaluation and assessment of the effectiveness of the measures. In any case, when evaluating the adequacy of the security level, particular account will be taken of the risks presented by data processing, as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to said data, which could cause physical, material or immaterial damage.
In this same sense, recital 83 of the GDPR states that: “(83) In order to maintain security and prevent processing from violating the provisions of this Regulation, the controller or processor must assess the risks inherent to the processing and apply measures to mitigate them, such as encryption. These measures must ensure an adequate level of security, including confidentiality, taking into account the state of the art and the cost of their application with regard to the risks and the nature of the personal data to be protected.
When assessing risk in relation to data security, account must be taken of the risks arising from the processing of personal data, such as the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data, which may in particular cause physical, material or immaterial damage.”
The responsibility of the claimed party is determined by the breach of the technical and organizational measures, since it is responsible for making decisions aimed at effectively implementing appropriate technical and organizational measures to guarantee a level of security appropriate to the risk to ensure the confidentiality of the data, restoring its availability and preventing access to it in the event of a physical or technical incident. In accordance with the evidence available at the present time of resolution of the sanctioning procedure, it is considered that the known facts constitute an infringement, attributable to GEOPOST, for violation of article 32 of the GDPR.
VII Classification of the violation of article 32 of the GDPR
The aforementioned violation of article 32 of the GDPR implies the commission of one of the violations classified in article 83.4 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides: “Infractions of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total global annual business volume of the previous financial year, opting for the largest amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)”
In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”
For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented as required by article 32.1 of Regulation (EU) 2016/679.”
VIII Sanctions to impose
In order to determine the administrative fine to impose, the provisions of articles 83.1 and 83.2 of the GDPR must be observed, which indicate: "1.
Each supervisory authority will ensure that the imposition of administrative fines under this article for violations of this Regulation indicated in sections 4, 5 and 6 is in each individual case effective, proportionate and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account:
a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages that they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have implemented under articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
i) when the measures indicated in Article 58(2) have been previously ordered against the controller or processor in question in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to certification mechanisms approved in accordance with article 42;
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”
For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD provides: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuous nature of the infringement.
b) The linking of the offender's activity with the carrying out of personal data processing.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the commission of the infraction.
e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when it is not mandatory, a data protection officer.
h) Voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party."
Penalty for violation of article 5.1.f) of the GDPR
In accordance with the transcribed precepts, in order to set the amount of the penalty for violation of article 5.1 f) of the GDPR, imposed on the claimed party as responsible for the cited infraction classified in article 83.5 of the GDPR, the fine should be graduated as follows:
As a circumstance taken into account as aggravating: Article 76.2 b) LOPDGDD: “The linking of the offender's activity with the carrying out of personal data processing”. It is a known fact that the claimed party is an entity that manages a large volume of deliveries and collections of packages from customers whose personal data are processed systematically in the exercise of its powers. This circumstance determines a higher degree of demand and professionalism and, consequently, of responsibility of the entity in relation to the processing of personal data.
As a circumstance taken into account as mitigating: Article 76.2.e) of the LOPDGDD: “The existence of a merger by absorption process after the commission of the infraction, which cannot be attributed to the absorbing entity." The merger by absorption process, in which GEOPOST ESPAÑA, S.L. (absorbing company) has merged with SEUR, S.A. (absorbed company), producing the extinction of the latter, allows the application of this circumstance as a factor mitigating the responsibility of the absorbing entity.
Considering the factors set out, the assessment reached for the amount of the fine is €40,000.00 (forty thousand euros) for the violation of article 5.1 f) of the GDPR, regarding the violation of the principle of confidentiality.
Penalty for violation of article 32 of the GDPR
In accordance with the transcribed precepts, in order to set the amount of the penalty for violation of article 32 of the GDPR, imposed on the claimed party as responsible for the cited infraction classified in article 83.4 of the GDPR, the fine should be graduated as follows:
As a circumstance taken into account as aggravating: Article 76.2 b) LOPDGDD: “The linking of the offender's activity with the carrying out of personal data processing”. It is a known fact that the claimed party is an entity that manages a large volume of deliveries and collections of packages from customers whose personal data are processed systematically in the exercise of its powers. This circumstance determines a higher degree of demand and professionalism and, consequently, of responsibility of the entity in relation to the processing of personal data.
As a circumstance taken into account as mitigating: Article 76.2.e) of the LOPDGDD: “The existence of a merger by absorption process after the commission of the infraction, which cannot be attributed to the absorbing entity." The merger by absorption process, in which GEOPOST ESPAÑA, S.L. (absorbing company) has merged with SEUR, S.A. (absorbed company), producing the extinction of the latter, allows the application of this circumstance as a factor mitigating the responsibility of the absorbing entity.
Considering the factors set out, the assessment reached for the amount of the fine is €15,000.00 (fifteen thousand euros) for violation of article 32 of the GDPR, regarding the lack of diligence when implementing appropriate security measures.
Therefore, in accordance with the applicable legislation and having evaluated the criteria for graduating the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE on GEOPOST ESPAÑA, S.L., with NIF B85645349:
- For a violation of article 5.1.f) of the GDPR, classified in accordance with the provisions of article 83.5 of the GDPR, an administrative fine of 40,000.00 euros.
- For a violation of article 32 of the GDPR, classified in accordance with the provisions of article 83.4 of the GDPR, an administrative fine of 15,000.00 euros.
SECOND: NOTIFY this resolution to GEOPOST ESPAÑA, S.L.
THIRD: This resolution will be enforceable once the deadline to file the optional appeal for reconsideration (one month counting from the day following the notification of this resolution) has expired without the interested party having made use of this power. The sanctioned party is warned that it must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account IBAN number: ES00-0000-0000-0000-0000-0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.
Once the notification is received and the resolution is enforceable, if the enforceable date is between the 1st and 15th of the month, both inclusive, the deadline to make the voluntary payment will be the 20th of the following month or the immediately following business day, and if it is between the 16th and the last day of the month, both inclusive, the payment deadline will be the 5th of the second following month or the immediately following business day.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month counting from the day following the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.
Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution in administrative proceedings may be provisionally suspended if the interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. The interested party must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not made aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it will terminate the precautionary suspension.
938-16012024
Mar España Martí
Director of the Spanish Data Protection Agency