
AEPD (Spain) - EXP202304094

From GDPRhub
AEPD - EXP202304094
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started: 23.02.2023
Decided: 24.03.2025
Published: 24.03.2025
Fine: 70000 EUR
Parties: Telefónica Servicios Integrales de Distribución
National Case Number/Name: EXP202304094
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

A delivery company was fined €70,000 for delivering a parcel to a third party resulting in the improper disclosure of personal data.

English Summary

Facts

The data subject ordered a mobile phone which was to be delivered by Telefónica Servicios Integrales de Distribución (data controller). The package label contained details relating to the complainant, including their ID card number and phone number, and was marked for delivery to the data subject only.

When the company tried to deliver the package, the data subject was not home and the parcel was delivered to a neighbor in the same building with whom the data subject had a poor relationship. This occurred in spite of the controller's internal policy requiring delivery only to the intended addressee and the data subject's personal data visible on the package label.

The data subject filed a complaint with the AEPD (Spanish DPA) on 23rd February 2023.

Holding

The DPA found that the controller, in delivering the parcel to the incorrect recipient, had infringed the requirement to implement appropriate technical and organisational security measures in Article 5(1)(f). This infringement, the DPA noted, resulted in the improper disclosure of the data subject’s personal data.

The DPA issued a fine of €70,000 for this infringement. In setting the amount, the DPA had regard to the fact that the delivery of parcels was the core business activity of the controller, and that they handled the personal data of a large number of data subjects.

The controller was also ordered to establish further technical and organisational measures to ensure that delivery drivers comply with the internal procedure to only deliver parcels to the addressee.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


 File No.: EXP202304094

SANCTIONING PROCEDURE RESOLUTION

From the procedure initiated by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on February 23, 2023.

The complaint is filed against TELEFÓNICA SERVICIOS INTEGRALES DE DISTRIBUCIÓN, S.A. with NIF A82261280 (hereinafter, ZELERIS). The grounds for the claim are as follows:

The claimant states that they were the recipient of a package whose delivery was the responsibility of ZELERIS and that ZELERIS delivered the aforementioned package, which contained a mobile device, which was only to be delivered to the claimant, to (...) of the property where the claimant's home is located, all without their consent, making their personal data available to a third party.

They provide a copy of the telephone contract they hold, messages sent by the respondent regarding the delivery of the package with the mobile device, dated September 13 and 23, and a copy of the delivery note for the package, dated September 23, 2022, which bears a signature other than the claimant's and, among other information, the claimant's ID number.

The complainant resides (as stated in the telephone contract) at ***ADDRESS 1; the delivery note states ***ADDRESS 2.

SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), this complaint was forwarded to ZELERIS so that it could analyze it and inform this Agency within one month of the actions taken to comply with the requirements set forth in the data protection regulations.

The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was recorded on March 30, 2023, as recorded in the acknowledgment of receipt included in the file.

On April 28, 2023, this Agency received a response letter stating the following:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/38

Attached as Annex Document No. 1 is the internal operations circular dated February 21, 2022, designed and implemented by the ZELERIS security team, which has been delivered to all affected employees. It details the specific procedures to be followed for the type of delivery affected by this specific claim, which is internally referred to as "delivery to owner," as well as the consequences that may arise from a possible non-compliance.

ZELERIS informs that, upon receiving the file, the claim was analyzed internally. To this end, among other things, the system that records the delivery of the order subject to the claim was reviewed.

In this case, they report that ZELERIS is aware that this delivery was carried out correctly at the delivery location; that the person in charge of making the delivery carried it out following the implemented procedures, without any incidents to report.

ZELERIS, in light of what happened in this matter, has informed the internal work team in charge of distributing the drivers who make the deliveries in order to issue the relevant reminders about the obligation to work according to the procedures.

Furthermore, internal work procedures regarding deliveries to the owner have also been strengthened.

THIRD: On May 9, 2023, in accordance with Article 65 of the LOPDGDD (Spanish Data Protection Act), the claim filed by the complainant was admitted for processing.

FOURTH: According to the report collected from the AXESOR tool, the entity TELEFÓNICA SERVICIOS INTEGRALES DE DISTRIBUCIÓN, S.A. is a company established in 1999, with a sales volume of (...) euros in 2022.

FIFTH: On February 9, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of the provisions of Articles 5.1.f) and 32 of the GDPR, defined, respectively, in Articles 83.5 and 83.4 of the GDPR.

SIXTH: On February 20, 2024, ZELERIS submitted a document requesting an extension of the deadline for submitting its arguments.

SEVENTH: On February 22, 2024, the investigating body of the procedure agreed to the requested extension of the deadline up to a maximum of five days, in accordance with the provisions of Article 32.1 of Law 39/2015, of October 1.

The aforementioned agreement was notified to ZELERIS on February 26, 2024, as recorded in the acknowledgment of receipt in the file.


EIGHTH: On March 1, 2024, this Agency received a document from ZELERIS in which it submitted its arguments.

NINTH: On November 6, 2024, the investigating body of the procedure agreed to open a period for the collection of evidence, considering the claim filed and its documentation, the documents obtained and generated during the claim admission phase, the allegations to the agreement initiating this sanctioning procedure, and the accompanying documentation to be incorporated into the evidence.

That same day, this Agency requested ZELERIS to submit the following information within 10 business days:

- provide a copy of the label printed on the package delivered to the complainant, or failing that, a copy of the label template attached to the packages delivered by the company.

- provide a copy of the transport and handling service contract signed with TELEFÓNICA DE ESPAÑA S.A.U.

On November 21, 2024, ZELERIS submitted a response letter to this Agency, including the required documentation.

TENTH: On December 20, 2024, a resolution proposal was issued, responding to the allegations raised and proposing:

- That the Director of the Spanish Data Protection Agency sanction TELEFÓNICA SERVICIOS INTEGRALES DE DISTRIBUCIÓN, S.A., with NIF A82261280, for a violation of Article 5.1.f) of the GDPR, as defined in Article 83.5 of said regulation, with an administrative fine of 70,000 euros.

- That the Director of the Spanish Data Protection Agency file a complaint against TELEFÓNICA SERVICIOS INTEGRALES DE DISTRIBUCIÓN, S.A., with NIF A82261280, for a violation of Article 32 of the GDPR, as defined in Article 83.4 of the GDPR.

- That the Director of the Spanish Data Protection Agency order TELEFÓNICA SERVICIOS INTEGRALES DE DISTRIBUCIÓN, S.A., with NIF A82261280, pursuant to Article 58.2.d) of the GDPR, within a period of 6 months, to prove the adoption of appropriate measures in accordance with the GDPR to ensure that its delivery personnel do not violate established protocols and do not deliver a package to an address other than that of the recipient of the package in question, nor make deliveries without reliably verifying the identity of the person to whom the package is delivered.

ELEVENTH: On December 24, 2024, a letter was submitted requesting an extension of the deadline for submitting allegations, which was granted on January 9, 2025.


TWELFTH: On January 16, 2025, this Agency received a letter from ZELERIS in which it presented allegations. In these allegations, in summary, it stated that:

ZELERIS reiterates the allegations presented to the initiation agreement, considering that this Agency has not taken into account all the circumstances that occurred in the events that are intended to be sanctioned, and that the allegations made by ZELERIS have not been refuted.

It adds that ZELERIS has not committed the typical violation charged by this Agency, and that it does have the necessary security measures in place, as determined by the Agency.

I. ON THE FACTS THAT MOTIVATE THE INITIATION OF THIS SANCTIONING PROCEEDING.

First. Non-existence of the violation. Disagreement with the proposed Resolution.

ZELERIS states that this Agency questions in the proposed resolution both the due diligence in delivering the package that is the subject of this proceeding, as well as the personal data contained on the label of the package to be delivered, considering the complaining party's telephone number to be excessive, and that it would have violated the principle of confidentiality.

a). Regarding due diligence in deliveries.

ZELERIS wishes to state that the incident that led to this disciplinary action is an isolated case, resulting from the fact that the address provided by TELEFÓNICA DE ESPAÑA, S.A.U., or TELEFÓNICA, was incorrect, meaning that ZELERIS did not collect this information.

Thus, ZELERIS, despite the error and firmly convinced that the address was correct, made the delivery to the address it had provided. It would like to add that the complaining party did not respond to the SMS text message sent to confirm its information. Therefore, ZELERIS wishes to emphasize the end customer's own responsibility, understanding that its actions cannot be considered a "lack of due diligence."

b). Regarding security measures, updated operations, and reinforcement of employees and suppliers.

ZELERIS wishes to state that it has appropriate technical and organizational measures in place regarding the processing of personal data, given that the Agency has proposed closing the violation of Article 32.

It believes that these measures are appropriate and guarantee a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of individuals.

ZELERIS wishes to highlight the following measures it has implemented, among others:

i) the continuous updating of internal operations carried out by the security and operations team, which is sent to all employees through circulars and is attached to the written statement of allegations to the proposed resolution.

ii) inclusion of clauses in parcel and courier distribution contracts with suppliers.

iii) Once the incident was detected, ZELERIS informed the collaborating company that had provided this service to identify the employee who performed this service and reprimand them.

ZELERIS wishes to emphasize that this action would demonstrate that it had acted with due diligence.

c) obligation of means, not results.

ZELERIS understands that, with the proposed resolution, this Agency is imposing an objective obligation of results, and that its security measures are infallible, based on the results of operations that employees or couriers must follow beyond the requirement of means established in Articles 25 and 32 of the GDPR and confirmed by case law. In this regard, Supreme Court Ruling 188/2022 of February 15 states:

ZELERIS believes that, despite the design and implementation of security measures for shipments, there are times when, for reasons not attributable to ZELERIS, it is not possible to follow the established procedures, the employee is deceived into not following the procedures, or directly, of his or her own free will, deviates from them.

It also wishes to state that it has never been sanctioned by this Agency since its establishment in 1999, which demonstrates the due diligence it employs in its activities.

d) Volume of deliveries.

At this point, ZELERIS wishes to state that:

- almost 80% of its shipments are to individuals,

- on the day the incident that led to this sanctioning procedure occurred, 3,063 shipments were made in the same province, and there were no incidents similar to this one.


Therefore, it understands that the percentage of incidents in proportion to the volume of shipments is very low and would not have given rise to privacy claims.

2. Regarding the inclusion of the contact telephone number on the label.

ZELERIS wishes to state that the inclusion of the customer's contact telephone number on the label does not constitute a breach of the data minimization principle, as it is necessary for the proper provision of the service.

Therefore, it wishes to inform this Agency of the need for the contact telephone number to be included on said label, due to the volume of large customers who entrust it with deliveries, which implies the need to have a large number of subcontractors throughout the national territory, and therefore, it is necessary for it to be included in order to ensure proper delivery of packages.

a) Requirements from large clients who have their own labeling system.

ZELERIS states that:

i) some clients automatically upload the data to ZELERIS's systems, and ZELERIS only has to print and affix the labels to the package. Therefore, the responsible party determines what data is included on the label.

ii) some clients contractually require the courier to contact the end customer by phone, so it is necessary for the courier to have a quick and easy contact number.

iii) to resolve incidents in real time and avoid unnecessary returns, which negatively affect senders and recipients.

b) Not all collaborators have the same technical resources.

Sometimes, these collaborating companies do not have PDAs and, therefore, do not have the digitalized delivery note with the delivery details. Therefore, in the event of an unexpected situation, they have no way of contacting the customer.

On other occasions, there is a lack of coverage and connectivity, so the telephone number is immediately extracted from the label.

It insists that the fact that the telephone number appears on the label has led to a high success rate for deliveries, shorter delivery times, and that to date, there have been no significant complaints regarding data protection that have resulted in sanctions by this Agency.

c) scope of dissemination of the data.


ZELERIS indicates that this Agency claims that the contact mobile telephone number has been exposed to a third party, resulting in a breach of confidentiality, due to two circumstances:

i) that said information was included on the package label

ii) that the delivery was made without following the internal protocol for delivery to the owner.

ZELERIS insists on this point that the inclusion of the telephone number on the label is by no means excessive, as it is necessary to properly provide the delivery service.

However, it wishes to emphasize that any possible dissemination of the contact telephone number information has been very limited, minimal, limited, restricted, and controlled, as only one neighbor had access to it. It believes that it would have been much more serious if the information had been exposed in publicly accessible information sources or on the internet or social media.

d) time at which the event occurred.

ZELERIS wishes to state that the events occurred in 2022, and therefore considers that the risks existing in that year are not the same as those existing today.

This statement is made so that this Agency is aware that, until a few years ago, the sensitivity of personal data, such as in this case, being exposed was not the same as it is today.

e) corrective measures.

Over the last two years, ZELERIS has reportedly been implementing changes in its way of working. Thus, it mentions the following measures:

i) implemented: inclusion of (…).

(…).

ii) in the process of implementation:

(…).

(…).

II. ON THE LEGAL BASIS.

First. Regarding the alleged violation committed by ZELERIS: lack of legality, unlawfulness, and culpability.

ZELERIS reiterates the allegations it presented regarding the initial agreement and states that, for conduct to be criticized, it must be typical, unlawful, and culpable, and at this point, it understands that the principle of typicality would be violated to the extent that ZELERIS's conduct is not subsumed under the provision whose violation is alleged.

Thus, ZELERIS understands that the action cannot be considered typical to the extent that the delivery took place at the address provided by TELEFONICA, and without the complaining party changing the data when advised by ZELERIS to confirm its delivery data.

Furthermore, it considers that there has been no confidential security breach because the data provided in the order is necessary for the proper provision of the service, as previously stated.

It insists that the data appearing on the package label is the minimum essential, and that the third party does not have access to the data on the delivery note.

Furthermore, it considers that the conduct cannot be considered unlawful, to the extent that ZELERIS acted in good faith and with a well-founded belief that excludes culpability, and with the objective of ensuring the proper delivery of the shipments. Thus, it considers that the unlawfulness of the conduct, as an element constituting an administrative offense, formally requires that there be a conflict between the behavior and the infringed rule, such that if the behavior is supported by the legal system, it cannot be considered unlawful conduct.

Finally, ZELERIS wishes to state that the element of culpability is not present, insofar as its conduct reveals an unequivocal intention to proceed in accordance with the law, with a willingness to comply, and due diligence is unquestionable.

It also wishes to state that it is well-established doctrine that the principles inspiring the criminal system are applicable to sanctioning law, noting that one of the main components of an administrative offense is the element of culpability, which presupposes that the act or omission must in any case be attributable to its perpetrator due to malice, recklessness, negligence, or inexcusable ignorance.

On this point, ZELERIS recalls STC 76/90, of April 26, and adds that it is necessary in an administrative proceeding to verify ZELERIS's culpable involvement, and that, in this case, it would not have occurred.

Second. Failure to comply with the principle of proportionality in sanctions.

ZELERIS wishes to state that it has already been established that there are no facts that justify the charge of the violation, but, in the event that this Agency does not decide to proceed with the dismissal of this sanctioning procedure, it understands that the principle of proportionality would also be violated.

To this end, it refers to:


- the Supreme Court ruling of June 2, 2003, according to which the principle of proportionality "tends to adapt the sanction, by establishing its specific gradation within the possible limits, to the seriousness of the act constituting the infraction, both in its unlawfulness and culpability aspects, weighing as a whole the objective and subjective circumstances that comprise the sanctionable act and, in particular, as stated in Article 131.3 of Law 30/92, the intentionality or repetition, the nature of the damages caused, and recidivism."

- the judgment of October 30, 2020, in administrative appeal number 948/2018 of the National Court, which recalls that "the margin of appreciation granted to the Administration in imposing sanctions within the legally established limits must always be developed by weighing the concurrent circumstances, in order to achieve the necessary and due proportion between the alleged acts and the liability required, given that any sanction must be determined in accordance with the magnitude of the violation committed and according to a criterion of proportionality in relation to the circumstances of the act. Therefore, proportionality constitutes a normative principle imposed on the Administration and reduces the scope of its sanctioning powers."

- National and European legislative bodies that have also taken this legal principle into account when shaping data protection regulations, such as recitals 4, 129, and 148, as well as Article 83 of the GDPR.

ZELERIS's reasons for considering that the principle of proportionality has been violated are as follows:

i) this is the first sanctioning procedure since 1999.

ii) the proportion of the volume of shipments in a year and the number of complaints for privacy violations demonstrate that the security measures implemented are effective.

iii) the exposed data affected only one person and occurred in (...).

iv) ZELERIS has adopted the appropriate measures to reduce the risk of data being exposed in the event of an incident.

For all these reasons, it believes that the amount of the sanction should be considerably reduced.

Third. Regarding the criteria for graduating the sanction.

ZELERIS reiterates its arguments submitted to the initiation agreement and expresses its disagreement with the application of the following aggravating factors:

i) The nature, severity, and duration of the violation, which are reiterated in the arguments submitted to the initiation agreement. It also requests this Agency to assess all the circumstances outlined, as this was a one-off, isolated error, in which no harm was caused to the complainant, and the personal data was minimally disseminated.


ii) Intentionality/Negligence. ZELERIS states that it acted in a manner that would reveal an unequivocal intention to proceed in accordance with the law, with no intention of violating the law and, in any case, a willingness to comply. It adds that it has the necessary and appropriate technical measures in place to manage shipments to the owner, and that, as has been established, it was the courier who decided to deviate from these measures, and in this case, there can be no question of intentionality.

It adds that the offender would, in and of itself, assume the culpable element of the negligence being prosecuted, and therefore, given that there is no additional or greater intensity of the conduct of the person sanctioned, it should not have been taken into account as an aggravating factor for the purposes of imposing the sanction. To this end, it cites the ruling of the National Court of June 1, 2024, which states:

"The complaint alleges that two aggravating circumstances have been taken into account: the plaintiff's negligence in modifying the contract without being certain that the person who called requesting the power change was acting on behalf of the contract holder (Article 83.2.b) GDPR (EDI 2016/48900). And the connection between the offender's activity and the processing of personal data (Article 76.2.b of Organic Law 3/2018 (EDI 2018/128249).

Regarding the proportionality of sanctions, this is understood as the adequacy, according to criteria of justice and equity, between the facts that constitute the type of infringement and the determination of the applicable sanction, taking into account the intensity of the negligence involved, that is, the degree of intentionality, carelessness, or negligence revealed by the conduct. And of course, a reasoning is required for the judgment of the intensity of the negligence involved. This connects us with the first of the aggravations discussed.

It is evident that these sanctions at hand can only be imposed if there is guilt or negligence; thus, without the existence of the element of culpability, the existence of any type of violation cannot be established. This leads us to consider that said element of culpability is embedded in the nature of the violation. Therefore, this Court understands that as long as the existence of excessive intent, or an excess of culpability in the conduct of the sanctioned party, is not demonstrated, accredited, and justified, the guilt or negligence must be considered part of the type of violation without elevating it to the category of an aggravated sanction. In this case, there is no evidence of intent or negligence greater than or exceeding the type that could be considered to increase the severity of the act sanctioned in either of the two infractions, so this aggravating factor is excluded, resulting in a reduction in the financial penalty.

iii) the connection between the offender's activity and the processing of personal data.

ZELERIS understands that this aggravating factor should not be applied to the extent that it would be a specific and exceptional case, which has not generated controversy or sanctions in the area of data protection prior to this case. This would be equivalent to assuming that in any type of infraction that it were decided to impose on ZELERIS, this aggravating factor would be considered. It considers this aggravating factor to be disproportionate and senseless, violating the principles of Justice and equity.

It considers that this aggravating factor should be applied when there is a large number of data subjects affected by the potential infringement, since, otherwise, any company that handles a large amount of personal data will find its conduct aggravated by the Agency. It understands that the European Data Protection Board also considers this to be the case in the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, adopted by the Article 29 Working Party on October 3, 2017, which clearly state that the factors provided for in Article 83.2 of the GDPR must be assessed in a combined manner, that is, in what concerns us now, the number of data subjects together with the potential impact on them.

Recital 75 of the GDPR would also rule in this direction, stating that, in order to determine the degree of damages that a potential data protection violation may cause, one must take into account, among other aspects, "that the processing involves a large amount of personal data and affects a large number of data subjects."

ZELERIS also believes that the following mitigating factors should have been applied:

a) the degree of cooperation with the supervisory authority to remedy the violation and mitigate the potential adverse effects of the violation, to the extent that all requests for information from the Agency were answered.

b) any other aggravating or mitigating factors applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the violation, to the extent that no benefit was obtained from the commission of the violation, but rather the possible imposition of a penalty.

ZELERIS believes that, taking into account the circumstances already outlined in this written statement, this Agency should adjust the penalty and set it at its minimum level of €40,001, as this is the first sanctioning procedure it has been notified of.

Therefore, it requests that this Agency declare no liability, order the closing of the sanctioning procedure, and, alternatively, in the event that it is not closed, that the initially proposed penalty be reduced by virtue of the mitigating circumstances provided for in Article 83 of the GDPR.

From the actions taken in this proceeding and the documentation in the file, the following have been established:

PROVEN FACTS


FIRST: It is established that the complainant was the recipient of a product (mobile terminal) ordered from TELEFÓNICA DE ESPAÑA in September 2022.

SECOND: It is established that the product was delivered by the company ZELERIS, with which TELEFÓNICA MÓVILES ESPAÑA SAU has a contract for the provision of transportation and handling services, which was modified to include services derived from the marketing of the Movistar Fusión Service with the leasing of mobile terminals to end customers. As specified in the contract, three phases were planned for the operation to be carried out by ZELERIS for the new Fusión+ Terminal service. Phase III of the contract begins on August 1, 2021, or, failing that, the date the integration process is completed. The carrier will verify the cardholder's identity, sign the contract, and send an SMS notification.

THIRD: It is established that the complainant's address is ***ADDRESS.1, as stated in the complainant's telephone service contract with TELEFONICA DE ESPAÑA, S.A.U., dated July 20, 2020, and provided by the complainant in their claim.

FOURTH: It is stated that the product was only to be delivered to the merger holder, as stated in the text message provided by the complaining party, sent by (…)”.

FIFTH: There is an operations circular dated February 21, 2022, provided by ZELERIS, with the subject line “REMINDER: DELIVERY TO HOLDER OF TME SHIPMENTS” which reads:

“REMEMBER THE MANDATORY REQUEST FOR IDENTIFICATION AND DNI VERIFICATION IN ALL SHIPMENT DELIVERIES AND/OR DELIVERIES MARKED AS “DELIVERY TO HOLDER”. IF IDENTIFICATION OF THE HOLDER OF THE SHIPMENT IS NOT POSSIBLE, DELIVERY WILL NOT BE MADE.”

SIXTH: It is established that the product was delivered to ***ADDRESS.2, as shown on the delivery note provided by the complainant. The delivery note contains the complainant's name and surname, as well as their telephone number and ID number.

SEVENTH: It is established that the package label contains the following personal data: name, surname: A.A.A.; postal address: ***ADDRESS.1; and the complainant's contact telephone number.

LEGAL BASIS

I
Jurisdiction

In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in Articles 47, 48.1, 64.2, and 68.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, LOPDGDD), the Presidency of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Furthermore, Article 63.2 of the LOPDGDD establishes that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development, and, insofar as they do not contradict them, in a subsidiary capacity, by the general rules on administrative procedures."

II
Preliminary Questions

In this case, in accordance with Articles 4.1 and 4.2 of the GDPR, personal data processing is established, since TELEFONICA SERVICIOS INTEGRALES DE DISTRIBUCIÓN collects and stores, among others, the following personal data of natural persons: first and last name, address, telephone number, ID number, among other processing options.

Article 4, section 12 of the GDPR broadly defines "personal data security breaches" (hereinafter "security breaches") as "any security breach that results in the accidental or unlawful destruction, loss, or alteration of personal data transmitted, stored, or otherwise processed, or in unauthorized communication of or access to such data."

In the present case, there is a personal data security breach under the circumstances indicated above, categorized as a breach of confidentiality, as the complainant's personal data was improperly accessed as a result of the delivery of a package containing, on a label located in a visible part of the package, his personal data, consisting of his first and last name and telephone number, to a person who lived on the same floor as the complainant, but at a different door, and who was not the holder of the Fusion line.

In this regard, the complainant has provided a screenshot of the message sent to communicate the shipment, which shows:

"Hello! Your device is on its way (...) remember that we can only deliver it to the holder of the Fusion line."

The delivery note and the package label contain an incorrect address, with all the details of the complaining party except for the letterhead, and a signature that does not appear to correspond to the signature on the telephone contract.

As part of the processing principles set forth in Article 5 of the GDPR, the integrity and confidentiality of personal data is guaranteed in Section 1.f) of Article 5 of the GDPR. The security of personal data is regulated in Article 32 of the GDPR.

III
Response to the allegations made regarding the initiation agreement

In response to the allegations presented by the respondent entity, the following should be noted:

1. NO INFRINGEMENT COMMITTED

a) In relation to the violation of Article 5.1.f of the GDPR attributed to ZELERIS, ZELERIS states that the data it processes are those provided by TELEFONICA DE ESPAÑA, and that it does not have access to the contract that the customer signs with TELEFONICA DE ESPAÑA.

The petitioner adds that the information ZELERIS has includes the complainant's name and surname, address, telephone number, and ID number, as can be seen in the document it provides, which, it states, is an image from the ZELERIS system in which the order placed by TELEFÓNICA was generated.

In any case, it states that the order was delivered to the address provided, and that it acted with due diligence and in accordance with the information it had, without any negligence whatsoever.

Regarding this statement made by ZELERIS, it is important to note that this Agency considers that due diligence was not exercised, contrary to what ZELERIS stated, insofar as, as stated in the SMS sent to the complainant, and which the complainant provides with its claim, the order could only be delivered to the holder of the Fusion line, which, in this case, was not confirmed in any way, as the order was delivered to a person other than that holder.

In this regard, the AN stated in its SAN of June 27, 2024, rec. 102/2022: "It is well known that liability may be incurred for the violation we are examining whether intentionally or maliciously, or through carelessness, negligence, or even simple non-compliance (Article 28 of Law 40/2015, of October 1). It is now appropriate to recall that, as the Supreme Court stated in its Judgment of January 23, 1998, "... although the culpability of the conduct must also be subject to proof, it must be considered, in order to assume the corresponding burden, that ordinarily the volitional and cognitive elements necessary to assess it are part of the proven typical conduct, and that their exclusion requires proving the absence of such elements, or, in its normative aspect, that the diligence required by the person claiming their absence has been exercised; in short, the invocation of the absence of fault is not sufficient to exonerate oneself from typically unlawful conduct."

Therefore, in this case, in accordance with what has already been stated, it cannot be understood that ZELERIS acted with due diligence.

ZELERIS also stated that the information appearing on the label is the name, surname, and address, and is typically the same information that appears on the mailbox of any apartment in a homeowners' association. Therefore, it understands that, under no circumstances, would any information not known to the building's residents have been exposed.

This statement by ZELERIS would assume that all the information of the complaining party included on the labels of the shipments appears in the mailbox of its homeowners' association. However, this is not true considering that the package labels contain more personal information about the recipients of the shipments than is usually found in such mailboxes; in this case, it includes the contact telephone number of the complaining party.

ZELERIS adds that the delivery note does contain more personal data, but this document is not provided to the person who collected the shipment, so the third party has not been able to view it.

In this regard, it should be noted that this sanctioning procedure does not refer to the person who collected the package having access to the data on the delivery note. Rather, what is being questioned is the fact that the delivery note included an address, which has already been proven to be incorrect, but that the package was still delivered to that address, without indicating who received the shipment. The data included is that of the complaining party, who was precisely claiming that the package had not been delivered to them. Therefore, there was a violation of the confidentiality principle, as the complaining party's personal data included on the label was exposed to third parties.

Finally, ZELERIS wishes to state that there was a lack of diligence on the part of the complainant when confirming his shipping address, insofar as he was sent an SMS on September 13, 2023, informing him that his order could not be delivered and asking him to confirm the delivery details, which he failed to do.

In relation to this issue, it should be noted that the violation attributed to ZELERIS is precisely that it failed to follow its own instructions when it delivered the shipment without verifying that the person receiving it was the intended recipient, who had to be the holder of the Fusion contract.

b) ZELERIS states that it conducts studies on security measures appropriate to the risk and has implemented specific procedures for all its employees regarding this type of delivery. Furthermore, it has already provided a circular detailing these measures, which included, among others:

- The employee in charge of the delivery is required to identify and verify the identity of all deliveries.

- Delivery may not be made to an address other than the one indicated on the shipment.

- Penalties for serious breaches of the required service.

In relation to these statements, the case file has established that ZELERIS did not follow the security measures it had implemented, having delivered the shipment without verifying that the person collecting it was the holder of the Fusion contract and the person who was supposed to collect it. This resulted in a breach of confidentiality, insofar as the complaining party's personal data, particularly their contact telephone number, was exposed to a third party.

In other words, it is understood that ZELERIS had implemented measures but did not act with sufficient diligence, having delivered the shipment to a person who was not the holder of the Fusion contract and without verifying who the person who received the shipment was. The delivery note does not include the information of the person who collected the shipment, but only the information of the complaining party. It seems clear that the complaining party was not the one who collected the shipment, since, furthermore, it has already been proven throughout this sanctioning procedure that the address was incorrect.

Furthermore, it should be remembered that the circular of February 21, 2022, expressly states that "if the identification of the holder of the shipment is not possible, delivery will not be made" and that the service provision contract submitted by ZELERIS to the procedure states that the identity must be verified.

ZELERIS adds, at this point, that, as a postal operator, it must comply with the obligations of Law 43/2010, of December 30, on the universal postal service, user rights, and the postal market.

In this regard, it states that Article 24 of this Law establishes that:

"it will endeavor to deliver those postal items whose address, even if incomplete, allows the identification of the recipient" (...) "Items, depending on the type, will be delivered to the recipient or to the person they authorize, or they will be placed in individual or collective mailboxes or home mailboxes. Any person present at their home who provides proof of identity and takes charge of them will be deemed authorized by the recipient to receive items at their home, unless the recipient expressly objects in writing to the designated operator providing the universal postal service."

And therefore, it states that the law allows any person who is at the address and identifies themselves to pick up the shipment, and in this case, the delivery took place at the address ZELERIS had listed as the delivery address. The courier identified the person who was at the address, and that person signed the delivery note, and therefore the delivery was made. This is why the signature does not match. However, such claims are not proven in this case. It should be noted that the regulations referred to by ZELERIS require:

- that shipments be delivered to the recipient or to the person authorized by them.

- the person present at the address will be considered authorized by the recipient to receive shipments at their home, and

- that they prove their identity and take charge of the shipment.

- unless the recipient expressly objects in writing.

In this case, the identity of the person taking charge of the shipment is not stated, since, as can be seen on the delivery note, it only includes the details of the complaining party and a signature, which does not correspond to the signature of the complaining party. This is also acknowledged by ZELERIS, which states that the person collecting the shipment is identified, when it is evident that this is not the case, since their details are not included on the delivery note.

In this case, the SMS sent to the complaining party expressly states that the shipment can only be delivered to the holder of the Fusion contract, which also did not happen here.

Finally, and as already mentioned, the operations circular dated February 21, 2022, expressly states that "if it is not possible to identify the holder of the shipment, delivery will not be made."

Therefore, in accordance with all the above, the claim presented by ZELERIS cannot be taken into account.

2. LACK OF TYPICALITY, UNLAWFULNESS, AND GUILT OF TELEFÓNICA-ZELERIS.

ZELERIS asserts that the action cannot be considered typical since the delivery was made to the address provided by TELEFÓNICA, and believes that a breach of confidentiality cannot be attributed to the fact that the data provided in the order is minimal and the third party has not had access to it.

However, this assertion cannot be taken into account since, although ZELERIS states that the personal data contained on the shipping label is minimal, it is still the personal data of the complaining party, and the third party collecting the package does have access to it. In the present case, it has been established that the label included the complaining party's telephone number. ZELERIS continues to state that it cannot be accused of failing to adopt security measures and insists that the information appearing on the label is the minimum required, and that the third party receiving the shipment does not have access to the delivery note, and therefore cannot be considered as evidence.

In this regard, it has been established that ZELERIS did not follow the security measures it had implemented, having proceeded with the delivery of the shipment without verifying that the person collecting the shipment was the holder of the Fusion contract and the person who was supposed to collect it. This resulted in a breach of confidentiality, insofar as the complaining party's personal data, particularly their contact telephone number, was exposed to a third party.

Furthermore, the statement that the personal data collected on the shipping label is the minimum required cannot be taken into account, as there is no minimum personal data, but rather it is, in any case, the personal data of the claimant.

Furthermore, in relation to the statement regarding the delivery note, it should be noted that the delivery note proves that the delivery was not carried out in accordance with the conditions of the regulations and the measures implemented by ZELERIS, since the delivery was made to a different address than the complainant's and was collected by a third party. It was not delivered to the actual recipient of the shipment, who is the holder of the Fusion contract and the complaining party, nor is the person who collected the shipment identified. The delivery of the shipment without verifying that the person collecting it was the holder of the Fusion contract, as stated in the instructions implemented by ZELERIS, resulted in a loss of confidentiality, as the complaining party's personal data was exposed to a third party.

ZELERIS acknowledges this when it states that the signature does not match the signature provided by the complaining party in its contract with TELEFONICA DE ESPAÑA because it is not the party collecting the shipment. It asserts that the courier would have identified the person collecting the package, but this document shows that the person collecting the shipment is not identified on the delivery note.

It should be remembered that the shipment was to be delivered to the owner of the shipment, and according to ZELERIS's own circular, if the owner of the shipment cannot be identified, delivery cannot be made.

Regarding ZELERIS's statement that it believes the conduct was not unlawful, as it acted in good faith and with a well-founded belief excluding culpability, it is necessary to take into account the provisions of the AN, SAN judgment of June 27, 2024, rec. 102/2022 "It is well known that liability may be incurred for the violation we are examining both intentionally or willfully, as well as through carelessness, negligence, or even simple non-compliance (Article 28 of Law 40/2015, of October 1). It is now appropriate to recall that, as the Supreme Court stated in its ruling of January 23, 1998, "... although the culpability of the conduct must also be subject to proof, it must be considered, in order to assume the corresponding burden, that ordinarily the volitional and cognitive elements necessary to assess it are part of the proven typical conduct, and that their exclusion requires proof of the absence of such elements, or, in its normative aspect, that the due diligence required by the person claiming their absence has been exercised; In short, the invocation of the absence of fault is not sufficient to exonerate a person in the face of typically unlawful conduct.

Therefore, it is up to ZELERIS to prove that it exercised the due diligence required to exclude fault, which it has not done in the present case, since it has been established that the package was delivered to a person other than the holder of the Fusion contract, thereby creating a breach of confidentiality.

Furthermore, the delivery of the shipment took place without taking into account the measures communicated by ZELERIS to its employees, insofar as they did not ensure that the person receiving the shipment was the intended recipient.

Therefore, the allegation put forward by ZELERIS cannot be taken into account.

3. ON THE CRITERIA FOR GRADUATING THE PENALTY.

In this allegation, ZELERIS wishes to express its disagreement with the aggravating factors included in the initiation agreement. Thus:

- in relation to the circumstance relating to the nature, severity, and duration of the violation, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages they have suffered (section a): in the present case, the measures indicated in the circular dated February 21, 2022, were not followed, as stated in document 1 attached to the response to the complaint.

At this point, ZELERIS states that this would be a unique and exceptional case that has not caused any harm to the complainant, and therefore, the penalty of 100,000 euros for committing two violations would be disproportionate.

In relation to this circumstance, it should be noted that, when the delivery was made, the company's own measures that it had implemented, which it provided in its response to the transfer of the complaint, were not taken into account, which led to a loss of confidentiality of the complainant's data and a loss of control over its own data.

In any case, this Agency considers that the penalty is not disproportionate.

For all the above reasons, this claim cannot be taken into account.

- Regarding the circumstance of intentionality/negligence in the violation (section b). In this regard, the Supreme Court has held that negligence exists whenever a legal duty of care is disregarded, that is, when the offender fails to behave with the required diligence. In assessing the degree of diligence, the professionalism of the individual must be especially considered. There is no doubt that, in the case under review, when the appellant's activity involves constant and extensive handling of personal data, rigor and exquisite care must be emphasized to comply with the legal provisions in this regard. [National Court Ruling of 10/17/2007 (rec. 63/2006)]

Regarding this circumstance, ZELERIS states:

a) ZELERIS does have security measures appropriate to the risk.

b) the sectoral regulations applicable to the case were complied with, since the person collecting the package identified themselves.

c) the complaining party was able to confirm and/or modify the delivery address because the first attempt failed.

d) internal measures were adopted, as indicated in the letter sent to this Agency dated April 27, 2023, which indicated that internal operations for this type of delivery would be strengthened for all employees.

e) It appears that ZELERIS was aware from the outset of an error in the delivery address, which was in no way attributable to ZELERIS.

Regarding these statements, it should be noted that they have already been addressed throughout this document, insofar as the violation attributed to ZELERIS is precisely that, during the delivery, the measures implemented were not followed. In addition, the person who collected the package did not identify themselves, since they are not listed on the delivery note.

Regarding the error referred to, it must be taken into account, as previously stated, that the delivery of the shipment was to be made to the holder of the Fusion contract, and not to any person present at the address, who was not even identified. Therefore, these statements made by ZELERIS cannot be taken into account.

Finally, regarding the complaining party's failure to confirm the delivery address, it is necessary to point out that the infringement attributed to ZELERIS is precisely that it failed to follow its own instructions when it delivered the shipment without verifying that the person receiving it was the intended recipient, who had to be the holder of the Fusion contract.

- Regarding the aggravating circumstance related to the connection between the offender's activity and the processing of personal data (section b):

TELEFÓNICA SERVICIOS INTEGRALES DE DISTRIBUCIÓN routinely and continuously processes personal data. ZELERIS wishes to express its disagreement to the extent that it considers that there was no lack of security measures during the delivery.

This question has also been answered several times throughout the proposed resolution, since it is precisely the measures ZELERIS has implemented for delivering shipments that were not followed in the present case. These measures included, among others, that the delivery worker is required to identify and verify the identity of all deliveries, and if it is not possible to identify the owner of the shipment, the delivery will not be made.

In this case, as already stated, there is no record in the file that the delivery was made to the holder of the Fusion contract, which is what had been agreed upon with the client in this delivery.

ZELERIS adds that this aggravating factor, in this case, is applied without taking into account that this is a specific and exceptional case, which means that any type of infringement attributed to ZELERIS would always be considered aggravated, something it considers disproportionate and completely senseless, contravening the principles of justice and equity.

This Agency considers that this statement cannot be taken into account since the development of ZELERIS's business activity requires continuous and large-scale processing of clients' personal data, which is why it is required to exercise greater diligence in the processing of personal data.

Finally, it should be added that the legislator foresaw the possibility of using this aggravating circumstance, and the Agency merely applies it.

On the other hand, ZELERIS believes that the following mitigating circumstances should be applied, with a consequent reduction in the amount:

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the potential adverse effects of the infringement.

ZELERIS believes that this mitigating circumstance should be applied to the extent that all requests for information from the Agency have been answered, in order to collaborate as much as possible with the Agency's investigative work.

This claim cannot be taken into account insofar as responding to requests for information sent from this Agency is an obligation of the data controller, as set forth in the LOPDGDD (Spanish Data Protection Act).

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the violation.

ZELERIS understands that, in the present case, no benefit has been obtained from the commission of the alleged violations. Quite the contrary, if the sanction were ultimately imposed, this party would incur an economic loss.

This allegation cannot be considered a mitigating factor, in accordance with the ruling of the National Court of 05/05/2021, rec. 1437/2020, which states:
“It also considers that the non-commission of a prior violation should be considered as a mitigating factor. However, Article 83.2 of the GDPR establishes that, for the imposition of the administrative fine, the following must be taken into account, among others:

"e) any prior violation committed by the controller or processor." This is an aggravating circumstance; the fact that the grounds for its application are not met means that it cannot be taken into consideration, but it does not imply or allow, as the plaintiff claims, its application as a mitigating factor;
Applied to the case under trial, the lack of grounds for its application with respect to Article 76.2.c) of the LOPDGDD, that is, obtaining benefits as a result of the violation, does not allow its application as a mitigating factor.”

Thus, in accordance with the provisions of Article 83.1 of the GDPR, accepting the absence of benefits as a mitigating factor is not only contrary to the factual assumptions contemplated in Article 76.2.c), but also contrary to the provisions of Article 83.2.k) of the GDPR and the aforementioned principles.

Thus, considering the absence of benefits as a mitigating factor would nullify the deterrent effect of the fine, to the extent that it lessens the effect of the circumstances that actually affect its quantification, giving the person responsible a benefit that they have not deserved. This would be an artificial reduction of the penalty that could lead to the understanding that violating the law without obtaining benefits, financial or otherwise, will not have a negative effect proportional to the severity of the infringing act.

In any case, the administrative fines established in the GDPR, in accordance with Article 83.2, are imposed based on the circumstances of each individual case, and the absence of benefits is not considered an appropriate and determining factor for assessing the severity of the infringing conduct. Only if this absence of benefits is relevant for determining the degree of unlawfulness and culpability present in the specific infringing act may it be considered a mitigating factor, pursuant to Article 83.2.k) of the GDPR, which refers to "any other aggravating or mitigating factor applicable to the circumstances of the case."

4. THE PENALTY IS DISPROPORTIONATE AND ARBITRARY.

Regarding this issue, ZELERIS points out that the GDPR and the LOPDGDD assign this Agency, as a supervisory authority, the responsibility to ensure compliance with data protection regulations by deploying its investigative functions. In this case, no investigation has been conducted, and the reasoning for opening the sanctioning procedure would be found in the complaint filed and in the document submitted by ZELERIS, relying on assumptions such as that the delivery note containing personal data has been delivered to the person who received the package, when this may not have been the case. In this regard, Article 47 of the LOPDGDD, referring to the "Functions and Powers of the Spanish Data Protection Agency," establishes in its first section:

"The Spanish Data Protection Agency is responsible for supervising the application of this Organic Law and Regulation (EU) 2016/679 and, in particular, exercising the functions established in Article 57 and the powers provided for in Article 58 of the same regulation, in this Organic Law, and in its implementing provisions."

Thus, Article 58 of the GDPR, referring to "Powers," establishes, in its section 2:

"Each supervisory authority shall have all of the following corrective powers indicated below:

(…)

d) order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(…)

i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each particular case;"

Likewise, Article 64 of the LOPDGDD, referring to "the manner of initiating the procedure and its duration," establishes in its section 2:

"When the purpose of the procedure is to determine the possible existence of a violation of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, and this Organic Law, it shall be initiated by an initiation agreement, adopted on its own initiative or as a result of a complaint, which shall be notified to the interested party.

If the procedure is based on a complaint filed with the Spanish Data Protection Agency, the latter shall decide on its admission for processing, in accordance with the provisions of Article 65 of this Organic Law.

Once the complaint is admitted for processing, as well as in cases where the Spanish Data Protection Agency acts on its own initiative, prior to the initiation agreement, there may be a phase of preliminary investigation actions, which shall be governed by the provisions of Article 67 of this Organic Law."

Therefore, in accordance with the foregoing paragraphs, the functions assigned to this Agency include the possibility of initiating sanctioning procedures and imposing the corresponding fines and measures. Furthermore, investigation activities may or may not be carried out, in accordance with the provisions of Article 64 of the LOPDGDD (Organic Law on the Protection of Personal Data). Therefore, this allegation cannot be taken into account.

Furthermore, regarding the statement that the delivery note containing personal data was delivered to the person who received the package, when this was not the case, it is necessary to reiterate that, as previously noted, this sanctioning procedure did not question the fact that the delivery note was delivered to the person who collected the package, but rather that it served to determine that the violation had been committed, insofar as it proves that the shipment was not delivered to the complaining party. In this case, ZELERIS is not charged with a breach of confidentiality due to the delivery of the delivery note to a third party, but rather due to the delivery of a package along with a label containing the complainant's personal data.

Regarding the breach of the principle of proportionality, it is necessary to state that the GDPR expressly provides for the possibility of gradation, by establishing fines that can be adjusted, taking into account a series of circumstances, so that in each individual case they are effective, proportionate, and dissuasive (Article 83.1 and 2 GDPR), general conditions for the imposition of administrative fines that have been analyzed by this Agency, to which must be added the gradation criteria provided for in the LOPDGDD.

It should be noted that the agreed administrative fine will be effective because it will lead the company to implement technical and organizational measures that guarantee the rights and freedoms of data subjects, taking into account the critical nature of the processing.

It is also proportional to the identified violation, in particular its severity, the circle of individuals affected, the risks incurred, and the company's financial situation.

And finally, it is deterrent. A deterrent fine is one that has a genuine deterrent effect. In this regard, the judgment of the CJEU of June 13, 2013, Versalis Spa v Commission, C-511/11, ECLI:EU:C:2013:386, states:

“94. Regarding, first of all, the reference to the aforementioned Showa Denko v Commission judgment, it should be noted that Versalis interprets it incorrectly. Indeed, the Court of Justice, in stating in paragraph 23 of that judgment that the deterrent factor is assessed by taking into account a multitude of elements and not only the particular situation of the undertaking in question, was referring to points 53 to 55 of the Opinion presented in that case by Advocate General Geelhoed, who had essentially stated that the deterrent factor may be intended not only to provide "general deterrence," defined as an action to discourage all undertakings in general from committing the infringement in question, but also to provide "specific deterrence," consisting of discouraging the specific defendant from infringing the rules again in the future. Therefore, the Court of Justice merely confirmed, in that judgment, that the Commission was not required to limit its assessment to factors related solely to the particular situation of the undertaking in question.

“102. According to settled case-law, the objective of the deterrent multiplier factor and of taking into account, in this context, the size and overall resources of the undertaking in question lies in the desired impact on the undertaking in question, since the penalty must not be insignificant, particularly in relation to the undertaking's financial capacity (to this effect, see, in particular, Case C-413/08 P Lafarge v Commission [2010] ECR I-5361, paragraph 104, and the order of 7 February 2012 in Total and Elf Aquitaine v Commission [2012] ECR, paragraph 82).”

The Judgment of May 11, 2006, issued in the appeal for cassation 7133/2003 establishes that: “It must also be taken into account that one of the criteria governing the application of this principle of the administrative sanctioning regime (criterion included under the heading of “principle of proportionality” in section 2 of Article 131 of the aforementioned Law 30/1992) is that the imposition of financial penalties should not imply that the commission of the classified infractions is more beneficial to the offender than compliance with the infringed rules.”

Also important is the jurisprudence resulting from the Judgment of the Third Chamber of the Supreme Court, issued on May 27, 2006. 2003 (rec. 3725/1999) which states: Proportionality, which pertains specifically to the scope of sanctions, constitutes one of the principles governing sanctioning administrative law and represents an instrument for controlling the exercise of the sanctioning power by the Administration, even within the limits that, in principle, the applicable law establishes for such exercise. It certainly represents a concept that is difficult to determine a priori, but it tends to adapt the sanction, by establishing its specific gradation within the indicated possible margins, to the seriousness of the act constituting the offense, both in terms of unlawfulness and culpability, weighing the overall objective and subjective circumstances that comprise the punishable factual premise—and, in particular, as stated in Article 131.3 of the LRJ and PAC, intentionality or repetition, the nature of the harm caused, and recidivism. (Supreme Court Judgments of July 19, 1996, February 2, 1998, and December 20, 1999, among many others).

Furthermore, when ZELERIS points out that the initial agreement does not justify the calculation of the amount of the penalties, without explanation and merely mentioning that there are aggravating factors, and that the principle of proportionality would therefore be violated, it should be noted that this is not the case, insofar as it specifies that the penalty for violating Article 5.1.f) of the GDPR amounts to €70,000, and the penalty for violating Article 32 of the GDPR is €30,000, and the application of concurrent circumstances is clearly explained, as can be seen in the initial agreement and in this document.

Therefore, this claim cannot be taken into account.

5. ADOPTION OF MEASURES

ZELERIS disagrees with the imposition of corrective measures in the event that the alleged violations are confirmed, since, as stated throughout the written statement of objections to the initiation agreement, ZELERIS has provided a reasoned explanation of its corrective action based on the data at its disposal, following strict procedures and complying with both industry regulations and data protection regulations.

In relation to this matter, as previously noted, this Agency's functions include the possibility of imposing corrective measures.

The measures included in the initiation agreement refer to the possibility of ordering ZELERIS to demonstrate, within a period of 6 months, the adoption of appropriate measures in accordance with the GDPR, to ensure that its delivery drivers do not violate established protocols and do not make deliveries without reliably verifying the identity of the person to whom the package is being delivered.

ZELERIS has stated that internal measures have been adopted to strengthen internal operations for this type of delivery to all employees, but these have not been substantiated. Therefore, this claim cannot be taken into account. The proposal to order the application of the measures in the resolution that ends this sanctioning procedure is maintained, without prejudice to the possibility of submitting them throughout this sanctioning procedure.

IV
Response to the allegations regarding the proposed resolution of the sanctioning procedure

Regarding the allegations presented regarding the proposed resolution of this sanctioning procedure, the following are addressed in the order set forth by ZELERIS:

I. ON THE FACTS THAT GIVE RISE TO THE INITIATION OF THIS SANCTIONING PROCEEDING.

First. No violation has been committed. Disagreement with the proposed Resolution.

a) Regarding due diligence in deliveries.

This question was already addressed in the allegations to the initiation agreement, in section 1 regarding the "no violation has been committed," to which we refer.

b) Regarding security measures, updated operations, and reinforcement for employees and suppliers.

At this point, ZELERIS wishes to state that it has appropriate technical and organizational measures in place regarding the processing of personal data, given that this Agency has proposed closing the violation of Article 32 of the GDPR.

In relation to this matter, it is important to highlight that the violation attributed to ZELERIS is a violation of Article 5.1.f) of the GDPR, which also requires the implementation of appropriate technical and organizational measures to ensure the adequate security of personal data, including protection against unauthorized or unlawful processing.

Furthermore, it would like to highlight the following measures implemented:

i) the continuous updating of internal operations by the security and operations team, which is sent to all employees through circulars and is attached to the written statement of objections to the proposed resolution.

ii) the inclusion of clauses in parcel and courier distribution contracts with suppliers.

iii) once the incident was detected, ZELERIS informed the collaborating company that had performed this service to identify the employee who performed it and reprimand them.

ZELERIS wishes to emphasize that this action would demonstrate that it acted with due diligence.

The question regarding whether ZELERIS's actions would demonstrate that it acted with due diligence has already been answered, and it should be added that, despite these measures, the delivery of the shipment was carried out without taking into account the measures implemented.

c) obligation of means and not of results.

With this statement, ZELERIS affirms that, with the proposed resolution, this Agency would be imposing an obligation of results, and that the security measures must be infallible, based on the results of operations that workers and couriers must follow beyond the requirement established in Articles 32 and 25 of the GDPR.

However, in relation to this issue, reference must be made to the judgment of the National Court (SAN) of October 29, 2024, Rec. 1824/2021, which provides that

“…it should be emphasized, in relation to technical and organizational measures, that this is not a merely formal requirement, but rather a material one. In this sense, and in line with the above, as stated in the Supreme Court judgment of February 15, 2022 (Rec. 7359/2020) "It is not enough to design the necessary technical and organizational means; their correct implementation and appropriate use are also necessary, so that the person will also be liable for the lack of due diligence in their use, understood as reasonable diligence considering the circumstances of the case," which does not imply that an obligation of result is required.”

Likewise, it is worth mentioning Constitutional Court ruling 94/1998, of May 4, in which the Constitutional Court stated that we are faced with a fundamental right to data protection, which guarantees the individual control over their data, any personal data, and over its use and purpose, to prevent illicit trafficking of such data or data that is harmful to the dignity and rights of those affected.
In this way, the right to data protection is configured as a right of the citizen to object to certain personal data being used for purposes other than that which justified its acquisition.

In this sense, the risk approach and the flexible risk model imposed by the GDPR—based on the dual configuration of security as a principle related to processing and an obligation for the controller or processor—do not, in any case, impose the infallibility of the measures, but rather their constant adaptation to the risk.

Thus, in the case at hand, it has been established that the delivery of the shipment was carried out without taking into account its own instructions since, as stated in the SMS sent to the complaining party, the shipment could only be collected by the holder of the fusion contract. Throughout this case, it has been established that the delivery was made without confirming who was collecting the shipment, which represents a clear breach of the measures contained in the aforementioned instructions, which were not diligently followed by ZELERIS.

Therefore, this claim must be rejected.

d) volume of deliveries.

ZELERIS wishes to state that, since 1999, the date the company was established, it has not received any privacy complaints, despite the fact that the vast majority of its shipments are to individuals.

This Agency wishes to state that, in this proceeding, it has been proven that there has been a violation of Article 5.1.f) GDPR, although the fact that this is the first data protection violation alleged against it is not a reason for assessment.

2. Regarding the inclusion of the contact telephone number on the label.

ZELERIS presents a series of reasons why it considers it necessary to include the telephone number on the package label. However, what is being assessed in this case and the facts that constitute the violation is that there has been a loss of confidentiality, insofar as an unauthorized person has accessed the complaining party's personal data, which they have no reason to know, due to improper action by ZELERIS, that is, as a result of a package being delivered to an unauthorized third party, without having verified their identity, at an incorrect address, and because its internal protocol clearly indicates that this cannot be done.

ZELERIS also states that the events that led to the opening of the sanctioning procedure occurred in 2022, and considers that the risks existing in that year are no longer the same as they are today. It adds that it makes this statement because it understands that sensitivity to the exposure of personal data was not then what it is today.

In relation to these statements, it should be noted that the violation of Article 5.1.f) of the GDPR in the case at hand, the loss of confidentiality, occurred after the rules already in place were breached by ZELERIS, and is, therefore, undeniable and has been confirmed throughout the sanctioning procedure, as the complainant's personal data has been exposed to third parties. Therefore, this allegation must be rejected.

Furthermore, the GDPR has been fully applicable since May 2018, and from that date, data controllers must comply with the principle of confidentiality. The system of guarantees established by the GDPR cannot be weakened by an alleged "lack of awareness."

Furthermore, ZELERIS presents a list of measures it has been implementing, among which it cites:

i) implemented: inclusion of (…).

(…).

ii) in the process of implementation:

-(…).

-(…).

In relation to these statements, this Agency wishes to point out that these measures have been adopted and communicated to this Agency in the allegations to the proposed resolution on January 16, 2025, which means that they have been adopted or are in the process of being implemented after the initiation of the sanctioning procedure, the initiation agreement for which was notified on February 12, 2024. Therefore, for all purposes, the infringement has occurred. A different question is whether, in view of the measures adopted by the respondent, this Agency proceeds to order measures within the framework of Article 58.2.d) of the GDPR.

II. ON THE LEGAL GROUNDS.

First. Regarding the alleged infringement committed by ZELERIS: lack of typicality, unlawfulness, and culpability.

Regarding this allegation, it should be noted that it was already addressed in section 2 of the response to the allegations in the initiation agreement, to which we refer, and therefore, this allegation must be rejected.

Second. Breach of the principle of proportionality in sanctions.

ZELERIS's reasons for considering that the principle of proportionality has been violated are the following:

i) this is the first sanctioning procedure since 1999.

ii) the proportion of the volume of shipments in a year and the number of complaints for privacy violations demonstrate that the security measures implemented are effective.

iii) the exposed data affected only one person, and occurred in (...).

iv) ZELERIS has adopted the appropriate measures to reduce the risk of data being exposed in the event of an incident.

Regarding the breach of the principle of proportionality, it should be noted that this was addressed in the response to the allegations regarding the initiation agreement, in section 4, to which we refer, so this allegation cannot be taken into account.

Third. Regarding the criteria for graduating the sanction.

ZELERIS expresses its disagreement with the application of the following aggravating factors.

i) The nature, severity, and duration of the violation, as reiterated in the allegations presented to the initiation agreement, and also requests this Agency to assess all the circumstances outlined, as this is a one-off, isolated error, in which no harm would have been caused to the complaining party, and the personal data was minimally disseminated.

Regarding these statements, it should be noted that they were already analyzed in the response to the allegations to the initiation agreement, section 3, to which we refer.

However, regarding the statement that no harm was caused to the complainant and that the personal data was minimally disseminated, it should be noted that it cannot be stated that the complainant has not suffered any harm, given that the shipment of which he was the recipient never reached him, and furthermore, the fact that the dissemination of his personal data was "minimal," as ZELERIS claims, cannot be taken into consideration, given that the breach of confidentiality existed when personal data was provided to a neighbor, with whom, furthermore, according to the complainant, he has a poor relationship. Therefore, this allegation cannot be taken into account.

ii) Intentionality/negligence. This question has already been answered in the response to the allegations in the initiation agreement, section 3, to which we refer, and this allegation must be rejected.

iii) the connection between the offender's activity and the processing of personal data.

Regarding this aggravating factor, it should be noted that it has already been addressed in the responses to the allegations to the initiation agreement, section 3, to which we refer.

Furthermore, ZELERIS states that, in accordance with the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, adopted by the Article 29 Working Party, the factors provided for in Article 83.2 of the GDPR must be assessed in a combined manner, such that the assessment should be carried out taking into account the number of data subjects along with the potential impact on them. It adds that Recital 75 of the GDPR would rule in the same vein.

In relation to this issue, ZELERIS should remember that Article 83 of the GDPR, referring to the General Conditions for the Imposition of Administrative Fines, states in its section 5:

“5. Violations of the following provisions shall be punishable, in accordance with section 2, by administrative fines of a maximum of EUR 20,000,000 or, in the case of an undertaking, by an amount equivalent to a maximum of 4% of the total global annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7, and 9;”

That is, violations affecting Article 5 GDPR, as in this case, can be sanctioned with an administrative fine of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover for the previous financial year. In this case, the percentage is 0.017%, and considering that the aggravating factors have been duly assessed, this claim must be rejected.

Furthermore, ZELERIS believes that the following mitigating factors should have been taken into account:

a) degree of cooperation with the supervisory authority.

b) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.

These statements were already addressed in the response to the allegations in the initiation agreement, in section 3, to which we refer, and we reject this allegation.

V
Integrity and Confidentiality

Article 5.1.f) “Principles relating to processing” of the GDPR states:

“1. Personal data shall be:
(…)

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by applying appropriate technical or organizational measures (“integrity and confidentiality”).”

In the present case, it is established that the complainant's personal data, in particular his contact telephone number, which his neighbor does not necessarily know, has been improperly disclosed to a third party, insofar as the complainant's personal data appeared on the label of the package to be delivered to the complainant (name, surname, address, and telephone number).

It should be noted that the label contained an error in the lettering of the apartment to which the delivery was to be made, and that this delivery was to be made solely and exclusively to the owner of the fusion line, who is the claimant. This circumstance did not occur. The delivery was made to another person who lives in the same building as the claimant.

Thus, since the package was delivered to a person other than the recipient of the shipment or the owner of the fusion contract, that is, the claimant, this has resulted in a violation of the principle of confidentiality of the claimant's personal data.

Therefore, based on the evidence currently available from the sanctioning procedure, the known facts are considered to constitute an infringement attributable to ZELERIS for violation of Article 5.1.f) of the GDPR.

IV
Classification and qualification of the violation of Article 5.1.f) of the GDPR

The aforementioned violation of Article 5.1.f) of the GDPR entails the commission of the violations classified in Article 83.5 of the GDPR, which, under the heading "General conditions for the imposition of administrative fines," provides:

"Violations of the following provisions shall be punished, in accordance with paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7, and 9; (...)"

For its part, the LOPDGDD, in its Article 71, "Infractions," states that:

“The acts and conduct referred to in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law, constitute infractions.”

For the purposes of the statute of limitations, Article 72 "Very Serious Violations" of the LOPDGDD states:

"1. Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, violations that constitute a substantial violation of the articles mentioned therein, and in particular the following, are considered very serious and will be subject to a three-year statute of limitations:

a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679. (…)"

VI
Penalty for violation of Article 5.1.f) of the GDPR

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for the infringements of this Regulation indicated in paragraphs 4, 9, and 6 shall be effective, proportionate, and dissuasive in each individual case.

2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58(2)(a) to (h) and (j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

a) the nature, gravity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage they have suffered;

b) the intentionality or negligence of the breach;

c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32;

e) any previous breaches committed by the controller or processor;

f) the degree of cooperation with the supervisory authority to remedy the breach and mitigate the potential adverse effects of the breach;

g) the categories of personal data affected by the breach;

h) how the supervisory authority became aware of the breach, in particular whether the controller or processor notified the breach and, if so, to what extent;

i) where the measures indicated in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with such measures;

j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42; and

k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."

For its part, Article 76 "Sanctions and corrective measures" of the LOPDGDD (Organic Law on Data Protection) provides:

"1. The sanctions provided for in paragraphs 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in paragraph 2 of the aforementioned article.

2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuous nature of the infringement.

b) The connection between the offender's activity and the processing of personal data.

c) The benefits obtained as a result of the infringement.

d) The possibility that the affected party's conduct could have led to the infringement.

e) The existence of a merger by absorption process subsequent to the infringement, which cannot be attributed to the acquiring entity.

f) The impact on the rights of minors.

g) The availability of a data protection officer, when not mandatory.

h) Voluntary submission by the controller or processor to alternative dispute resolution mechanisms in cases where there are disputes between them and any interested party."

In the present case, considering the seriousness of the violation, especially considering the consequences its commission has on those affected, a fine must be imposed, in addition to the adoption of measures.

For the purposes of deciding on the imposition of an administrative fine and its amount, it is considered appropriate to grade the sanction to be imposed according to the following circumstances, contemplated in the aforementioned provisions.

- The nature, seriousness, and duration of the violation, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages they have suffered (section a): the personal data of the complaining party, in particular their telephone number, have been disclosed to an unauthorized third party, since ZELERIS delivered a package containing the aforementioned information to the wrong person.

Additionally, the claimant did not receive the requested terminal, as evidenced in the documentation in the file.

- Intentionality/Negligence in the infringement (section b). In this regard, the Supreme Court has held that negligence exists whenever a legal duty of care is disregarded, that is, when the offender fails to behave with the required diligence. In assessing the degree of diligence, the professionalism of the individual must be especially considered. There is no doubt that, in the case under consideration, when the appellant's activity involves constant and extensive handling of personal data, it is necessary to emphasize the rigor and exquisite care required to comply with the legal provisions in this regard. [Judgment of the National Court of 10/17/2007 (rec. 63/2006)].

In this case, there was a lack of due diligence, as the company's own instructions were not followed at the time of delivery.

Furthermore, it is considered appropriate to grade the sanction to be imposed according to the following criteria established in section 2 of article 76 "Sanctions and corrective measures" of the LOPDGDD:

As aggravating factors:

- The connection between the offender's activity and the processing of personal data (section b): ZELERIS, as a result of its business activity (transport and logistics services), routinely and continuously processes the personal data of a large number of data subjects. Carrying out freight transport activities, which is its main activity, necessarily involves the processing of personal data.

Thus, the infringing actions occur within the framework of personal data processing that ZELERIS routinely carries out in its business and is linked to it.

The balance of the circumstances contemplated in Article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infraction committed by violating the provisions of Article 5.1.f of the GDPR, allows for the imposition of a fine of €70,000 (seventy thousand euros).

VII
Security of Processing

Article 32 "Security of Processing" of the GDPR establishes:

"1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which, where appropriate, includes, among others:

a) the pseudonymization and encryption of personal data;

b) the ability to guarantee the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

c) the ability to restore availability and access to personal data quickly in the event of a physical or technical incident;

d) a process for regularly verifying, evaluating, and assessing the effectiveness of the technical and organizational measures to ensure the security of processing.

2. When assessing the adequacy of the security level, particular account shall be taken of the risks posed by data processing, in particular as a result of the accidental or unlawful destruction, loss, or alteration of personal data transmitted, stored, or otherwise processed, or unauthorized communication of or access to such data.

3. Adherence to a code of conduct approved pursuant to Article 40 or a certification mechanism approved pursuant to Article 42 may serve as an element of demonstrating compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and the processor shall take measures to ensure that any person acting under the authority of the controller or the processor who has access to personal data may only process such data on instructions from the controller, unless required to do so by Union or Member State law."

Having reviewed the allegations made by the respondent, and in response to them, the documentation in the administrative file, and that provided by the respondent, it is evident that all the technical and organizational security measures whose absence has been proven directly enabled the personal data breach. In this specific case, however, no violation of Article 32 of the GDPR has occurred, as the absence of other technical and organizational security measures independent of the personal data breach has not been proven.

VIII
Corrective Measures

In accordance with the provisions of the aforementioned Article 58.2 d) of the GDPR, according to which each supervisory authority may "order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period...", ZELERIS is required to notify this Agency within 6 months of the adoption of the following measures:

- Within 6 months, prove the adoption of appropriate technical and organizational measures in accordance with the GDPR to ensure that its delivery personnel do not violate established protocols and do not deliver a package to an unauthorized third party, nor make deliveries without reliably verifying the identity of the person to whom the package is being delivered.

The imposition of these measures is compatible with the sanction of an administrative fine, as provided in Article 83.2 of the GDPR.

Please note that failure to comply with this body's order for measures may be considered an administrative offense under the GDPR, classified as an offense in Articles 83.5 and 83.6. Such conduct may lead to the opening of a subsequent administrative sanctioning procedure.

Furthermore, it is recalled that neither the acknowledgment of the infringement committed, nor, where applicable, the voluntary payment of the proposed amounts, exempts from the obligation to prove compliance with the proposed corrective measures.

Therefore, in accordance with applicable legislation and having assessed the criteria for graduating the sanctions whose existence has been proven, the Presidency of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on TELEFÓNICA SERVICIOS INTEGRALES DE DISTRIBUCIÓN, S.A., with NIF A82261280, for an infringement of Article 5.1.f) of the GDPR, as defined in Article 83.5 of the GDPR, a fine of seventy thousand euros (€70,000).

TO ARCHIVE the proceedings against TELEFÓNICA SERVICIOS INTEGRALES DE DISTRIBUCIÓN, S.A., with NIF A82261280, for an infringement of Article 32 of the GDPR, as defined in Article 83.4 of the GDPR.

SECOND: TO ORDER TELEFÓNICA SERVICIOS INTEGRALES DE DISTRIBUCIÓN, S.A., with NIF A82261280, pursuant to Article 58.2.d) of the GDPR, within 6 months of this resolution becoming final and enforceable, to adopt appropriate technical and organizational measures in accordance with the GDPR to ensure that its delivery drivers do not violate established protocols and do not deliver a package to an unauthorized third party, nor make deliveries without reliably verifying the identity of the person to whom the package is delivered.

THIRD: NOTIFY TELEFÓNICA SERVICIOS INTEGRALES DE DISTRIBUCIÓN, S.A. of this resolution.

FOURTH: This resolution will become enforceable once the deadline for filing an optional appeal for reconsideration expires (one month from the day following notification of this resolution) without the interested party having exercised this right.
The sanctioned party is hereby notified that they must pay the imposed sanction once this resolution becomes enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to Article 62 of Law 58/2003, of December 17, by depositing the fine, indicating the sanctioned party's NIF (Tax Identification Number) and the procedure number listed in the heading of this document, into the restricted account IBAN: ES00-0000-0000-0000-0000-0000, opened in the name of the Spanish Data Protection Agency at the banking institution CAIXABANK, S.A.
Otherwise, collection will be carried out during the enforcement period.

Once the notification has been received and enforced, if the enforcement date is between the 1st and 15th of each month, inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the next business day after, and if it is between the 16th and last day of each month, inclusive, the payment deadline will be the 5th of the second following month or the next business day after.

In accordance with the provisions of Article 50 of the LOPDGDD (Spanish Organic Law on the Protection of Personal Data), this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative process pursuant to Art. 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the President of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of Article 25 and Section 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this decision, as provided for in Article 46.1 of the aforementioned Law.

Finally, it is noted that pursuant to the provisions of Art. 90.3 a) of the LPACAP, a final administrative decision may be provisionally suspended if the interested party expresses their intention to file an administrative appeal.
If this is the case, the interested party must formally notify this fact by means of a written notice addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. They must also forward to the Agency the documentation proving the effective filing of the administrative appeal. If the Agency does not become aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will terminate the provisional suspension.

938-101224

Olga Pérez Sanjuán
The Deputy Director General of Data Inspection, in accordance with Article 48.2 of the LOPDGDD (Spanish Data Protection Act), due to a vacancy in the position of President and Deputy President
