AEPD (Spain) - PS/00280/2022

From GDPRhub
AEPD - PS/00280/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 28(3) GDPR
Article 32 GDPR
Ley 43/2010 del Servicio Postal Universal
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 03.11.2022
Fine: 70000 EUR
Parties: UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC
MEDIA MARKT SATURN ADMINISTRACION ESPAÑA, S.A.
National Case Number/Name: PS/00280/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined UPS €70,000 for leaving a parcel with a neighbour of the data subject without their previous consent, thus unlawfully disclosing the recipient's data to a third person.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject filed a complaint with the Spanish DPA because a courier, United Parcel Service (UPS) (the controller) had delivered a parcel addressed to them to a neighbour without any prior consent.

The courier firstly tried to exclude its responsibility in subjective terms. The controller submitted that there was a contract in place with Media Markt and that they were acting as service providers, following their instructions and acting according to the contract. They also alleged that clause 10 of the contract specified that parcels may be left with neighbours when the addressee cannot be found; and clause 11 specified that it was Media Markt who should inform their customer about the processing of their data.

In its decision, the DPA had to determine who the controller was and what GDPR provisions might have been breached by the incident.

Holding[edit | edit source]

According to the Spanish DPA, with reference to EDPB's Guidelines 07/2020, in order to determine the roles of controllers and processors, what must be taken into account is the actual activity of both of them (i.e., the factual elements or circumstances of the case).

In this case, there was merely a services contract in place between the retailer and the controller. A contract that sets out precise instructions for the processing (i.e., 'the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller'), as per Article 28(3) GDPR, was lacking.

Additionally, the DPA highlighted that such contract should also define the obligation to respect the confidentiality of the data and the measures laid out in Article 32 GDPR. Therefore, as the obligations were not clearly defined, the controller could not qualify as a processor and was responsible for the incident due to actual control over the means of processing the personal data.

The DPA found a breach of Article 5(1)(f) GDPR since the personal data of the data subject were disclosed to a third person without their consent. For this violation, the DPA fined the controller €50,000. The DPA also found a violation of Article 32 GDPR since the controller did not implement the measures necessary to prevent such disclosure. For this violation, the DPA fined the controller €20,000.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/10








     File No.: PS/00280/2022

               RESOLUTION OF PUNISHMENT PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                  BACKGROUND


FIRST: On March 9, 2021, it had entry in this Spanish Agency of
Data Protection (hereinafter AEPD) written claim, submitted by
A.A.A., (hereinafter, claimant) because your personal data has been transferred to a
third party, without your consent.


SECOND: In accordance with the mechanism prior to the admission for processing of the
claims made before the AEPD, provided for in article 65.4 of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), the claim was transferred to
MEDIA MARKT SATURN ADMINISTRATION ESPAÑA, S.A. for him to proceed to
its analysis and respond within a month, which was verified by means of a letter of

date of entry in this Agency of May 28, 2021.

THIRD: On June 7, 2021, after analyzing the documentation that was
in the file, a resolution was issued by the director of the Spanish Agency for
Data Protection, agreeing not to admit the claim for processing.


The resolution was notified to the claimant on June 9, 2021, according to notice of
receipt in the file.

FOURTH: On June 15, 2021, the claimant files an appeal

optional replacement (***EXP.1) through the Electronic Registry of the AEPD,
against the resolution issued in the file ***EXP.2, in which he shows his
disagreement with the contested resolution, explaining that it refers to
facts not stated by him.

Your claim does not refer to the assignment made by MEDIA MARKT,

but the responsibility for that action falls on the delivery company (UNITED
PARCEL SERVICE ESPAÑA LTD AND COMPAÑIA SRC).

He states that his request was delivered to one of the neighbors of the community in which
resides, without prior notice and therefore, without your prior and express consent,

also breaching Law 43/2010 of the Universal Postal Service. Also, it adduces
who exercised the right of opposition, without obtaining any response.

FIFTH: On December 23, 2021, the claim made was sent and the
appeal filed against the delivery company UNITED PARCEL SERVICE ESPAÑA

LTD Y COMPAÑIA SRC within the framework of the provisions of article 118 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations for the purpose of formulating the allegations and
present the documents and supporting documents that he deems appropriate.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/10









The notification of the hearing process occurred on December 23, 2021,
through the Electronic Notifications Service and Authorized Electronic Address,

according to the certificate that appears in the file.

UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC has not formulated
any allegation.

SIXTH: The Director of the Spanish Data Protection Agency resolves:


     Estimate the appeal for reversal (***EXP.1) filed by A.A.A. against
    the resolution of this Agency issued on June 7, 2021.

     Admit to processing the claim made against UNITED PARCEL

    SERVICE ESPAÑA LTD AND COMPAÑIA SRC, in accordance with article 65
    of the LOPDGDD.

SEVENTH: On July 5, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,

of the Common Administrative Procedure of the Public Administrations (in
hereinafter, LPACAP), for the alleged infringement of article 5.1.f) of the RGPD and article
32 of the RGPD, typified in article 83.5 of the RGPD.

EIGHTH: Notification of the aforementioned start-up agreement in accordance with the established rules

in Law 39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP), the respondent filed a written
of allegations in which, in summary, it stated that in the case at hand it is
a service provider that has to fulfill the services agreed with MEDIA
MARKT under the conditions set forth in the contract signed between the two.


In this sense, it should be noted that it acts and proceeds as agreed with MEDIA
MARKT, and in order to guarantee the delivery of the order within the time and form
agreed with MEDIA MARKT, always in favor and in the interest of the complainant.

Clause 10 and 11 of the terms and conditions of the contract that governs them are referred:


( https://www.ups.com/assets/resources/webcontent/es_ES/terms_carriage_es.pdf )

where, on the one hand, the possibility of delivering the package to the neighbor in
absence of the addressee; and on the other, the obligation of the sender of the shipment, in our

MEDIA MARKT case, to duly inform the recipient about the treatment of
your data within the framework of the services offered by the claimed entity.

“10. Delivery


If the receiver is not available, the package can be deposited in the mailbox
postal correspondence from the recipient's address, if deemed appropriate, or
delivered to the neighbor unless the sender has excluded this delivery option
by choosing the applicable additional service. “

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/10









"eleven. Data Protection


11.2. On the other hand, the sender guarantees that he has duly informed the
recipient that UPS may use the personal data of the recipient of
in accordance with the link above for the UPS Privacy Notice in effect at the time of
shipment regarding uses other than those specified in the previous subsection.”

The entity claimed as a supplier of MEDIA MARKT has no proof that

in the specific shipment to the complainant, it would have had to proceed in a way
specific or different from what was agreed with MEDIA MARKT.

Therefore, if the Agency decided not to admit the initial claim filed by the
complainant against MEDIA MARKT in which the complainant expressly referred

to the communication of your data to a third party without your consent, understand this part
which should proceed equally in the case at hand, since the entity
claimed has acted as agreed with its client MEDIA MARKT.

If the Agency agreed not to admit the claim against MEDIA MARKT,
then there can be no reason why this should not happen equally to the entity

claimed.

NINTH: On August 9, 2022, the instructor of the procedure agreed to give
by reproduced for evidentiary purposes the claim filed by A.A.A. and his
documentation, the documents obtained and generated during the admission phase to

processing of the claim, and the report of previous investigation actions that
are part of the procedure ***EXP.1.

Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement of
initiation of the aforementioned sanctioning procedure, presented by UNITED PARCEL

SERVICE ESPAÑA LTD AND COMPAÑIA SRC, and the documentation that they
accompanies.

TENTH: On August 22, 2022, a resolution proposal was formulated,
proposing that the Director of the Spanish Data Protection Agency
sanction UNITED PARCEL SERVICE ESPAÑA LTD AND COMPAÑIA SRC, with NIF

C28328508, for an infringement of article 5.1.f) of the RGPD and for a second
infringement of article 32 of the RGPD, typified respectively in articles 83.5 a)
and 83.4 a) of the RGPD, with a fine of 50,000 euros (fifty thousand euros) and 20,000
euros (twenty thousand euros) respectively.


ELEVENTH: On September 5, 2022, allegations are made to the
resolution proposal by the entity complained against alleging that MEDIA
MARKT was aware of and had contractually agreed that UPS could leave
your packages to the care of a neighbor, as stated in clauses 10 and 11 of
the Terms and Conditions of the contract signed between the claimed entity and MEDIA

MARKT.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/10








In this way, it is MEDIA MARKT itself, as the sender of the product, which
should have excluded the possibility of delivery to a neighbor of the delivery, since UPS
expressly informed him that in the absence of this exclusion this was possible.


Therefore, the respondent entity considers that it has acted in accordance with the
contract signed with MEDIA MARKT, being MEDIA MARKT itself as
data controller who had the obligation to inform the
claimed entity that could not deliver through a neighbor.


In view of everything that has been done, by the Spanish Data Protection Agency
In this proceeding, the following are considered proven facts:

                                 PROVEN FACTS

FIRST: The request made by the claimant was delivered to one of the neighbors

of the community in which you reside, without prior notice and therefore, without your
prior and express consent.

                           FOUNDATIONS OF LAW


                                            Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


                                            II


The principles relating to the processing of personal data are regulated in the
Article 5 of the RGPD where it is established that “personal data will be:

“a) processed in a lawful, loyal and transparent manner in relation to the interested party (“lawfulness,
loyalty and transparency»);


b) collected for specific, explicit and legitimate purposes, and will not be processed
subsequently in a manner incompatible with those purposes; according to article 89,
paragraph 1, the further processing of personal data for archiving purposes in
public interest, scientific and historical research purposes or statistical purposes are not

deemed incompatible with the original purposes ("purpose limitation");

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/10








c) adequate, pertinent and limited to what is necessary in relation to the purposes for which
that are processed ("data minimization");


d) accurate and, if necessary, updated; all measures will be taken
reasonable to eliminate or rectify without delay the personal data that
are inaccurate with respect to the purposes for which they are processed (“accuracy”);

e) kept in a way that allows the identification of the interested parties during
longer than necessary for the purposes of the processing of personal data; the

Personal data may be kept for longer periods provided that it is
processed exclusively for archival purposes in the public interest, research purposes
scientific or historical or statistical purposes, in accordance with Article 89, paragraph 1,
without prejudice to the application of the appropriate technical and organizational measures that
This Regulation is imposed in order to protect the rights and freedoms of the

interested party (“limitation of the retention period”);

f) processed in such a way as to ensure adequate security of the data
including protection against unauthorized or unlawful processing and against
its loss, destruction or accidental damage, through the application of technical measures
or appropriate organizational ("integrity and confidentiality").


The data controller will be responsible for compliance with the provisions of
section 1 and able to demonstrate it (“proactive responsibility”).”

Article 72.1 a) of the LOPDGDD states that “according to what is established in the

article 83.5 of Regulation (EU) 2016/679 are considered very serious and will prescribe
after three years the infractions that suppose a substantial violation of the
articles mentioned therein and, in particular, the following:

a) The processing of personal data violating the principles and guarantees

established in article 5 of Regulation (EU) 2016/679”.

                                            III

Security in the processing of personal data is regulated in article 32 of the
RGPD where the following is established:


"1. Taking into account the state of the art, the application costs, and the nature
nature, scope, context and purposes of the treatment, as well as risks of probability
variable and seriousness for the rights and freedoms of natural persons, the responsible
The controller and the data processor will apply appropriate technical and organizational measures.
to guarantee a level of security appropriate to the risk, which, where appropriate, includes

yeah, among others:
a) pseudonymization and encryption of personal data;

b) the ability to ensure confidentiality, integrity, availability and resilience
permanent treatment systems and services;

c) the ability to restore the availability and access to the personal data of
quickly in the event of a physical or technical incident;


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/10








d) a process of regular verification, evaluation and assessment of the effectiveness of the
technical and organizational measures to guarantee the security of the treatment.


2. When evaluating the adequacy of the security level, particular account shall be taken
ta the risks that the treatment of data presents, in particular as a consequence
of the accidental or unlawful destruction, loss or alteration of personal data transmitted
stored, stored or otherwise processed, or unauthorized communication or access

two to said data.

3. Adherence to a code of conduct approved under article 40 or to a mechanism
certification body approved under article 42 may serve as an element for
demonstrate compliance with the requirements established in section 1 of this
Article.


4. The person in charge and the person in charge of the treatment will take measures to guarantee that
Any person acting under the authority of the person in charge or the person in charge and having
access to personal data can only process said data following instructions
of the person in charge, unless it is obliged to do so by virtue of Union Law or

member states.”

Article 73.f) of the LOPDGDD, under the heading "Infringements considered serious
has:


“According to article 83.4 of Regulation (EU) 2016/679, they will be considered serious and
Infractions that suppose a substantial violation will prescribe after two years.
of the articles mentioned therein, and in particular the following:

f) The lack of adoption of those technical and organizational measures that result
appropriate to guarantee a level of security appropriate to the risk of the treatment,

in the terms required by article 32.1 of Regulation (EU) 2016/679

                                           IV

It is considered that the claimed party has transferred the data of the claimant to a third party,

without your consent.

According to Guidelines 07/2020 of the European Committee for Data Protection (CEPD)
on the concepts of data controller and manager in the RGPD, the
concepts of person in charge and person in charge are functional and have to be assigned

taking into account the actual activities of each. must be analyzed in each case.
the legal relationship established between the parties.

In this specific case, the respondent has provided the terms and conditions that
govern the contract signed with MEDIA MARKT to claim that it has acted in
in accordance with said contract for the provision of services, according to which it must be

MEDIA MARKT who requests the consent of his client when he requests the
product delivery service by courier. However, UPS has not credited
meet the necessary requirements to be considered in charge of the
treatment, since it has not been proven that MEDIA MARK and UPS have signed
the contract that must govern the relations between the person in charge and the person in charge of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/10








processing of personal data as established in article 28.3 of the RGPD
where the precise instructions for the processing of personal data are detailed
given by the person in charge.


In this sense, it should be noted that article 28.3 b) and c) of the RGPD, regarding the
responsible for the processing of personal data establishes the following:

“The treatment by the person in charge will be governed by a contract (…) that binds the
manager with respect to the person in charge.


Said contract or legal act shall stipulate, in particular, that the person in charge:

b) will guarantee that the persons authorized to process personal data have
committed to respecting confidentiality or are subject to an obligation of

confidentiality of a statutory nature;

c) take all necessary measures in accordance with article 32;

Therefore, the fact of having signed a contract with MEDIA MARKT does not

exempt UPS from liability, in this case the claimed company, because it was not
has specified whether we are dealing with a service contract or a contract entered into
between the controller and the controller of personal data, being in this
second case, it is compulsory to comply with all the guarantees required
in accordance with article 28 of the RGPD.


Thus, the known facts constitute an infraction, attributable to the
claimed party, for violation of precept 5.1 f) of the RGPD, in accordance with the
established in the foundation of law II.

This Agency also considers that we are facing a violation of the

article 32 of the RGPD, since the security measures of the claimed entity do not
are adequate and must be improved after it has been verified that they have not
have been sufficient to prevent the events denounced.

For all these reasons, this Agency considers that the claimed entity has infringed the

articles 5.1 f) and 32 of the RGPD, by violating the principle of integrity and confidentiality, as well
such as not adopting the necessary security measures to guarantee the protection of
the personal data of its clients.

                                           v


Article 58.2 of the RGPD provides the following: "Each control authority will have
of all the following corrective powers indicated below:

d) order the person in charge or in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,

in a certain way and within a specified period;




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/10








i) impose an administrative fine under article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;


                                          SAW

The infringement of article 5.1 f) of the RGPD, can be sanctioned with a fine of 20,000
€000 maximum or, in the case of a company, an amount equivalent to 4%
as a maximum of the overall annual total turnover of the financial year

above, opting for the highest amount, in accordance with article 83.5 of the
GDPR.

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
following criteria established by article 83.2 of the RGPD, considering as

aggravating circumstance according to article 76.2 b) LOPDGDD, the relationship of the person responsible with the
treatment of personal data.

                                          7th

The infringement of article 32 of the RGPD can be sanctioned with a fine of 10,000,000

€ maximum or, in the case of a company, an amount equivalent to 2%
as a maximum of the overall annual total turnover of the financial year
above, opting for the highest amount, in accordance with article 83.4 of the
GDPR.


Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
following criteria established by article 83.2 of the RGPD, considering as
aggravating circumstance according to article 76.2 b) LOPDGDD, the relationship of the person responsible with the
treatment of personal data.


                                         viii


In accordance with the precepts transcribed, in order to set the amount of the fines to
impose, they are considered concurrent in the present case, for both infractions, in
aggravating quality, the following factors:


     Linking the activity of the offender with the performance of
    personal data processing.

In view of the foregoing, the following is issued


                                         viii

Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduation of sanctions whose existence has been proven,


the Director of the Spanish Data Protection Agency RESOLVES:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/10








FIRST: IMPOSE UNITED PARCEL SERVICE ESPAÑA LTD AND COMPANY
SRC, with NIF C28328508, for an infringement of article 5.1.f) of the RGPD, typified in
Article 83.5 of the RGPD, a fine of 50,000 euros (FIFTY THOUSAND euros).


SECOND: IMPOSE UNITED PARCEL SERVICE ESPAÑA LTD AND COMPANY
SRC, with NIF C28328508, for an infringement of article 32 of the RGPD, typified in the
article 83.4 of the RGPD, a fine of 20,000 euros (TWENTY THOUSAND euros).

THIRD: NOTIFY this resolution to UNITED PARCEL SERVICE

SPAIN LTD AND COMPANY SRC.

FOURTH: Warn the sanctioned party that he must make the imposed sanction effective once
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure

Common Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, through its entry, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency

Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case
Otherwise, it will be collected in the executive period.

Received the notification and once executed, if the date of execution is
between the 1st and 15th of each month, both inclusive, the term to make the payment

voluntary will be until the 20th day of the following month or immediately after, and if
between the 16th and last day of each month, both inclusive, the payment term
It will be until the 5th of the second following month or immediately after.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month from

counting from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the

day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the

The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact by
writing addressed to the Spanish Agency for Data Protection, presenting it through
Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/10










web/], or through any of the other registers provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-

administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would end the precautionary suspension.


                                                                                  938-120722
Sea Spain Marti
Director of the Spanish Data Protection Agency























































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es