AEPD (Spain) - EXP202318430
| AEPD - EXP202318430 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR; Article 32 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 28.09.2022 |
| Decided: | 12.01.2025 |
| Published: | 14.01.2025 |
| Fine: | 200,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | EXP202318430 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | ao |
The DPA fined a postal service provider €200,000 for failing to implement measures that would have prevented thousands of letters from being abandoned in a field.
English Summary
Facts
On 28 September 2022, the local police force of the city of La Palma submitted a report to the Spanish DPA (AEPD). The police had discovered 1,404 letters on an abandoned plot of land. The letters should have been delivered by Correo Inteligente Postal, the controller in this case. The letters had been sent between February and May 2022.
On 17 November 2022, the AEPD received another report, this time from the police force of the Balearic Islands, showing that 5,354 letters had been left at two different locations in the city of La Palma. The police had been informed by a citizen who had emailed the city stating that they had found letters in the city’s river. The documentation provided by the police showed that most of the letters were closed and some had been tampered with.
After the AEPD alerted the controller to the reports, the controller stated that it had identified the responsible employees and had initiated disciplinary proceedings. Further, the controller stated that the letters found had not been opened and that the leaked data was therefore limited to the names and addresses on the envelopes. It therefore concluded that there had been no risk to the rights and freedoms of the data subjects.
The AEPD initiated an ex officio investigation on 28 December 2022, assessing the measures implemented by the controller to track shipments and the training provided to employees.
Holding
The AEPD found that the controller had violated Article 5(1)(f) GDPR and Article 32 GDPR.
The AEPD highlighted that the controller could only show that its employees had signed a confidentiality agreement, and that there were no other organizational measures in place which would have prevented this data breach. In addition, the AEPD criticized that, apart from a one-hour training session at the beginning of the employment relationship, employees were not adequately informed about complying with the GDPR in their delivery functions.
As there was no system in place to check whether letters had actually reached the intended address, the AEPD found that the controller’s role as a postal service provider was an aggravating factor in this case, since that role requires the controller to have such a system in place.
Therefore, the AEPD imposed a €120,000 fine for the infringement of Article 5(1)(f) GDPR and a fine of €80,000 for the infringement of Article 32 GDPR. Additionally, the AEPD ordered the controller to implement a tracking system and to implement training for employees on GDPR-compliant delivery of letters.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/38 File No.: EXP202318430

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On September 28, 2022, the Spanish Data Protection Agency received Report No. ***REPORT.1 from the LOCAL POLICE OF THE CITY COUNCIL OF LA PALMA (hereinafter, the LOCAL POLICE). The LOCAL POLICE provides a report dated September 22, 2022, prepared by Local Police officers, which reveals the discovery, in a lot, of abandoned correspondence containing personal data, up to a total of 1,404 letters, bearing the logo of the company HISPAPOST S.A (hereinafter HISPAPOST). The agents contacted that entity, which recognized that the correspondence found should have been distributed by employees of CORREO INTELIGENTE POSTAL SL (hereinafter CI POSTAL), without understanding why that distribution was not carried out and the correspondence was abandoned. The letters belonged to several sending companies, among others La Caixa, BBVA, Energía XXI and Endesa.

On September 13, 2022, a representative of the company CI POSTAL (A.A.A.) went to the LOCAL POLICE offices and, when the letters found were shown to him, recognized the logo of his company, stating in his statement that he did not know why the correspondence had not been delivered; the letters belonged to the months between February and May 2022. This person claims that this correspondence should have been distributed among four workers, two of whom were no longer working and two of whom were still working and had distributed their relevant part, and that, since it was ordinary correspondence, it is impossible to find out which of the four delivery people stopped doing their job. On September 22, 2022, this same person representing CI POSTAL went to the police station after being summoned again by the police.
At this time, the correspondence was delivered to him: a total of 1,404 letters from the sending companies with the following distribution: La Caixa (596 letters), BBVA (57 letters), Naturgy (33 letters), Energia XXI (295 letters), Imagin (59 letters), Endesa (307 letters), MasMovil (1 letter), Telefax (3 letters), Totem (3 letters), Laboral Kutxa (1 letter), PSA (1 letter), Yoigo (1 letter), Orange (6 letters), Pra Group (1 letter), Jazztel (2 letters).

Certificate of HISPAPOST, September 13, 2022

| AFFECTED COMPANY | LETTERS FOUND |
|---|---|
| LA CAIXA | 596 |
| BBVA | 57 |
| NATURGY | 33 |
| ENERGÍA XXI | 295 |
| IMAGIN | 59 |
| ENDESA | 307 |
| MASMOVIL | 1 |
| TELEFAX | 3 |
| LABORAL KUTXA | 1 |
| PSA FINANCIAL | 1 |
| YOIGO | 1 |
| ORANGE | 6 |
| PRA GROUP | 1 |
| JAZZTEL | 2 |

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/38

On November 17, 2022, the Spanish Data Protection Agency received a new complaint from the Government Delegation in the Balearic Islands, forwarding a letter sent by the Superior Police Headquarters of the Balearic Islands in relation to the location of a total of 5354 abandoned letters in two different locations in La Palma, whose management was the responsibility of the HISPAPOST company, which managed the distribution through its distributor in La Palma, CI POSTAL.

- Attached is a report from the Local Police intervention dated October 17, 2022, which states: "Commissioners (...), two journalists locate on the Son Hugo road at the height of the Soller train tracks numerous letters from banking entities, mobile phone companies, etc., the vast majority of which were closed and a few manipulated."
- Also attached is the report prepared by the Police and addressed to the Court of Instruction, which states that HISPAPOST was contacted and claimed to be the company responsible for the shipments, but that it was CI POSTAL that managed the final distribution of the postal mail in La Palma.
It includes screenshots of emails exchanged between the Police and the company HISPAPOST itself, from whose analysis the following is extracted:

- On October 19, 2022, the National Police group asked HISPAPOST about the delivery company, and the number of letters located and the names of the companies to which they belong were transferred.
- Screenshot of the response email from HISPAPOST to the previous email, dated October 21, 2022, stating that the shipment was by HISPAPOST through its distributor in La Palma (CI POSTAL).
- That it has not been possible to discern the identity of the author or authors of the abandonment of the correspondence, and that the letters were delivered to an authorized representative of the company HISPAPOST.

This is a total count of 5354 letters with the following distribution of affected companies and letters located:

Brought to the attention of HISPAPOST on 19 October 2022

| COMPANY | LETTERS |
|---|---|
| ENERGY XXI | 1420 |
| ENDESA | 1485 |
| NATURGY | 170 |
| GAES | 1470 |
| VODAFONE | 16 |
| JAZZTEL | 51 |
| YOIGO | 5 |
| ORANGE | 21 |
| MASMOVIL | 17 |
| BANCO SABADELL | 240 |
| CAIXABANK | 40 |
| BBVA | 197 |
| LEXER | 1 |
| EQUIFAX | 42 |
| TELEFAX | 4 |
| PSA FINANC. | 5 |
| INVEST CAPITAL | 4 |
| TR3A | 8 |
| ZOLVA | 29 |
| AYTO MADRID (AGENCIA TAX) | 1 |
| AYTO SEVILLA (AGENCIA TAX) | 5 |
| MC ABOGADOS | 3 |
| ASISA | 2 |

Attached is a new official report sent to the Court of Instruction on October 16, 2022, reporting a new intervention carried out by the Police in which about 3,000 usable, unopened letters were seized; they were collected and stored in plastic bags, leaving others on site that were partially burned or mixed with the garbage. No details are provided about the companies to which these letters belong, since they were made available to the Court.

In relation to this incident, the following security breaches were reported to this Agency by various data controllers affected by the postal abandonments:

1. The controller BANCO SABADELL SA notified the breach on October 20, 2022.
2. The controller PSA FINANCIAL SERVICES notified the breach on October 21, 2022 and November 16, 2022.
3. The controller ASNEF-EQUIFAX SERVICIOS INFORMACIÓN notified the breach on October 21, 2022 and November 15, 2022.
4. The controller INTRUM SERVICING SPAIN notified the breach on October 24, 2022 and November 21, 2022.
5. The controller VODAFONE ESPAÑA notified the breach on October 27, 2022 and November 25, 2022.
6. The controller PRA IBERIA SL notified the breach on November 1, 2022.
7. The controller CABOT FINANCIAL SPAIN SA notified the breach on November 3, 2022 and December 1, 2022.
8. The controller INVESTCAPITAL LTD notified the breach on November 18, 2022.
9. The controller EOS SPAIN SL notified the breach on November 17, 2022 and December 7, 2022.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD), this claim was forwarded to CI POSTAL so that it could analyze it and inform this Agency, within a period of one month, of the actions taken to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on November 16, 2022, as stated in the certificate in the file.

On December 5, 2022, this Agency received a written response to the previous transfer, submitted by the company QUICK LOPD SL as Data Protection Officer of CI POSTAL.
From the analysis of the response, the following statements are extracted:

- “At CIPOSTAL we became aware of this incident on September 9, 2022, when the company HISPAPOST, for whom we provide the postal mail service in Palma de Mallorca, informed us that the local police had contacted them to inform them that 2 garbage bags of correspondence with their logo had been collected.”
- “In relation to the postal code of the documents found, and the dates of them, CIPOSTAL has identified the 2 people in charge of this distribution and disciplinary measures were taken; they are not currently working for the company.”
- “After receiving the notice, the person in charge of CIPOSTAL in Palma de Mallorca appeared at the local police station; we verified that there were 2 bags with unopened correspondence and, after the local police had counted the letters, they gave us a copy of the complaint together with the 1,404 ordinary letters collected, all from the postal code (...), from various clients and dated May 2022.”
- “The rest of the staff is immediately informed, as well as the central office, so that details can be given to the COMPLIANCE department, with the aim that, in addition to the training sessions already offered previously, new training is carried out to serve as reinforcement for the prevention of similar events. The Data Protection Officer is informed to carry out an initial assessment of the facts and to analyse whether the rights and freedoms of the interested parties have been violated.”
- “This is a premeditated security incident by internal personnel of the organisation that has posed a risk to the availability and confidentiality of the correspondence that it was supposed to guard and distribute, in breach of internal regulations and the duty of custody of postal legislation.
1,404 sealed letters have been recovered from a population census of the city of Palma de Mallorca of 500,000 people, in which 2,470,632 letters were distributed during the period from January to October 2022. We consider that the percentage of correspondence exposed to third parties without consent, despite being a worrying fact, has been residual given the amount of correspondence distributed during the period January - October 2022. The data that was exposed to third parties is basic identification data (name and surname) together with contact information such as the postal address, as it is postal correspondence recovered without evidence of manipulation. In contrast with the police, no manipulated letter or empty envelope has been found that suggests that other types of information have been accessed."

- "After an evaluation carried out by CIPOSTAL on the incident, it was considered that no damage could be caused to the rights and freedoms of the natural persons whose data were exposed, as it was not considered that there could be a high or very high risk for the rights and freedoms of the affected subjects. There is NO evidence that any of the identified damages have materialized, to the degree indicated in the previous question. Therefore, it is considered UNLIKELY that the above damage will materialize on the affected persons with the indicated severity”.
- In relation to the actions and reactive measures adopted by this company, it is stated: “Firstly, the workers involved in the incident were dismissed and a meeting was held with the rest of the staff to remind them of their obligations regarding the custody of correspondence and the consequences of non-compliance. In addition to the training sessions already offered previously, new training has been carried out to serve as reinforcement for the prevention of similar events.
Reminder to all sorting and delivery personnel, through individualized meetings and writings, of the legal repercussions that the retention, storage, concealment, opening or destruction of any postal item entails. Monitoring of the delivery people and what they work on, asking the streets where they were delivering, which we confirmed against the delivery we had prepared for them. We have held meetings and discussions with the HISPAPOST Data Protection Officer so that he can inform the ultimate data controllers, who are the clients issuing the recovered correspondence.”

- In relation to the preventive measures implemented, it states: “As we are considered a postal delivery company, the measures aimed at avoiding the risks arising from the abandonment or non-delivery of correspondence are focused on the training and commitment of the workforce beyond the implementation of technological solutions.” “In the process of incorporating workers, they are provided with a welcome pack with a compendium of mandatory rules and protocols.” To support this statement, the following documents are provided:
  - A Code of Ethics and Conduct, with an implementation date of 16 April 2018.
  - Corporate policies with obligations and prohibited conduct, with an implementation date of 16 April 2018.
  - Description of the reporting channel, with an implementation date of 16 April 2018.
  - Disciplinary and sanctioning regime, with an implementation date of 16 April 2018.
  - Protocol for action for delivery drivers, with an implementation date of 20 October 2020.

The employee is asked to sign the confidentiality agreement. To prove it, a template or model of this commitment is attached; however, no signed documents are provided.
A document is attached with an informative communication from the general director dated November 19, 2021, conveying information about the responsibility for not delivering notifications or letters and/or misusing them; however, the provision of this communication to employees is not accredited.

- The Registry of Treatment Activities (RAT) is provided, with the activity "Parcel delivery and postal service" containing the following information: data controller, origin of the data, affected interested parties, categories of personal data, transfers, data processors, legitimacy, deletion deadlines, international transfers.
- In relation to the notification of the incident, it is stated: "It was considered not to notify those affected due to the small volume of letters recovered (less than 0.5%) compared to the total distributed, and because they had been recovered without symptoms of improper handling. From the moment the incident became known, as sub-processors, we were informed and collaborated at all times with the data processor (HISPAPOST) so that it could report to the different data controllers, so that they could assess the notification of the security breach. It was considered that no damage could be caused to the rights and freedoms of the natural persons whose data were exposed, which is why the security breach was not communicated to those affected in accordance with art. 34 of the GDPR, as it was not appreciated that there could be a high or very high risk for the rights and freedoms of the affected subjects. However, it is a decision that we understood the Data Controller should take, as we are talking about postal delivery that involves non-automated handling."
- Regarding the measures to ensure that the incident does not happen again, it is stated: "We are studying and assessing whether there is any type of technological solution that allows us to have proof that the mail has been deposited in a mailbox.
The training and awareness plan for the work team has been strengthened to prevent future incidents."

THIRD: As a result of the transfer by the LOCAL POLICE of the complaint of the discovery in a vacant lot of a large amount of abandoned correspondence, as well as the discovery in a vacant lot of numerous undelivered letters addressed to individuals, which apparently had been abandoned for several months, and given the media impact, the Director of the Spanish Data Protection Agency, by Internal Note dated December 28, 2022, urged the General Subdirectorate of Data Inspection to initiate ex officio preliminary investigation actions aimed at proving these facts and their authorship.

The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, in accordance with the functions assigned to the control authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section two, of the LOPDGDD, having knowledge of the following:

In relation to the security breaches notified to this Agency, it is noted:

From the breach notified by the responsible party BANCO SABADELL SA the following is extracted:

- The complaint filed by HISPAPOST with the National Police on October 14, 2022 is attached.
- Description of the incident: “Banco de Sabadell, through communication made by its postal service provider (HISPAPOST) on October 18, 2022, becomes aware of the existence of several postal shipments to its customers in Palma de Mallorca found at different points in the municipality, thrown away by personnel from the company in charge of distribution (CI POSTAL).
Once the documentation was recovered, in different states of deterioration, by the FFCCEE, it was reviewed by Hispapost, which informs us that 252 shipments from Banco Sabadell to its customers were affected. These shipments, pending verification, could include account transactions, information on balances, marketing or any other type of personal and financial information. The events have been reported.”
- Volume of affected: 252.
- Detection date: October 18, 2022.

From the breach notified by the responsible party PSA FINANCIAL SERVICES on October 21, 2022, the following can be extracted:

- Description of the incident: “Our data processor, Servinform Sa, became aware through the postal company Hispapost, on 10/10, through a video published on social networks, that the correspondence sent by another subcontractor was abandoned on the public highway by its staff in the city of Palma de Mallorca. Based on the type of letters sent, it is identified that approximately 90% correspond to notifications linked to the processes of recovery of unpaid debts”.
- Detection date: October 20, 2022.
- Volume of affected: 44. The affected persons will not be notified.
- Attached is a security incident report dated November 14, 2022, from which the following statements are obtained: “PSA Finance contracts the services of sending correspondence to SERVINFORM, S.A., which acts as data processor. Servinform subcontracts the services to HISPAPOST, S.A., which in turn subcontracts the activity for the Palma de Mallorca region to CI POSTAL, S.L., with these two entities acting as subprocessors of PSA Finance”. On October 18, HISPAPOST received information about the postal shipments that were recovered by the Police, confirming the existence of 5 letters corresponding to PSA FINANCE. The following day, October 19, 2022, SERVINFORM reported the security incident to PSA FINANCE.
That 44 shipments have potentially been affected, and it is estimated that approximately 90% of them correspond to notifications linked to the processes of recovery of unpaid debts.

From the breaches notified by the responsible party ASNEF-EQUIFAX on October 21, 2022 and November 15, 2022, the following can be extracted:

- Description of the incident: “ASNEF-EQUIFAX, as the controller of the ASNEF Bureau, sends communications to consumers whose data have been included in said file. On 20/10/2022 HISPAPOST notifies that an employee of the company in charge of the distribution of notifications (CI POSTAL, S.L. in Palma de Mallorca) has left abandoned, in various locations in Palma de Mallorca, communications that he was entrusted to deliver. The supplier initially tells us that the number of affected letters is 187, although after the analyses carried out, the notifications total 47 notification letters of inclusion and 1 payment request. The exercise that Equifax has carried out has been (with regard to the treatment for which it is responsible): 1) cancel the operations of the abandoned notifications that were recovered; 2) as a precautionary measure, all operations whose inclusion notifications could have been potentially compromised have been cancelled (from 1/1/22 to 20/10/22 in CPs (...), (…) and (…)); and 3) the registration of these operations has been blocked for 45 days in the ASNEF file”.
- Volume of affected people: 47.
- Date of breach detection: October 20, 2022.

From the breaches notified by the responsible party INTRUM on October 24, 2022 and November 21, 2022, the following can be extracted:

- Description: “INTRUM SERVICING SPAIN has contracted with EQUIFAX a notification sending service, which in turn has Hispapost as a subcontractor. On 10/21 at 6pm we were informed of an incident that has caused some of the notifications of Preliminary Requirements and inclusion in the bureau not to be carried out.
As measures taken so far by Hispapost, work has been stopped with the company in charge of distributing communications in P. de Mallorca and the appropriate legal actions have been taken. The actions that are being carried out by Equifax, and about which we will provide information as they are carried out, are the following: i) determine the number of Intrum mailings, and the details of them, that have been sent to the postal codes involved in the indicated months; ii) determine the recipients of the communications that have been included in the ASNEF file; iii) proceed to the deletion of said data in the ASNEF file, if applicable, and the possible blocking of new registration in ASNEF; iv) determine the claims that the recipients of the communications involved may have made about the ASNEF file.”
- Volume of affected: 1.
- Date of breach detection: October 21, 2022.

From the breaches notified by the responsible party VODAFONE on October 27, 2022 and November 25, 2022, the following is extracted:

- Description: “Postal shipments (correspondence) from several clients have been found abandoned in different areas around the city of Palma de Mallorca. Postal distribution in this area was carried out by CI POSTAL, S.L., acting as subcontractor of Hispapost S.A., an entity subcontracted by Equifax Ibérica, S.L, which in turn provides debt collection services to Vodafone as data processor. The affected letters contain information about non-payments by the recipient to Vodafone, including the amount owed. Vodafone was notified by Equifax on October 24, 2022, via email. Vodafone has reviewed the incident and, after an analysis by the provider, it has been concluded that the number of customers who have potentially been affected is 361.”
- Detection date: October 24, 2022.
From the breach notified by the responsible party PRA IBERIA SL on November 1, 2022, the following is extracted:

- Description of the incident: “We received communication on October 21, 2022 from Equifax Ibérica, S.L.U. (Equifax) informing us of an incident with the correspondence regarding the notification letters of inclusion in the Asnef file. After reviewing the files of communication to Asnef, we verified that we do not have any registration record, and this incident cannot affect our clients in relation to the communication to the Asnef file. We subsequently asked Equifax if the service for sending correspondence to PRA Iberia, S.L.U. (PRA) clients had also been affected. On October 28, 2022, we received official confirmation from Equifax of the abandonment of correspondence by an employee of a postal operator subcontracted by Equifax (CI POSTAL, S.L. -CI POSTAL-, through Hispapost, distribution in Palma de Mallorca), which affects the correspondence sent by PRA for the postal codes (...), (…) and (…) from January 1, 2022 to October 10, 2022.”
- They state that the date of detection is: October 28, 2022.
- The existence of 1,023 potential affected parties is stated.

From the breaches notified by the responsible party CABOT FINANCIAL on November 3, 2022 and December 1, 2022, the following can be extracted:

- They state that the date of detection is: November 1, 2022.
- Volume of affected parties: 326.
- They provide a report with the analysis and assessment of the breach, from which the following statements are extracted: “This has been a security breach that has compromised the confidentiality of the data, insofar as third parties could have accessed the information contained in the communication of inclusion in the ASNEF file, as well as the availability, insofar as there would be an undetermined number of lost communications that, as of the date of this Closing Report, has not yet been determined.” “EQUIFAX confirms the number of 326 affected letters addressed to debtors”. “Following the criteria of the AEPD, it has been considered that there is a LOW probability that the risks will materialize and that, in any case, the severity of the breach is HIGH”.

From the breach notified by the responsible party EOS SPAIN SL on November 17 and December 7, 2022, the following can be extracted:

- Detection date: November 15, 2022.
- They provide a report of the incident from which the following statements are extracted: “Equifax has received 84 physical letters from Hispapost that have been recovered directly from the places where they were abandoned. The Police also has physical letters that are still being held by the authorities today, as they constitute evidence in the investigation initiated by the Investigative Court competent to process the corresponding criminal proceedings. Equifax is unaware of the content of this correspondence in the possession of the Police.” “The affected notifications include both the inclusion notifications made by ASNEF-EQUIFAX to inform debtors of their inclusion in the ASNEF file, as well as notifications of prior payment requests from clients.”
- Potential volume affected: 1067.
Investigation directed at CI POSTAL SL:

On March 29, 2023, a request for information was made to CI POSTAL, the entity in charge of the final distribution of the correspondence and responsible for the abandonment. The request was marked by the following line of investigation:

- Obtain a copy of the breach report.
- Investigate the technical and organizational measures implemented in the organization to guarantee the confidentiality of affected workers and the security of the treatments in the shipments, specifically for the four workers who may be responsible for the abandonments.
- Investigate the security measures implemented to guarantee the security of the treatments carried out in postal shipments.
- Investigate the contracts of assignment or subcontracting of the affected treatments.

This request expired on April 9, 2023 without its content having been accessed, and a second reiteration was subsequently carried out by mail on June 5, 2023, with the date of acknowledgment of receipt being recorded as June 5, 2023 after access to the Single Authorized Electronic Address; however, there was no response. On August 23, 2023, it was decided to make a final attempt, requesting that this entity accredit the preventive measures that existed to guarantee the confidentiality of employees, the traceability and tracking of shipments, as well as the training and awareness-raising activities carried out prior to the breach. CI POSTAL responded to this last request on August 31, 2023. From the analysis of its response, the following relevant information is extracted:

- They provide a document accrediting the confidentiality commitments signed by the two workers whom CI POSTAL considered to be responsible for abandoning the correspondence in public places and against whom disciplinary measures of dismissal were taken.
- Regarding the accreditation of the training actions, they state verbatim: "Having carried out basic 1-hour online information and awareness training to explain the basic concepts of data protection, no training certificates were issued. A 40-hour training for postal delivery personnel with high turnover is not a system adapted to the company's needs, which is why one-hour information sessions are carried out. However, after the incident in 2022, a privacy training manual has been incorporated into the Welcome Pack that includes basic concepts for their functions, taking into account that in 99% of cases, delivery personnel are processing data for consultation, without the ability to register, modify and delete data." A document with the basic training manual on data protection is attached, but the training session mentioned is not accredited.
- Regarding the accreditation of the measures adopted to guarantee the traceability and tracking of shipments, they state: “In ordinary postal delivery, due to the security incident due to the abandonment of correspondence, implementing traceability and tracking measures for delivery involves a very high level of difficulty. To date, no technological solution has been found that allows us to have proof that ordinary mail has been deposited in the mailbox. It is worth remembering that CIPOSTAL receives from its clients large volumes of correspondence to deliver, without any data breakdown. We are only given batches of correspondence where the only data available is the number of letters to be delivered. Creating delivery teams of two people to be able to control whether delivery is carried out or not is an unfeasible solution due to costs.”

Investigation directed at the data processor HISPAPOST SA:

On March 30, 2023, a request for information was made to HISPAPOST, marked by the following line of investigation:

- Investigate the incident log and the log of treatment activities affected by the breach.
- Obtain information on the notification of the breach to this Agency and the communication to those affected.
- Investigate the notifications of the breach to the affected companies with which a contract was signed.
- Investigate the existence of contractual agreements with the affected companies.
- Investigate the contractual agreement with the sub-processor CI POSTAL SL.
- Investigate the possible risk analysis and the accreditation of the preventive measures implemented.
On April 24, 2023, a response to the previous request was received, from whose analysis the following relevant information is extracted:
- The documented record of the security breach is attached, from which the following statements are obtained: A total of 7,924 postal items are claimed to have been recovered. The content of the letters is not considered to have been exposed in any case, so the affected data were "name and surname of the recipient and postal delivery address". They claim that the letters were found in remote, abandoned places, so exposure to a large number of people is ruled out. They claim that the letters are ordinary (non-certified) mailings, so that there are no major consequences for the data subjects arising from the non-receipt of the letter, and that each of their clients (who mostly acted as data controllers) was notified to assess this impact. It was considered that "no damage could be caused to the rights and freedoms of those affected." They provide the following chronology of events (which only refers to the letters found in October, with no reference in this chronology to the batch of letters located by the Local Police in September 2022): On October 10 at 5:20 p.m. they receive information about a video posted on the Internet. The correspondence is recovered by HISPAPOST personnel. On October 13, 2022, new mailings are located following an alert from a citizen.
On October 14, the incident is reported to the DPO and a complaint is filed with the National Police. On October 17, 2022, the correspondence found arrives at the HISPAPOST facilities in Madrid for the analysis and quantification of affected customers. On the same October 17, 2022, new findings are made by the police and the media. On October 19, detailed information is received on the shipments recovered by the police, and the letters are returned to the customers or discarded according to their instructions. From October 14 to 21, the incident is notified to the affected customers. It is stated that "the shipments made to the city of Palma de Mallorca do not allow the traceability control that HISPAPOST applies to its ordinary shipments, since there is a logistical difficulty due to transport." They provide a list of the reactive measures adopted by the company:
  - Closing distribution in Palma de Mallorca.
  - Increasing inspections in the distribution network.
  - Personal reminder about responsibilities in deliveries.
  - Avoiding working in postal codes where there are no shipments with traceability, in order to be able to evaluate their status on a daily basis (considering having a minimum number of shipments with traceability).
  - Deployment of internal panelists to follow up on correspondence.
  - Reinforcement of employee training and awareness.
- Attached is the complaint filed by HISPAPOST on October 14, 2022.
From the analysis of this complaint the following relevant statements are extracted. It states: "on October 10, 2022, HISPAPOST received a message from CI POSTAL in which they sent them a video taken from Telegram in which a man can be seen commenting and filming thousands of letters scattered in a scrapyard sent from HISPAPOST and which contain personal data of clients (Naturgy and Endesa among others)… that said letters were collected by the distributor in Mallorca on October 11, 2022 and were sent back on October 13, 2022 to the reporting company." "That on October 13, 2022, a message was received from the company CaixaBank communicating that who turns out to be B.B.B. has found approximately 4,000 letters addressed to Caixabank in perfect condition, which were thrown by an unknown individual from a vehicle at 7:00 p.m. on October 10, 2022".
- The Register of Processing Activities (RAT) of HISPAPOST as data processor, updated to December 14, 2022, is provided. From the analysis of this RAT, it is concluded that HISPAPOST carried out processing on behalf of the following data controllers:
  - AMPLIFÓN IBÉRICA SAU (data controller): Description of processing: Postal distribution service. Authorization for subcontracting: YES.
  - BANCO SABADELL SA (data controller): Description of processing: Provision of postal services. Authorization for subcontracting: YES.
  - BBVA SA (client acting as data controller): Description of processing: Post, Telegram and Burofax, Mail, National and International Courier. Authorization for subcontracting: YES.
  - CAIXABANK FACILITIES MANAGEMENT SA (client acting as data controller): Description of processing: Collection and home delivery of CaixaBank correspondence. Authorization for subcontracting: YES.
  - EQUIFAX IBERICA SL (B80855398): It is stated that this client acts as the data controller of the personal data processed. Description of processing: Postal services. Authorization for subcontracting: YES.
  - ENDESA SA (client acting as data controller): Description of processing: postal services. Authorization for subcontracting: YES.
  - NATURGY CLIENTES SA (client acting as data controller): Description of processing: postal services. Authorization for subcontracting: YES.
  - SERVINFORM SA: It is stated that this client acts as data processor of the personal data. Description of processing: postal distribution for PSA FINANCIAL SERVICES SPAIN, E.F.C., S.A (which acts as data controller). Authorization for subcontracting: YES.
  - CITY COUNCIL OF MADRID (General Directorate of Contracting and Services): The client is the data controller. Description of processing: Postal distribution for the City Council of Madrid and its Autonomous Organizations. Data: identification data (name, surname and postal address), corresponding to the processing activity "Executive Collection". Authorization for subcontracting: YES.
  - GRUPO MEDINA CUADROS (MC ABOGADOS SL + TELEFAX): The client is the data controller. Description of processing: postal services. Authorization for subcontracting: YES.
  - CITY COUNCIL OF SEVILLE (Seville Tax Agency): Description of processing: postal services. Authorization for subcontracting: YES.
  - SPANISH ASSOCIATION AGAINST CANCER (data controller): Description of processing: postal services. Authorization for subcontracting: YES. Retention period: 3 months.
- In relation to the notification of the breach, it states: "Hispapost, as the processor of the data involved in the incident, informed its clients (Data Controllers) about the incident that occurred so that they could carry out an assessment of the incident and whether it could be considered a security breach, and, if applicable, make the appropriate communication of the security breach to the Data Protection Agency".
- A document is attached containing a report written by the DPO of HISPAPOST, the company Ascendia Reingeniería Y Consulting, S.L., signed on April 21, 2023 and containing the assessment of the breach.
- In relation to the notification of the breach to all affected companies that acted as controllers of the affected personal data (HISPAPOST clients), the following are documented:
  - Notification made to the controller ASOCIACIÓN ESPAÑOLA CONTRA EL CÁNCER (AECC), providing a capture of the email sent on October 20, 2022.
  - Notification made to the SEVILLE TAX AGENCY, providing a capture of the email sent on October 20, 2022.
  - Notification made to ASISA, providing a capture of the email sent on October 19, 2022. This notification was first made to the client SERVINFORM on October 19, 2022; this client acts as data processor for the controller ASISA, and it is proven that on the same day, October 19, 2022, it forwarded the notification with the incident report to this controller.
  - Notification sent to BBVA, providing a capture of the email sent on October 20, 2022.
  - Notification sent to CAIXABANK, providing a capture of the email sent on October 19, 2022.
The information provided in relation to this notification included the following statements relevant to the investigation: "10/13/2022 we received a communication from CaixaBank, notifying that a person showed up at the CaixaBank office (…), indicating that they had seen a person throw away correspondence at a location in the municipality. CaixaBank staff removed the shipments. On 10/14/2022 we went to the Caixa Territorial Directorate in Palma de Mallorca, we obtained the phone number of the person who initially informed Caixabank of the location of the discovery of documents, we located the point where the correspondence appeared and we collected the rest of the shipments from other non-Caixabank clients". "10/17/2022 The recovered correspondence (not in good condition) arrives at the Hispapost Madrid facilities for the analysis and quantification of clients and number of affected shipments. In this analysis, 92 Caixabank communications are identified as being in poor condition". "10/19/2022 we have received information about shipments recovered by the Police in these days. Shipments corresponding to Caixabank are 40, which, as soon as they are sent to us by the authorities, we will send to your facilities".
  - Notification sent to ENDESA, providing a capture of emails sent on October 13, 2022 and October 20, 2022.
  - Notification sent to EQUIFAX, providing a capture of an email sent on October 20, 2022. Attached to this email was a report of the incident, which is also provided; from its analysis the following relevant statement is obtained: "There were 92 recovered shipments: 46 letters from Equifax, 2 letters from Sabadell, 22 letters from Intrum, 1 letter from PraGroup, 1 letter from Link Finanzas, 3 letters from BBVA, 1 letter from TEAM4, 2 letters from Procobro, 6 letters from Vodafone".
  - Notification made to GAES (previously called AMPLIFON IBÉRICA SAU), providing a screenshot of the email sent on October 18, 2022.
  - Notification made to GRUPO MASMOVIL, providing a screenshot of the email sent on October 20, 2022.
  - Notification made to NATURGY, providing a screenshot of the email sent on October 13, 2022 with a general statement about the incident.
  - Notification made to GRUPO ORANGE, providing a capture of the email sent on October 20, 2022.
  - Notification made to PSA FINANCIAL, providing a capture of the email sent from the address ***EMAIL.1 on October 20, 2022. According to the RAT, HISPAPOST acts as the data processor of SERVINFORM, and at the same time as the data processor for the postal distribution of the controller PSA FINANCIAL SERVICES.
  - Notification sent to BANCO SABADELL, providing a screenshot of the email sent on October 18, 2022.
  - Notification sent to MC ABOGADOS Y TELEFAX, providing a screenshot of the email sent on October 21, 2022.
  - Notification sent to TR3A, providing a screenshot of the email sent on October 20, 2022 from the address ***EMAIL.2 to the recipient ***EMAIL.3. The inspector confirms that this controller is NOT included in the HISPAPOST RAT as a controller.
- A copy of the data processing contract between HISPAPOST and CI POSTAL is attached. The following relevant information can be extracted from its analysis: The contract was signed on January 10, 2022, and it details the types of data affected by the engagement, the categories of data subjects, the processing operations, international transfers, and the details of both DPOs. It states that HISPAPOST has the status of data processor, that CI POSTAL is the sub-processor, and that HISPAPOST'S CLIENT acts as the data controller of the data affected by the engagement.
The obligations of the CI POSTAL provider as sub-processor are detailed, among which the following stand out:
  - Ensuring that the persons authorized to process the personal data expressly and in writing undertake to respect confidentiality and comply with the corresponding security measures, of which they must be duly informed.
  - Ensuring the necessary training in the protection of personal data of the authorized persons.
  - Pursuant to art. 32 RGPD, CI POSTAL undertakes to adopt the necessary measures to prevent the alteration, loss, processing or unauthorized access to the personal data of HISPAPOST customers, taking into account the state of the technology, the nature of the data and the risks involved, whether they arise from human action or from the physical or natural environment. CI POSTAL declares that it has a Privacy Manual in which the technical and organizational measures to be implemented are determined.
  - CI POSTAL will notify HISPAPOST without undue delay and as quickly as possible, and in any case within 24 hours, by email to protecciondedatos@servinform.es of any security breaches, unless the breach is unlikely to constitute a risk to the rights and freedoms of natural persons. It is HISPAPOST or its client (data controller) who is responsible for notifying the AEPD and the data subjects of any breaches.
  - In accordance with the risk assessment carried out by the HISPAPOST client, and the provisions of art. 28 RGPD, CI POSTAL must implement at least the security measures corresponding to the medium level under the LOPD Development Regulation (RLOPD), RD 1720/2007, unless other measures are specified in substitution.
- Copies of the data processing contracts that existed between HISPAPOST and each of its clients to whom it provided the postal distribution service and who were affected by the breach are provided.
The following are accredited:
  - A copy of the data processing contract with the data controller ASISA, with a signature date of January 1, 2022.
  - A copy of the data processing contract with MADRID CITY COUNCIL, with the tender signature date of January 26, 2021. This contract specifies the authorization to subcontract the service with CI POSTAL.
  - A copy of the contract with the data controller BBVA, with a signature date of April 13, 2021.
  - A copy of the contract with the data controller CAIXABANK, with a signature date of July 19, 2019.
  - A copy of the contract with EQUIFAX IBERICA SL, with a signature date of April 1, 2019.
  - A copy of the contract with AMPLIFON IBERICA SAU, A59198770 (former name of GAES), with a signature date of March 30, 2021. Its clauses authorize HISPAPOST to subcontract services with all members of its delivery network where it does not have its own coverage.
  - A copy of the contract with SERVINFORM, signed on January 15, 2019.
  - A copy of the contract with BANCO SABADELL, with a signature date of February 24, 2022.
  - A copy of the contract with ENDESA, with a signature date of February 1, 2022.
  - A copy of the contract with NATURGY CLIENTES SA, with a signature date of March 31, 2022. The subcontracting of CI POSTAL is expressly authorized in the contract.
- The response to the request also includes a document with the report of the Data Protection Impact Assessment (EIPD) on the postal distribution processing activity.
- A document containing the list of reactive measures implemented by HISPAPOST after the security breach is provided.
On June 20, 2023, a second request for information was sent to HISPAPOST following these lines of investigation:
- That it prove whether there were notifications of the security breach to the controllers (clients) affected by the abandonments that the Local Police located in September 2022, and of which it became aware on September 13, 2022, according to the police report.
- That it clarify some of the measures implemented to guarantee the traceability of the shipments.
- That it prove the reactive measure adopted (…), specifically, the results obtained for the distributor CI POSTAL.
On June 29, 2023, a response to the previous request was received, from whose analysis the following statements are extracted:
- "On September 13, CI Postal personnel went to the police station and identified the letters (1,404 letters from different clients) and on September 22, CI Postal collected the letters from the Palma Local Police station; no letter had been opened or manipulated".
- "After carrying out an evaluation of the factors involved in the incident (during the last week of September and the first week of October, as the information was obtained): the limited number of affected letters, their good condition, without having been opened or manipulated, the possibility of resuming distribution, the location of the discovery in a remote and inaccessible place (which reduces the probability that they were accessible), the type of letters, which were ordinary mail (which rules out content that could generate important consequences for the data subjects), and the intentional cause on the part of CI Postal workers; it was considered unlikely that damage could be caused to the rights and freedoms of the individuals whose data were exposed, as it was not considered that there could be a high or very high risk to the rights and freedoms of those affected, and at that time it was not considered necessary to communicate to the affected customers. Communication to said customers was made days later in the new findings that occurred in the month of October (detected on October 11, 2022)".
- "The sensitive postal codes, or those with a traceability defect, are all those of Palma de Mallorca (the only city in the Balearic Islands to which Hispapost distributed), with the company CI Postal being the sub-processor, and given the impossibility of carrying out a control of the service, since the occurrence of the incident it was decided not to resume the service".
- "Ordinary shipments do not allow any type of direct traceability to be applied, neither by Hispapost nor by any postal operator. The processing of this type of shipment is done manually (on paper) and the only data that Hispapost handles is the volume of customers and letters.
Regarding the traceability control that Hispapost applies to this type of shipment, it is done indirectly through the following channels: indirect control through certified shipments; claims control; periodic inspections".
- Evidence of some periodic inspections carried out in distribution centres is provided, together with the manual used to carry them out.
- In relation to our request for proof of the awareness-raising actions obtained from the sub-processor CI POSTAL, they provide: proof of an informative communication addressed to CI POSTAL workers on November 19, 2021 on the consequences of non-compliance with regulations, the code of ethics and the COMPLIANCE program; and proof of a training session in December 2021 with the following content, without specifying the duration of the training: Code of Ethics, Confidentiality Agreement, Criminal Risks at Work, Disciplinary Regime and Complaints Channel.
FIFTH: According to the report obtained from the AXESOR tool, the entity CI POSTAL is a medium-sized company established in 2010, with a turnover of 6,274,271 euros in 2022.
SIXTH: On December 22, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party for the alleged violation of article 5.1.f) of the GDPR and article 32 of the GDPR, as defined in article 83.5 of the GDPR and article 83.4 of the GDPR, respectively.
SEVENTH: Once the aforementioned initiation agreement had been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) and the period granted for the submission of allegations had elapsed, it was noted that no allegations had been received from the respondent party.
Article 64.2.f) of the LPACAP, a provision of which the respondent party was informed in the agreement to open the procedure, establishes that if no allegations are made within the period provided regarding the content of the initiation agreement, and that agreement contains a precise statement of the imputed liability, it may be considered a resolution proposal. In the present case, the agreement to initiate the sanctioning procedure determined the facts on which the imputation was based, the infringement of the RGPD attributed to the respondent and the sanction that could be imposed. Therefore, taking into account that the respondent party has not made any objections to the agreement to initiate the proceedings, and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement to initiate the proceedings is considered in the present case a resolution proposal.
In view of all the actions taken by the Spanish Data Protection Agency in the present proceedings, the following facts are considered proven:
PROVEN FACTS
FIRST. The entity HISPAPOST is a company dedicated to the provision of postal or postal distribution services, assuming all the tasks that these services entail, from collection to delivery to the recipients of the postal items in question. For this purpose, it has entered into contracts for the provision of postal services with numerous entities, including ASISA, AYUNTAMIENTO DE MADRID, BBVA, CAIXABANK, EQUIFAX IBERICA SL, AMPLIFON IBERICA SAU (GAES), SERVINFORM, BANCO SABADELL, ENDESA and NATURGY CLIENTES SA. From the point of view of personal data protection, in all the contractual relationships mentioned, the entity HISPAPOST acts as data processor, with the client entities of HISPAPOST being the controllers of the personal data processing.
SECOND.
For the development and execution of these postal services, HISPAPOST subcontracts these services, or part of them, to other entities, especially for those places where its delivery network does not have its own coverage. In the relationships of this type that HISPAPOST formalizes, the subcontracted entity acts, from the point of view of personal data protection, as sub-processor.
THIRD. The entity HISPAPOST formalized a contract with the entity CI POSTAL, by virtue of which the latter is obliged to cover the distribution of ordinary mail in the city of Palma de Mallorca. On the occasion of this contract, on 10/01/2022, both entities signed the corresponding data processing contract, which is declared reproduced in this act for evidentiary purposes. In said contract, among other issues, the types of data affected by the engagement, the categories of data subjects and the processing operations are detailed. It also provides that HISPAPOST has the status of data processor, with CI POSTAL being sub-processor and the HISPAPOST client acting as the data controller of the data affected by the engagement. The obligations assumed by CI POSTAL as sub-processor include the following:
- Ensure that the persons authorized to process personal data expressly and in writing undertake to respect confidentiality and comply with the corresponding security measures, of which they must be appropriately informed.
- Ensure the necessary training in the protection of personal data for authorized persons.
- Pursuant to art. 32 GDPR, CI POSTAL undertakes to adopt the necessary measures to prevent the alteration, loss, processing or unauthorized access to the personal data of HISPAPOST customers, taking into account the state of the technology, the nature of the data and the risks involved, whether they arise from human action or from the physical or natural environment. CI POSTAL declares that it has a Privacy Manual that determines the technical and organizational measures to be implemented.
- CI POSTAL will notify HISPAPOST without undue delay and as quickly as possible, and in any case within 24 hours, via email to protecciondedatos@servinform.es of any security breaches, unless the breach is unlikely to constitute a risk to the rights and freedoms of natural persons.
- It is the responsibility of HISPAPOST or its client (data controller) to notify the AEPD and data subjects of any breaches.
- In accordance with the risk assessment carried out by the HISPAPOST client, and the provisions of art. 28 RGPD, CI POSTAL must implement at least the security measures corresponding to the medium level under the LOPD Development Regulation (RLOPD), RD 1720/2007, as long as no other measures are specified in substitution.
FOURTH: The Local Police of the Palma de Mallorca City Council, through a report dated 09/22/2022, informed this AEPD of the discovery in a lot of abandoned correspondence containing personal data, up to a total of 1,404 letters from the sending companies, with the following distribution: La Caixa (596 letters), BBVA (57 letters), Naturgy (33 letters), Energía XXI (295 letters), Imagin (59 letters), Endesa (307 letters), MasMovil (1 letter), Telefax (3 letters), Totem (3 letters), Laboral Kutxa (1 letter), PSA (1 letter), Yoigo (1 letter), Orange (6 letters), Pra Group (1 letter), Jazztel (2 letters). These letters dated from the months between February and May 2022.
According to the report, the documentation was found on a plot of land between the MA-30 and the train tracks, as reflected in ***REPORT.1 dated 07/02/2022. In relation to this discovery of documentation, it is reported that the officers of the aforementioned Local Police contacted HISPAPOST, which acknowledged that the correspondence found should have been distributed by CI POSTAL employees, without knowing the reason why that distribution had not been carried out and the correspondence abandoned. The letters in question were handed over by the Local Police to a representative of CI POSTAL on 09/22/2022. Previously, on 09/13/2022, this same person went to the Local Police offices and, when shown the letters found, recognized the logo of his company.
FIFTH. Through the Delegation of the Government of the Balearic Islands, on 11/17/2022, the AEPD received information prepared by the Superior Headquarters of Police of the Balearic Islands in relation to the location, on 10/16/2022, of a total of 5,354 letters abandoned in two different locations in Palma de Mallorca, the management of which was the responsibility of the company HISPAPOST, which carried out the distribution through its subcontracted distributor CI POSTAL. The details of these letters, by sending entity, are set out in the First Background of this act, which is declared reproduced for evidentiary purposes. The discovery of part of this documentation (approximately 3,000 letters) was reported to the National Police by a citizen, (…), who in turn had received an email from a third person informing him of the existence of these communications in one of the city's streams. According to the report, "the usable, unopened letters were collected... leaving others at the site that were totally or partially burned and others that were mixed with the garbage."
The documentation provided by the Government Delegation includes another part of the intervention of the National Police, dated 10/17/2022, regarding the discovery of numerous letters, the vast majority of which were closed and some of which had been manipulated. They report the statement of a witness, according to which the letters had been at the location for approximately a week.
SIXTH. HISPAPOST, for its part, on 10/14/2022, filed a complaint with the National Police stating that "on October 10, 2022, HISPAPOST received a message from CI POSTAL in which they sent them a video taken from Telegram in which a man can be seen commenting and filming thousands of letters scattered in a scrapyard sent from HISPAPOST and which contain personal data of customers... that said letters were collected by the distributor in Mallorca on October 11, 2022 and were sent back on October 13, 2022 to the aforementioned company." "On October 13, 2022, a message was received from the company CaixaBank communicating that who turns out to be B.B.B. has found approximately 4,000 letters addressed to Caixabank in perfect condition, which were thrown by an unknown individual from a vehicle at 7:00 p.m. on October 10, 2022." Regarding the last incident reported, in an email dated 10/19/2022 sent by HISPAPOST to CAIXABANK, it is stated: "10/13/2022 we received a communication from CaixaBank, notifying that a person showed up at the CaixaBank office (…), indicating that he had seen a person throw correspondence at a location in the municipality. Caixabank staff removed the shipments. On 10/14/2022 we went to the Caixa Territorial Directorate in Palma de Mallorca, we obtained the telephone number of the person who initially informed Caixabank of the location of the discovery of documents, we located the point where the correspondence appeared and we collected the rest of the shipment from other non-Caixabank customers".
SEVENTH.
In relation to the incident described in the Fourth Proven Fact, on 10/18/2022, the CI POSTAL entity prepared an evaluation report in which, among other circumstances, the following is stated: "1. The incident was intentional. 2. The origin of the incident was internal (delivery personnel)… 4. As a consequence of the incident, persons or organizations that are not authorized, or do not have a legitimate purpose to access the data, have been able to access them. 5. Referring specifically to the affected data (names and postal addresses), they are NOT protected, so they are legible to whoever may have had access and the persons can be identified... 10. It is unknown whether there are minors among the affected persons, or vulnerable groups (victims of gender violence or at risk of social exclusion). 11. It is estimated that the number of letters recovered does not exceed 2,000 units."
EIGHTH. The CI POSTAL entity, in its responses to this AEPD, has referred to the preventive measures it had implemented. Among the details provided, the following information is worth highlighting: "As it is considered a postal delivery company, the measures aimed at avoiding the risks arising from the abandonment or non-delivery of correspondence are focused on the training and commitment of the workforce beyond the implementation of technological solutions" (the staff is made to sign a confidentiality agreement), in addition to informative communications about the responsibility of not delivering notifications or letters and/or misusing them (a communication dated 11/19/2021 is provided).
“During the process of incorporating workers, they are provided with a welcome pack with a compendium of mandatory rules and protocols” (Code of Ethics and Conduct, with an implementation date of April 16, 2018; corporate policies with obligations and prohibited conduct, with an implementation date of April 16, 2018; description of the Complaints Channel, with an implementation date of April 16, 2018; Disciplinary and sanctioning regime, with an implementation date of April 16, 2018; and Protocol for action for delivery drivers, with an implementation date of October 20, 2020).

Regarding the accreditation of the measures adopted to guarantee the traceability and tracking of shipments, CI POSTAL reported the following: “In ordinary postal deliveries, the cause of the security incident due to the abandonment of correspondence, implementing traceability and tracking measures for deliveries involves a very high level of difficulty. To date, no technological solution has been found that allows us to have proof that ordinary mail has been deposited in the mailbox. It should be remembered that CIPOSTAL receives large volumes of correspondence from its clients to be distributed, without any breakdown of data. We are only delivered batches of correspondence where the only data available is the number of letters to be distributed. Creating two-person delivery teams to be able to control whether the delivery is carried out or not is an unviable solution due to costs.”

NINTH. In its responses to this AEPD, the CI POSTAL entity has referred to the reactive measures and actions adopted on the occasion of the incidents reported in the previous Proven Facts, in order to avoid them in the future:
- “First, the workers involved in the incident were dismissed and the rest of the staff was called to remind them of their obligations regarding the custody of correspondence and the consequences of non-compliance.
- New training has been carried out to serve as reinforcement for the prevention of similar incidents.
- Reminder to all sorting and delivery staff, through meetings and individualised writings, of the legal repercussions of retaining, storing, hiding, opening or destroying any postal item.
- Monitoring of the delivery people's work, asking the streets where they were delivering and confirming this against the delivery we have prepared for them.”

“We are studying and assessing whether there is any type of technological solution that allows us to have proof that the mail has been deposited in a mailbox. The training and awareness plan for the work team has been strengthened to avoid future incidents.” “…a privacy training manual has been incorporated that includes basic concepts for their functions, taking into account that in 99% of cases, delivery people process data for consultation, without the ability to register, modify, and delete data.”

BASIS OF LAW

I Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II Preliminary questions

Article 4 of the GDPR establishes that: For the purposes of this Regulation, the following definitions shall apply:

1) "personal data": any information relating to an identified or identifiable natural person ("the data subject"); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

Section 2 of the same article defines the concept of “processing” of personal data.
2) “processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, extraction, consultation, use, communication by transmission, dissemination or any other form of access, alignment or combination, restriction, erasure or destruction;

In the present case, and in accordance with the LOCAL POLICE report dated September 22, 2022, the discovery of abandoned correspondence containing personal data (name and surname, and postal address) is revealed, up to a total of 1,404 letters, bearing the logo of the company HISPAPOST. HISPAPOST, when contacted by the LOCAL POLICE agents, acknowledged that the correspondence found should have been distributed by CI POSTAL employees, without understanding why said distribution was not carried out and the correspondence was abandoned. Subsequently, a new complaint was received by the Government Delegation in the Balearic Islands, forwarding a letter from the Police Headquarters of the Balearic Islands regarding the location of a total of 5354 letters abandoned in two different locations in La Palma, whose management was the responsibility of the company HISPAPOST, which handled the distribution through its distributor in La Palma, CI POSTAL SL.

It is, therefore, pertinent to analyze whether the processing of personal data carried out is in accordance with the provisions of the GDPR. Article 4 of the GDPR, points 7 and 8, specifies what is to be understood by the data controller and the data processor.
Thus we have:

“7) “data controller” or “controller” is the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of the processing; if Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for its nomination may be determined by Union or Member State law;

8) “data processor” or “processor” is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller...”

In short, the controller is the natural or legal person or public authority which decides on the processing of personal data, determining the purposes and means of such processing. Under the principle of proactive accountability, the controller must apply technical and organisational measures to comply and be able to demonstrate compliance, taking into account the risk involved in the processing of personal data. The data processor is the natural or legal person, public authority, service or other body that provides a service to the controller which involves the processing of personal data on behalf of the latter. In this sense, the controller is the one who decides the “why” and the “how” regarding personal data, and the processor is the one who carries out the processing on behalf of the controller.

The figure of the data processor in the GDPR is defined in its article 28, where the requirements that must be met with respect to data protection are established:

1. When processing is to be carried out on behalf of a data controller, the latter shall only choose a processor that offers sufficient guarantees to apply appropriate technical and organizational measures, so that the processing is in accordance with the requirements of this Regulation and guarantees the protection of the rights of the data subject.
2. The processor shall not use another processor without the prior written authorization, specific or general, of the controller. In the latter case, the processor shall inform the controller of any planned changes in the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. The processing by the processor shall be governed by a contract or other legal act pursuant to Union or Member State law which binds the processor to the controller and sets out the subject matter, duration, nature and purposes of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Such contract or legal act shall stipulate, in particular, that the processor shall:
(a) process personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement prior to processing, unless such law prohibits processing for important reasons of public interest;
(b) ensure that persons authorised to process personal data have undertaken to respect confidentiality or are subject to a statutory obligation of confidentiality;
(c) take all necessary measures in accordance with Article 32; (…).

4.
Where a processor uses another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations shall be imposed on that other processor, by means of a contract or other legal act drawn up under Union or Member State law, as those laid down in the contract or other legal act between the controller and the processor referred to in paragraph 3, in particular the provision of sufficient guarantees that appropriate technical and organisational measures are in place so that processing is in compliance with this Regulation. If that other processor fails to comply with its data protection obligations, the initial processor shall remain fully liable to the controller for compliance with the obligations of the other processor. (…).

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation when determining the purposes and means of processing, it shall be considered a controller with respect to that processing. (…).

These specific obligations may be monitored by data protection authorities, without prejudice to any audit that may be carried out in relation to compliance with the GDPR or the LOPDGDD by the controller or processor.

From the actions carried out, it has been found that the breach had as its entry vector the negligent action of one or more disloyal employees of the company CI POSTAL, a delivery company that acted as sub-processor of HISPAPOST, which in turn acted as processor for several other companies that were controllers (or processors) of the personal data contained in the abandoned letters. CI POSTAL has processed personal data in a manner incompatible with the scope of the processing as determined by HISPAPOST. Therefore, in accordance with Article 28, paragraph 10, of the GDPR, CI POSTAL, as HISPAPOST's data processor, must in this case be considered the data controller with respect to that processing of personal data.
Within the principles of processing provided for in Article 5 of the GDPR, the integrity and confidentiality of personal data is guaranteed in Section 1.f) of Article 5 of the GDPR. For its part, the security of personal data is regulated in Article 32 of the GDPR, which regulates the security of processing.

III Article 5.1.f) of the GDPR

The facts revealed materialise in several personal data breaches resulting from the abandonment in public spaces, by employees of the CI POSTAL entity, of postal correspondence whose distribution was to be carried out by said entity under the contracts it formalised with HISPAPOST. This enabled unauthorised access by third parties to personal data relating to the recipients of the shipments, specifically their name and full postal address.

Regarding these facts, CI POSTAL acts as the data controller, as set out in the previous legal basis. As such, it is obliged to demonstrate compliance with the GDPR and the LOPDGDD and to apply the technical and organizational measures that guarantee the security of personal data when carrying out the processing, in accordance with the provisions of article 5.1.f) of the GDPR, according to which:

“Article 5 Principles relating to processing: 1.
Personal data shall be: (…) f) processed in such a way that adequate security of personal data is guaranteed, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures («integrity and confidentiality»).”

In relation to this principle, Recital 39 of the aforementioned GDPR states that: “[…]Personal data must be processed in a way that ensures appropriate security and confidentiality of the personal data, including to prevent unauthorized access to or use of such data and the equipment used in the processing.”

The documentation in the file provides sufficient evidence that CI POSTAL violated article 5.1 of the GDPR, principles relating to processing, when a personal data breach occurred whose entry vector was the action of one or more disloyal employees of the company CI POSTAL, which did not properly guarantee the confidentiality and integrity of the data. In this sense, the aforementioned art. 5.1.f) of the GDPR provides that personal data shall be processed in such a way as to ensure their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures. The loss of confidentiality poses a risk that may lead to material or immaterial damages and losses for natural persons (recital 85 of the GDPR).
In this regard, recital 75 of the GDPR states that: “Risks to the rights and freedoms of natural persons, of varying severity and likelihood, may arise from the processing of data that could cause physical, material or immaterial harm and damage, in particular where the processing may give rise to problems of discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data subject to professional secrecy, unauthorised reversal of pseudonymisation or any other significant economic or social harm; where data subjects are deprived of their rights and freedoms or are prevented from exercising control over their personal data; …”

Therefore, unauthorized access to personal data means that these may be used for unknown purposes, even fraudulent ones, leading to a total and absolute loss of control over them.

In this same sense, article 28.2 of the LOPDGDD, with respect to the obligations of the data controller within the framework of articles 24 and 25 of the GDPR to guarantee and certify that the processing is in compliance with the GDPR with respect to various risks, provides that: “2. In order to adopt the measures referred to in the previous section, the controllers and processors shall take into account, in particular, the greater risks that could occur in the following cases: a) When the processing could generate situations of discrimination, identity theft or fraud, financial losses, damage to reputation, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of pseudonymization or any other significant economic, moral or social harm for those affected. …”.
And the Constitutional Court's ruling (STC) 292/2000, in its seventh legal ground (FD), states: “… it appears that the content of the fundamental right to data protection consists in a power of disposition and control over personal data that empowers the person to decide which of these data to provide to a third party, be it the State or an individual, or which this third party may collect, and that also allows the individual to know who possesses these personal data and for what purpose, being able to oppose such possession or use. These powers of disposition and control over personal data, which constitute part of the content of the fundamental right to data protection, are legally specified in the power to consent to the collection, obtaining and access to personal data, its subsequent storage and processing, as well as its possible use or uses, by a third party, be it the State or an individual.”

In the present case, it has been proven that several batches of letters were not delivered to their recipients and were instead thrown away in public spaces, as detailed in the proven facts of this resolution, affecting thousands of shipments. The abandonment in an open field of these letters, which bear personal data (name and surname, and postal address), made possible, in some cases, unauthorized access to them by third parties and, in other cases, their unauthorized destruction or accidental damage, violating the principles of confidentiality and integrity, both established in article 5.1.f) of the GDPR. All of this has been acknowledged by the CI POSTAL entity itself.

For all the above reasons, it is considered that the events that occurred constitute an infringement, attributable to CI POSTAL, for violation of article 5.1.f) of the GDPR.
IV Classification of the infringement of article 5.1.f) of the GDPR

The aforementioned infringement of article 5.1.f) of the GDPR involves the commission of the infringements classified in article 83.5 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions shall be punishable, in accordance with section 2, by administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent pursuant to articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”

For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates: “1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year statute of limitations: a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)”

V Penalty for infringement of article 5.1.f) of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, it is appropriate to grade the penalty to be imposed according to the following criteria established by article 83.2 of the GDPR.
As aggravating factors:

- b) the intentionality or negligence in the infringement. In this same sense, the Supreme Court has held that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. In assessing the degree of diligence, the professionalism or lack thereof of the subject must be especially considered, and there is no doubt that, in the case now examined, where the activity of the appellant involves the constant and abundant handling of personal data, rigour and exquisite care in complying with the legal provisions in this regard must be insisted upon. [Judgment of the National Court of 17/10/2007 (rec. 63/2006)]

It is also considered that the sanction to be imposed should be graded in accordance with the criteria established in section 2 of article 76 “Sanctions and corrective measures” of the LOPDGDD:

As aggravating factors:

- b) The link between the offender's activity and the processing of personal data. CI POSTAL is dedicated to the transport and delivery of all kinds of goods and information, which involves the processing of personal data of clients and recipients. Consequently, and for the purposes of compliance with the legally established requirements, the exercise of said activity necessarily implies knowledge and application of the current regulations regarding the protection of personal data.

The balance of the circumstances contemplated in article 83.2 of the GDPR and article 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 5.1.f) of the GDPR, allows for a fine of €120,000 (ONE HUNDRED AND TWENTY THOUSAND EUROS) to be set.
VI Article 32 of the GDPR

With regard to the application of data protection regulations to the case raised, it must be taken into account that the GDPR, in its article 32, requires controllers and processors to adopt the security measures necessary to guarantee that the processing is in accordance with the regulations in force, as well as to guarantee that any person acting under the authority of the controller or the processor and having access to personal data may only process them following instructions from the controller.

Article 32 of the GDPR, security of processing, establishes the following:

“1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which may include, where appropriate, among others:
a) the pseudonymization and encryption of personal data;
b) the ability to guarantee the permanent confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident;
d) a regular process of verification, evaluation and assessment of the effectiveness of the technical and organisational measures to ensure the security of the processing.

2. When assessing the adequacy of the level of security, particular account shall be taken of the risks presented by the processing of data, in particular as a result of accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorised disclosure of or access to such data.

3.
Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to Article 42 may serve as an element to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and the processor shall take steps to ensure that any person acting under the authority of the controller or the processor who has access to personal data processes such data only on instructions from the controller, unless he or she is required to do so by Union or Member State law”.

The GDPR defines a personal data breach as “any security breach leading to the accidental or unlawful destruction, loss, alteration of, or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

The documentation in the file shows a breach of Article 32.1 of the GDPR, as a result of the lack of appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. It should be noted that the GDPR, in the aforementioned provision, does not establish a list of the security measures applicable according to the data subject to processing, but rather establishes that the controller and the processor shall apply technical and organizational measures appropriate to the risk involved in the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the data subjects.
Likewise, the security measures must be appropriate and proportionate to the risk detected, which means that the technical and organizational measures must be determined taking into account: pseudonymization and encryption; the capacity to guarantee confidentiality, integrity, availability and resilience; the capacity to restore the availability of and access to data after an incident; and a process of verification (not an audit), evaluation and assessment of the effectiveness of the measures. In any case, when assessing the adequacy of the level of security to the risk, particular account shall be taken of the risks presented by the processing of data, such as the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data, which could cause physical, material or immaterial damage or harm.

In this same sense, recital 83 of the GDPR states that: “(83) In order to maintain security and prevent processing infringing the provisions of this Regulation, the controller or processor must assess the risks inherent in the processing and implement measures to mitigate them, such as encryption. These measures must ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the cost of their implementation in relation to the risks and the nature of the personal data to be protected. When assessing the risk in relation to data security, account must be taken of the risks arising from the processing of personal data, such as accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication of or access to such data, which may in particular cause physical, material or immaterial damage or harm.”
To ensure these security factors, measures of both a technical and an organizational nature are necessary that are suitable to achieve a level of security appropriate to the risk.

In the present case, it is evident that the security measures the data controller had implemented in relation to the data being processed were not adequate, regardless of the breach itself. When referring to the preventive measures it had implemented at the time the letters were abandoned, CI POSTAL, beyond the confidentiality commitment it requires of its employees and the information it provides about its internal protocols or informative communications about their responsibilities, does not describe any security measure actually adopted with the aim of avoiding this type of incident as far as possible. In this case, there is evidence of the absence of technical and organizational measures by CI POSTAL to guarantee a level of security appropriate to the risk, as it has no system to verify that letters reach their recipients and has not given its employees any specific instructions on how to deliver letters in order to comply with the regulations on personal data protection, apart from a one-hour training course at the start of the employment relationship. There was no subsequent verification, no audits and no sampling.

On the contrary, in its response to the inspection services of this AEPD regarding the accreditation of the measures adopted to guarantee the traceability and tracking of shipments, CI POSTAL admitted not having any control system, justifying this as follows: “In ordinary postal delivery, the cause of the security incident due to the abandonment of correspondence, implementing traceability and tracking measures for delivery involves a very high level of difficulty. To date, no technological solution has been found that allows us to have proof that ordinary mail has been deposited in the mailbox.
It should be remembered that CIPOSTAL receives from its customers large volumes of correspondence to be delivered, without any data breakdown. We are only given batches of correspondence where the only data we have is the number of letters to be delivered. Creating two-person delivery teams to be able to control whether the delivery is carried out or not is an unviable solution due to costs.”

The GDPR also requires not only the design of the necessary technical and organizational means, but also their correct implementation and their appropriate use, so that the defendant is also liable for a lack of diligence in their use, understood as reasonable diligence in the circumstances of the case. Ultimately, the defendant's liability is determined by the inadequacy of the technical and organizational security measures put in place, since the defendant is responsible for making the decisions aimed at effectively implementing appropriate measures to guarantee a level of security appropriate to the risk, among them those aimed at restoring availability and preventing access to data in the event of a physical or technical incident. However, the documentation provided shows that the entity is in breach of this obligation, since the procedures implemented do not verify compliance with the delivery order.

It must be stressed that the adequacy of the level of security to the risk must be evaluated by the controller and periodically reconsidered based on the results obtained, taking into account, among other factors, the risks that the processing may present as a consequence of the unauthorized communication of said data.
The technical and organizational security measures to be applied are those relevant to responding to the existing risk, assessing, among other factors, the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the data subjects. One of the requirements established by the GDPR for controllers and processors who carry out processing activities is the need to carry out an information security risk analysis in order to establish security and control measures aimed at complying with the principles of protection by design and by default that guarantee the rights and freedoms of individuals.

This lack of adequate security measures, which causes the violation of article 32.1, constitutes an infringement in itself, independent of the detected security incidents and the personal data breaches produced.

In accordance with the above, it is considered that the known facts constitute an infringement, attributable to the reported entity, for violation of article 32 of the GDPR.
IV Classification of the infringement of article 32 of the GDPR

The aforementioned infringement of article 32 of the GDPR involves the commission of the infringements classified in article 83.4 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions shall be punishable, in accordance with section 2, by administrative fines of a maximum of EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total global annual turnover of the previous financial year, whichever is higher: a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 30 of the GDPR, 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”

For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered serious and will be subject to a two-year statute of limitations: g) The breach, as a result of the lack of due diligence, of the technical and organisational measures that have been implemented in accordance with the requirements of article 32.1 of Regulation (EU) 2016/679.”

V Penalty for infringement of article 32 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, the penalty to be imposed must be graded in accordance with the criteria established in article 83.2 of the GDPR.
Likewise, it is considered appropriate to graduate the penalty in accordance with the criteria established in paragraph 2 of article 76 "Sanctions and corrective measures" of the LOPDGDD.

As an aggravating factor:
- b) The link between the offender's activity and the processing of personal data. CI POSTAL is dedicated to the transport and delivery of all kinds of goods and information, which entails the processing of the personal data of its clients and of the recipients. Consequently, in order to comply with the legally established requirements, the exercise of that activity necessarily implies knowledge and application of the regulations in force on the protection of personal data.

Weighing the circumstances contemplated in article 83.2 of the GDPR and article 76.2 of the LOPDGDD with respect to the infringement of article 32 of the GDPR allows a fine of €80,000 (EIGHTY THOUSAND EUROS) to be set.

VI Adoption of measures

Infringements in this matter may give rise to the imposition on the controller of the obligation to adopt appropriate measures to bring its conduct into line with the regulations mentioned in this act, in accordance with article 58.2 d) of the GDPR, under which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period". The imposition of this measure is compatible with the penalty consisting of an administrative fine, as provided for in article 83.2 of the GDPR. Thus, this Agency may require the responsible entity to bring its conduct into line with the personal data protection regulations, within the period to be determined, to the extent expressed in the Legal Grounds of this resolution.
This act establishes the infringements committed and the facts giving rise to the violation of the data protection regulations, from which the measures to be adopted can be clearly inferred, without prejudice to the specific procedures, mechanisms or instruments for implementing them, which are a matter for the sanctioned party, since it is the controller who fully knows its own organisation and must decide, on the basis of accountability and a risk-based approach, how to comply with the GDPR and the LOPDGDD.

During the actions prior to the opening of the sanctioning procedure, CI POSTAL informed the AEPD of the corrective measures it adopted in connection with the security and confidentiality incidents that are the subject of this file, which include the dismissal of the workers involved, the implementation of new training for workers, including the preparation of a privacy manual, and the sending of reminders to them about the legal repercussions of retaining postal items. The validity of these measures is not questioned, but they are declared insufficient insofar as none of them contemplates the establishment of mechanisms aimed at ensuring the effective delivery of letters to their recipients and preventing them from being deposited in an inappropriate place, with the exception of the measure contemplating the monitoring of delivery staff, which, in turn, is not adequately explained.

Consequently, CI POSTAL must be required to adopt, within six months from the date on which this sanctioning resolution becomes enforceable, technical and organisational measures of all kinds, including the appropriate security measures to guarantee a level of security appropriate to the risk, so that articles 5.1.f) and 32 of the GDPR are complied with.
By way of indication, the measures to be adopted may include those aimed at guaranteeing control of postal deliveries: establishing a viable system for checking the traceability of the letters sent, control over returns, monitoring of complaints, measurements, periodic inspections of the delivery network, internal audits, the establishment of quality management models, the circulation of test shipments, or the use of internal or external panellists.

It is noted that failure to comply with the order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative infringement under the GDPR, classified as an infringement in its articles 83.5 and 83.6, and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the applicable legislation and having assessed the criteria for graduating the penalties for the infringements whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on CORREO INTELIGENTE POSTAL, S.L., with NIF B95604021:
- For the infringement of article 5.1.f) of the GDPR, classified in article 83.5 of said regulation, an administrative fine of 120,000.00 euros.
- For the infringement of article 32 of the GDPR, classified in article 83.4 of said regulation, an administrative fine of 80,000.00 euros.

SECOND: TO ORDER CORREO INTELIGENTE POSTAL, S.L., with NIF B95604021, pursuant to article 58.2.d) of the GDPR, to prove, within six months from the date this resolution becomes final and enforceable, that it has implemented the following security measures:
- A system to verify the traceability of the letters it sends.
- Specific instructions for employees indicating how letters are to be delivered so that the personal data protection regulations are complied with.

THIRD: TO NOTIFY CORREO INTELIGENTE POSTAL, S.L. of this resolution.
FOURTH: This resolution will become enforceable once the period for lodging the optional appeal for reconsideration (one month from the day following notification of this resolution) has elapsed without the interested party having made use of that option.

The sanctioned party is hereby warned that it must pay the penalty imposed once this resolution becomes enforceable, in accordance with article 98.1.b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to article 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.

Once notified and enforceable, if the date of enforceability falls between the 1st and 15th of the month, both inclusive, the deadline for voluntary payment runs until the 20th of the following month or the next business day thereafter; if it falls between the 16th and the last day of the month, both inclusive, the payment deadline runs until the 5th of the second following month or the next business day thereafter.

In accordance with article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with article 48.6 of the LOPDGDD, and in accordance with article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1 of that Law.

Finally, it is noted that, in accordance with article 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party expresses its intention to lodge a contentious-administrative appeal. In that case, the interested party must formally communicate this by means of a written document addressed to the Spanish Data Protection Agency, submitted through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/] or through one of the other registries provided for in article 16.4 of Law 39/2015, of 1 October. It must also send the Agency the documentation proving that the contentious-administrative appeal has actually been filed. If the Agency is not aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, it will end the provisional suspension.

938-16012024
Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6, 28001 – Madrid, www.aepd.es, sedeagpd.gob.es