AEPD (Spain) - PS/00280/2022
|AEPD - PS/00280/2022
|Article 5(1)(f) GDPR
Article 28(3) GDPR
Article 32 GDPR
Ley 43/2010 del Servicio Postal Universal
|UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC
MEDIA MARKT SATURN ADMINISTRACION ESPAÑA, S.A.
|National Case Number/Name:
|European Case Law Identifier:
|AEPD (in ES)
The Spanish DPA fined UPS €70,000 for leaving a parcel with a neighbour of the data subject without their previous consent, thus unlawfully disclosing the recipient's data to a third person.
English Summary[edit | edit source]
Facts[edit | edit source]
A data subject filed a complaint with the Spanish DPA because a courier, United Parcel Service (UPS) (the controller) had delivered a parcel addressed to them to a neighbour without any prior consent.
The courier firstly tried to exclude its responsibility in subjective terms. The controller submitted that there was a contract in place with Media Markt and that they were acting as service providers, following their instructions and acting according to the contract. They also alleged that clause 10 of the contract specified that parcels may be left with neighbours when the addressee cannot be found; and clause 11 specified that it was Media Markt who should inform their customer about the processing of their data.
In its decision, the DPA had to determine who the controller was and what GDPR provisions might have been breached by the incident.
Holding[edit | edit source]
According to the Spanish DPA, with reference to EDPB's Guidelines 07/2020, in order to determine the roles of controllers and processors, what must be taken into account is the actual activity of both of them (i.e., the factual elements or circumstances of the case).
In this case, there was merely a services contract in place between the retailer and the controller. A contract that sets out precise instructions for the processing (i.e., 'the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller'), as per Article 28(3) GDPR, was lacking.
Additionally, the DPA highlighted that such contract should also define the obligation to respect the confidentiality of the data and the measures laid out in Article 32 GDPR. Therefore, as the obligations were not clearly defined, the controller could not qualify as a processor and was responsible for the incident due to actual control over the means of processing the personal data.
The DPA found a breach of Article 5(1)(f) GDPR since the personal data of the data subject were disclosed to a third person without their consent. For this violation, the DPA fined the controller €50,000. The DPA also found a violation of Article 32 GDPR since the controller did not implement the measures necessary to prevent such disclosure. For this violation, the DPA fined the controller €20,000.
Comment[edit | edit source]
Fun fact: this decision is directly contradicted by a recent decision by the Belgian DPA that considered the delivery of a parcel was not a processing of personal data. Link: https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-181-2022.pdf (in Dutch)
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 File No.: PS/00280/2022 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On March 9, 2021, it had entry in this Spanish Agency of Data Protection (hereinafter AEPD) written claim, submitted by A.A.A., (hereinafter, claimant) because your personal data has been transferred to a third party, without your consent. SECOND: In accordance with the mechanism prior to the admission for processing of the claims made before the AEPD, provided for in article 65.4 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the claim was transferred to MEDIA MARKT SATURN ADMINISTRATION ESPAÑA, S.A. for him to proceed to its analysis and respond within a month, which was verified by means of a letter of date of entry in this Agency of May 28, 2021. THIRD: On June 7, 2021, after analyzing the documentation that was in the file, a resolution was issued by the director of the Spanish Agency for Data Protection, agreeing not to admit the claim for processing. The resolution was notified to the claimant on June 9, 2021, according to notice of receipt in the file. FOURTH: On June 15, 2021, the claimant files an appeal optional replacement (***EXP.1) through the Electronic Registry of the AEPD, against the resolution issued in the file ***EXP.2, in which he shows his disagreement with the contested resolution, explaining that it refers to facts not stated by him. Your claim does not refer to the assignment made by MEDIA MARKT, but the responsibility for that action falls on the delivery company (UNITED PARCEL SERVICE ESPAÑA LTD AND COMPAÑIA SRC). He states that his request was delivered to one of the neighbors of the community in which resides, without prior notice and therefore, without your prior and express consent, also breaching Law 43/2010 of the Universal Postal Service. Also, it adduces who exercised the right of opposition, without obtaining any response. FIFTH: On December 23, 2021, the claim made was sent and the appeal filed against the delivery company UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC within the framework of the provisions of article 118 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations for the purpose of formulating the allegations and present the documents and supporting documents that he deems appropriate. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/10 The notification of the hearing process occurred on December 23, 2021, through the Electronic Notifications Service and Authorized Electronic Address, according to the certificate that appears in the file. UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC has not formulated any allegation. SIXTH: The Director of the Spanish Data Protection Agency resolves: Estimate the appeal for reversal (***EXP.1) filed by A.A.A. against the resolution of this Agency issued on June 7, 2021. Admit to processing the claim made against UNITED PARCEL SERVICE ESPAÑA LTD AND COMPAÑIA SRC, in accordance with article 65 of the LOPDGDD. SEVENTH: On July 5, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (in hereinafter, LPACAP), for the alleged infringement of article 5.1.f) of the RGPD and article 32 of the RGPD, typified in article 83.5 of the RGPD. EIGHTH: Notification of the aforementioned start-up agreement in accordance with the established rules in Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), the respondent filed a written of allegations in which, in summary, it stated that in the case at hand it is a service provider that has to fulfill the services agreed with MEDIA MARKT under the conditions set forth in the contract signed between the two. In this sense, it should be noted that it acts and proceeds as agreed with MEDIA MARKT, and in order to guarantee the delivery of the order within the time and form agreed with MEDIA MARKT, always in favor and in the interest of the complainant. Clause 10 and 11 of the terms and conditions of the contract that governs them are referred: ( https://www.ups.com/assets/resources/webcontent/es_ES/terms_carriage_es.pdf ) where, on the one hand, the possibility of delivering the package to the neighbor in absence of the addressee; and on the other, the obligation of the sender of the shipment, in our MEDIA MARKT case, to duly inform the recipient about the treatment of your data within the framework of the services offered by the claimed entity. “10. Delivery If the receiver is not available, the package can be deposited in the mailbox postal correspondence from the recipient's address, if deemed appropriate, or delivered to the neighbor unless the sender has excluded this delivery option by choosing the applicable additional service. “ C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/10 "eleven. Data Protection 11.2. On the other hand, the sender guarantees that he has duly informed the recipient that UPS may use the personal data of the recipient of in accordance with the link above for the UPS Privacy Notice in effect at the time of shipment regarding uses other than those specified in the previous subsection.” The entity claimed as a supplier of MEDIA MARKT has no proof that in the specific shipment to the complainant, it would have had to proceed in a way specific or different from what was agreed with MEDIA MARKT. Therefore, if the Agency decided not to admit the initial claim filed by the complainant against MEDIA MARKT in which the complainant expressly referred to the communication of your data to a third party without your consent, understand this part which should proceed equally in the case at hand, since the entity claimed has acted as agreed with its client MEDIA MARKT. If the Agency agreed not to admit the claim against MEDIA MARKT, then there can be no reason why this should not happen equally to the entity claimed. NINTH: On August 9, 2022, the instructor of the procedure agreed to give by reproduced for evidentiary purposes the claim filed by A.A.A. and his documentation, the documents obtained and generated during the admission phase to processing of the claim, and the report of previous investigation actions that are part of the procedure ***EXP.1. Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement of initiation of the aforementioned sanctioning procedure, presented by UNITED PARCEL SERVICE ESPAÑA LTD AND COMPAÑIA SRC, and the documentation that they accompanies. TENTH: On August 22, 2022, a resolution proposal was formulated, proposing that the Director of the Spanish Data Protection Agency sanction UNITED PARCEL SERVICE ESPAÑA LTD AND COMPAÑIA SRC, with NIF C28328508, for an infringement of article 5.1.f) of the RGPD and for a second infringement of article 32 of the RGPD, typified respectively in articles 83.5 a) and 83.4 a) of the RGPD, with a fine of 50,000 euros (fifty thousand euros) and 20,000 euros (twenty thousand euros) respectively. ELEVENTH: On September 5, 2022, allegations are made to the resolution proposal by the entity complained against alleging that MEDIA MARKT was aware of and had contractually agreed that UPS could leave your packages to the care of a neighbor, as stated in clauses 10 and 11 of the Terms and Conditions of the contract signed between the claimed entity and MEDIA MARKT. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/10 In this way, it is MEDIA MARKT itself, as the sender of the product, which should have excluded the possibility of delivery to a neighbor of the delivery, since UPS expressly informed him that in the absence of this exclusion this was possible. Therefore, the respondent entity considers that it has acted in accordance with the contract signed with MEDIA MARKT, being MEDIA MARKT itself as data controller who had the obligation to inform the claimed entity that could not deliver through a neighbor. In view of everything that has been done, by the Spanish Data Protection Agency In this proceeding, the following are considered proven facts: PROVEN FACTS FIRST: The request made by the claimant was delivered to one of the neighbors of the community in which you reside, without prior notice and therefore, without your prior and express consent. FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II The principles relating to the processing of personal data are regulated in the Article 5 of the RGPD where it is established that “personal data will be: “a) processed in a lawful, loyal and transparent manner in relation to the interested party (“lawfulness, loyalty and transparency»); b) collected for specific, explicit and legitimate purposes, and will not be processed subsequently in a manner incompatible with those purposes; according to article 89, paragraph 1, the further processing of personal data for archiving purposes in public interest, scientific and historical research purposes or statistical purposes are not deemed incompatible with the original purposes ("purpose limitation"); C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/10 c) adequate, pertinent and limited to what is necessary in relation to the purposes for which that are processed ("data minimization"); d) accurate and, if necessary, updated; all measures will be taken reasonable to eliminate or rectify without delay the personal data that are inaccurate with respect to the purposes for which they are processed (“accuracy”); e) kept in a way that allows the identification of the interested parties during longer than necessary for the purposes of the processing of personal data; the Personal data may be kept for longer periods provided that it is processed exclusively for archival purposes in the public interest, research purposes scientific or historical or statistical purposes, in accordance with Article 89, paragraph 1, without prejudice to the application of the appropriate technical and organizational measures that This Regulation is imposed in order to protect the rights and freedoms of the interested party (“limitation of the retention period”); f) processed in such a way as to ensure adequate security of the data including protection against unauthorized or unlawful processing and against its loss, destruction or accidental damage, through the application of technical measures or appropriate organizational ("integrity and confidentiality"). The data controller will be responsible for compliance with the provisions of section 1 and able to demonstrate it (“proactive responsibility”).” Article 72.1 a) of the LOPDGDD states that “according to what is established in the article 83.5 of Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679”. III Security in the processing of personal data is regulated in article 32 of the RGPD where the following is established: "1. Taking into account the state of the art, the application costs, and the nature nature, scope, context and purposes of the treatment, as well as risks of probability variable and seriousness for the rights and freedoms of natural persons, the responsible The controller and the data processor will apply appropriate technical and organizational measures. to guarantee a level of security appropriate to the risk, which, where appropriate, includes yeah, among others: a) pseudonymization and encryption of personal data; b) the ability to ensure confidentiality, integrity, availability and resilience permanent treatment systems and services; c) the ability to restore the availability and access to the personal data of quickly in the event of a physical or technical incident; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/10 d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular account shall be taken ta the risks that the treatment of data presents, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted stored, stored or otherwise processed, or unauthorized communication or access two to said data. 3. Adherence to a code of conduct approved under article 40 or to a mechanism certification body approved under article 42 may serve as an element for demonstrate compliance with the requirements established in section 1 of this Article. 4. The person in charge and the person in charge of the treatment will take measures to guarantee that Any person acting under the authority of the person in charge or the person in charge and having access to personal data can only process said data following instructions of the person in charge, unless it is obliged to do so by virtue of Union Law or member states.” Article 73.f) of the LOPDGDD, under the heading "Infringements considered serious has: “According to article 83.4 of Regulation (EU) 2016/679, they will be considered serious and Infractions that suppose a substantial violation will prescribe after two years. of the articles mentioned therein, and in particular the following: f) The lack of adoption of those technical and organizational measures that result appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of Regulation (EU) 2016/679 IV It is considered that the claimed party has transferred the data of the claimant to a third party, without your consent. According to Guidelines 07/2020 of the European Committee for Data Protection (CEPD) on the concepts of data controller and manager in the RGPD, the concepts of person in charge and person in charge are functional and have to be assigned taking into account the actual activities of each. must be analyzed in each case. the legal relationship established between the parties. In this specific case, the respondent has provided the terms and conditions that govern the contract signed with MEDIA MARKT to claim that it has acted in in accordance with said contract for the provision of services, according to which it must be MEDIA MARKT who requests the consent of his client when he requests the product delivery service by courier. However, UPS has not credited meet the necessary requirements to be considered in charge of the treatment, since it has not been proven that MEDIA MARK and UPS have signed the contract that must govern the relations between the person in charge and the person in charge of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/10 processing of personal data as established in article 28.3 of the RGPD where the precise instructions for the processing of personal data are detailed given by the person in charge. In this sense, it should be noted that article 28.3 b) and c) of the RGPD, regarding the responsible for the processing of personal data establishes the following: “The treatment by the person in charge will be governed by a contract (…) that binds the manager with respect to the person in charge. Said contract or legal act shall stipulate, in particular, that the person in charge: b) will guarantee that the persons authorized to process personal data have committed to respecting confidentiality or are subject to an obligation of confidentiality of a statutory nature; c) take all necessary measures in accordance with article 32; Therefore, the fact of having signed a contract with MEDIA MARKT does not exempt UPS from liability, in this case the claimed company, because it was not has specified whether we are dealing with a service contract or a contract entered into between the controller and the controller of personal data, being in this second case, it is compulsory to comply with all the guarantees required in accordance with article 28 of the RGPD. Thus, the known facts constitute an infraction, attributable to the claimed party, for violation of precept 5.1 f) of the RGPD, in accordance with the established in the foundation of law II. This Agency also considers that we are facing a violation of the article 32 of the RGPD, since the security measures of the claimed entity do not are adequate and must be improved after it has been verified that they have not have been sufficient to prevent the events denounced. For all these reasons, this Agency considers that the claimed entity has infringed the articles 5.1 f) and 32 of the RGPD, by violating the principle of integrity and confidentiality, as well such as not adopting the necessary security measures to guarantee the protection of the personal data of its clients. v Article 58.2 of the RGPD provides the following: "Each control authority will have of all the following corrective powers indicated below: d) order the person in charge or in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/10 i) impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular; SAW The infringement of article 5.1 f) of the RGPD, can be sanctioned with a fine of 20,000 €000 maximum or, in the case of a company, an amount equivalent to 4% as a maximum of the overall annual total turnover of the financial year above, opting for the highest amount, in accordance with article 83.5 of the GDPR. Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD, considering as aggravating circumstance according to article 76.2 b) LOPDGDD, the relationship of the person responsible with the treatment of personal data. 7th The infringement of article 32 of the RGPD can be sanctioned with a fine of 10,000,000 € maximum or, in the case of a company, an amount equivalent to 2% as a maximum of the overall annual total turnover of the financial year above, opting for the highest amount, in accordance with article 83.4 of the GDPR. Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD, considering as aggravating circumstance according to article 76.2 b) LOPDGDD, the relationship of the person responsible with the treatment of personal data. viii In accordance with the precepts transcribed, in order to set the amount of the fines to impose, they are considered concurrent in the present case, for both infractions, in aggravating quality, the following factors: Linking the activity of the offender with the performance of personal data processing. In view of the foregoing, the following is issued viii Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/10 FIRST: IMPOSE UNITED PARCEL SERVICE ESPAÑA LTD AND COMPANY SRC, with NIF C28328508, for an infringement of article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, a fine of 50,000 euros (FIFTY THOUSAND euros). SECOND: IMPOSE UNITED PARCEL SERVICE ESPAÑA LTD AND COMPANY SRC, with NIF C28328508, for an infringement of article 32 of the RGPD, typified in the article 83.4 of the RGPD, a fine of 20,000 euros (TWENTY THOUSAND euros). THIRD: NOTIFY this resolution to UNITED PARCEL SERVICE SPAIN LTD AND COMPANY SRC. FOURTH: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/10 web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. 938-120722 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es