AEPD (Spain) - PS/00301/2020
|Relevant Law:|Article 5(1)(d) GDPR|
|Parties:|TNT EXPRESS WORLDWIDE SPAIN, S.L.|
|National Case Number/Name:|PS/00301/2020|
|European Case Law Identifier:|n/a|
|Original Source:|AEPD (in ES)|
The Spanish DPA (AEPD) fined a controller €10,000 for issuing an invoice containing incorrect data in violation of the accuracy principle.
English Summary
Facts
A data subject filed a complaint with the Spanish DPA (AEPD) against a company that used incorrect personal data for an invoice. The controller had received an order from the data subject's personal email and with the data subject's own personal data. The delivery address was, however, the address of the company where the data subject worked.
The controller sent an invoice addressed to the company but including the data subject's personal email and information, therefore incorrectly using the provided personal data. The order was private and personal, not a professional order related to the data subject's employer.
The controller then asked the data subject to correct the situation, asking the data subject for information already in possession of the controller.
Holding
The AEPD concluded that the controller had breached the accuracy principle enshrined in Article 5(1)(d) GDPR: the personal data processed was not accurate, and the controller did not take reasonable steps to ensure its accuracy. To rectify the situation, the controller had to ask for the data subject's collaboration, causing the data subject additional trouble.
Therefore, the DPA fined the controller €10,000 for a violation of Article 5(1)(d) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00301/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: On 02/10/2020 a claim of A.A.A. (hereinafter, the claimant) against TNT EXPRESS WORLDWIDE SPAIN, S.L. with CIF B28905784 (hereinafter, the claimed one) was received from the CATALAN AGENCY OF DATA PROTECTION.
The reasons on which the claim is based are that on 01/07/2020 “I access the web *** URL.1 to hire a private courier service. The reservation of the service is made from my private email (*** EMAIL.1) and payment is made with a private VISA card. The collection address (only specified as collection address) is that of the company SATI ENVIROTECH SL, in which I work. The company provides the service correctly. The problem comes a week later, when in the accounting department of my company they receive an invoice from TNT in the name of SATI ENVIROTECH SL, with all the shipping details: my personal email address and the name, address and contact details of the recipient (such as delivery information). The TNT company has associated of its own free will a particular order to a company client account, when the service has been hired at a private level and the company address has only been given as a point of collection, and now, my company has two invoices (the initial wrong one and the rectification of payment) with personal data about me and the recipient and that were provided exclusively to the company. TNT transport company ...”
Along with the claim, it provides ELEVEN FILES, pdf format, extracting as more important:
1) To identify it, with a shipping number ending in 60, name "address ..."
that identifies a document with TNT delivery note number data, nine digits, ending in 60, shipment date *** DATE.1, which appears in the box: sender (sender) "account" with the company data SATI ENVIRO TECH, and contact address: "name and surname of the claimant, telephone: *** TELEPHONE.1 that matches that of the claimant in the claim, and delivery address in someone else's name, with an address. "Shipping date *** DATE.1", merchandise description: "*** DESCRIPTION.1" In the "delivery address" box and "Contact".
2) To identify it, ending in 28, it is an invoice capture *** INVOICE.1, “invoice paid”, “invoice date” 01/22/20, NIF ES *** NIF.1 (is that of the claimant), data of the claimant, delivery note number ending in 60, customer code number *** CODE.1.
3) To identify it: "shipping invoice", contains an email dated 01/30/2020, from a TNT email address to the claimant, in which it indicates “We enclose an invoice *** SHIPPING INVOICE.1 *** SHIPPING.1 with tax data, according to request. Please check and issue the payment by bank transfer to the SANTANDER ES *** ACCOUNT.1.
4) To identify it: “external invoice shipment”, four pages, email dated 02/04/2020. In this email, a TNT employee tells the claimant "we have located her payment with card and canceled the invoice. Initially SATI was billed because when entering the data of the company, the system understood that the shipment was from the company and not personal”. It is preceded by another email dated 02/03, from the claimant to TNT, in which it indicates “it was a shipment that I managed, but it was for someone else, she paid with her card. I could do is look in my mailbox for your own reservation confirmation email. goes and payment of the service. You should have this information too ...” I access the TNT website to hire a collection service.
All the management is done associated with my personal email account, which is the same from which I write. As collection address, I put the address of my company (SATI ENVIROTECH SL) that is a client of yours but it is not who is requesting the service.
- I make the payment and the amount is charged to the card. You come, collect the package and deliver it. So far everything great.
- They contact me from my company's accounting to find out why they have received an invoice that does not correspond to a company shipment. I show them the email of the service reservation, where you see that I am the one who requests it and I am the one who makes the payment. They tell me there is no problem but that I request the subscription invoice to rectify that information.
- After more than a week, you send the invoice for that subscription to the company. Perfect.
- You contact me, asking me to pay you back for the service ...
- I inform you that it has already been paid, as it appears in the header of the invoice that I return. You sent me yourself in that last email ... and today, February 3, almost a month later of the incident ... you ask me to send you the details of the payment made.
- That is, you, at your own risk and expense, have associated a service and an amount to a client who has not requested anything from you. I did not know that you once have a registered address As a customer, you take the liberty of associating a service in which the address matches your client, but not the payment information or the personal email requesting the service, etc.
- In fact, I would like to know what type of treatment you do with personal data, because now in my company they have an invoice that you have sent them with personal information of mine. Do you work based on the provisions of the General Data Protection Law?
Why, if only the collection address matches your customer, but it has been done from a personal email, with a personal and non-company credit card, with information of a private nature (such as the name and address of the recipient) you associate the given to the company SATI ENVIROTECH and you send them an invoice for a service that is not applicable and with private data?
5) To identify it: "external shipping invoice", with three pages, email, claimed, of 01/31/2020 to the claimant: “Please, to locate the payment, you can provide us with the date of the charge to your card and the exact amount? Thank you very much in advance." It is preceded by another of the claimant, dated 01/30/2020, at 1:22 p.m., stating “This invoice was paid at the time of the online reservation of the service. Please, check your payments or modify the text of the email where payment is requested by transfer”, which in turn is preceded by that of the claimed to the claimant dated 01/30/2020, 13:18 indicating “We enclose an invoice *** INVOICE.1 of the shipment *** SHIPPING.1 with tax data, according to request. Please, review and issue the payment by bank transfer to the SANTANDER account ES *** ACCOUNT.1."
6) To identify it: “regarding the shipment”, two pages, email of 01/10/2020 of the claimant to the claimed, stating "I do not have a client account. My data is…” provides your address information, DNI no., telephone and e-mail. It is preceded by a mail of the same day, from the one claimed that indicates “we will contact you regarding the shipment with the delivery note number ending in 60. We have received a request on your part indicating that you be billed for this shipment. Could you please tell us the account number with TNT or if you do not have to provide us with the following information ...” and requests the aforementioned information to create such an account for you.
7) Named: “TNT pickup”. Two pages, email of *** DATE.1 in which it informs that "the collection of your shipment has been requested on *** DATE.1" and the person to whom it will deliver, with the delivery address.
SECOND: In view of the facts reported in the claim and the documents provided by the claimant, on 06/02/2020, the General Subdirectorate for Data Inspection proceeded to transfer the claim to the respondent so that she could report on the facts, although she did not respond within the time limit. The claim was admitted for processing on 09/09/2020.
THIRD: On 11/3/2020, the Director of the AEPD agreed:
"START SANCTIONING PROCEDURE for TNT EXPRESS WORLDWIDE SPAIN, S.L., with CIF B28905784, for the alleged violation of article 5.1.d) of the RGPD, as indicated in article 83.5. a) of the same standard."
"For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations (LPACAP), the penalty that may correspond would be 10,000 euros, without prejudice to what results from the instruction."
FOURTH: The initiation agreement was notified electronically. The file contains a Certificate of 11/14/2020 of the Electronic Notification Service and Authorized Electronic Address of the FNMT-RCM:
“That the Ministry of Economic Affairs and Digital Transformation (through the General Secretariat of Digital Administration) is currently the head of the Service of Electronic Notifications (SNE) and Authorized Electronic Address (DEH) in accordance with Order PRE/878/2010 and Royal Decree 139/2020, of January 28. The provider of said service since June 26, 2015 is the National Mint and Stamp Factory-Royal Mint (FNMT-RCM), according to the Management Commission in force of the Ministry of Finance and Public Administrations.
-Through said service the notification: Reference: *** REFERENCE.
1 Acting Administration: Spanish Agency for Data Protection (AEPD) Owner: TNT EXPRESS WORLDWIDE (SPAIN) SL - B28905784 Subject: "Notification available in the Folder or DEH of the indicated holder" with the following result:
Date of availability: 03/11/2020 20:39:23
Date of automatic rejection: 11/14/2020 00:00:00
Automatic rejection generally occurs after ten calendar days have elapsed since it was made available for access according to paragraph 2, article 43, of the law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations. And in a particular way, after the deadline established by the acting Administration in accordance with the specific legal regulations that may be applicable"
Regarding the initial agreement, no allegations have been received.
FIFTH: On 05/13/2021 a resolution proposal is issued, reading literally:
“That the Director of the Spanish Data Protection Agency sanctions TNT EXPRESS WORLDWIDE SPAIN, S.L., with NIF B28905784, for an infringement of the article 5.1.d) of the GDPR, in accordance with article 83.5 a) of the GDPR, with a fine of 10,000 euros (ten thousand euros)."
Appearing notified on 05/19/2021, no allegations are received against it.
PROVEN FACTS
1) The claimant, on *** DATE.1, hires a private courier service so that merchandise is delivered, for which she accesses the web *** URL.1 and places the order from her private email (*** EMAIL.1) stating that she made the payment with a private VISA card. The collection address of the merchandise to be delivered (only specified as collection address) is that of her company, SATI ENVIROTECH SL, in which she provides services, designating a person for this purpose. The claimant states that the service is provided correctly.
2) A few days later, the claimant states that the accounting department of SATI ENVIROTECH SL receives an invoice from TNT in the name of SATI ENVIROTECH SL, "with all the personal data of the shipment: my personal email address and the name, address and recipient's contact details (such as delivery information)”
3) The claimed, according to documents available to the claimant, delivery notes, manifests, invoices, has the name and surname of the claimant, her address, her email address and NIF, and the day and amount paid by card payment of her order.
4) The claimed sent the invoice to the claimant by e-mail at the time (*** INVOICE.1, “invoice paid”, “invoice date” 01/22/20, claimant's NIF), data of the claimant, shipment number ending in 60, customer code number *** CODE.1.
5) In the emails exchanged between claimant and claimed after the delivery of the merchandise (example 01-30-2020), despite the claimant stating that she paid for the service at the time of the online contract, and after having provided the service delivery of the merchandise, the claimed requests the claimant by email from 01/30/2010 at 1:18 p.m., after sending the invoice therein, that "issue the payment for bank transfer to an account that indicates”, answering to the claimant that the same day of service request, *** DATE.1. In another email, the respondent asks for information on 01/31/2020 to locate the payment.
6) In an email from the claimed to the claimant dated 02/04/2020, he informs her “We have located your card payment and canceled the invoice” “initially SATI ENVIROTECH was billed, because when entering the company data, the system understood that the shipment was of the company and not personal”. It is preceded by another email from the claimant indicating that the delivery service was done associated with her personal email account.
FOUNDATIONS OF LAW
I
The Director of the Spanish Agency for Data Protection, in accordance with the provisions of art. 58.2 of the RGPD and in art. 47 and 48.1 of LOPDGDD.
II
Article 4.2 of the RGPD defines:
"treatment": any operation or set of operations made on personal data or personal data sets, either by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of access authorization, collation or interconnection, limitation, deletion or destruction;"
The data of the claimant, who was the one who contracted, that the claimed had to process in its systems have been associated with the data of the company in which the claimant provided services. According to the complainant, the headquarters of the company was pointed out, to a particular person for the delivery of the merchandise. The defendant assigns an invoice to the company, containing the data of the claimant.
These proven facts suppose the infringement by the claimed of article 5.1.d) that indicates: “the personal data will be:
“d) accurate and, if necessary, updated; all reasonable measures will be taken so that personal data that are inaccurate with regard to the purposes for which they are processed ("accuracy")."
The established obligation concerns the need for the personal data that is collected and processed in any file or any treatment operation to be exact and respond at all times to the current situation of those affected, the person responsible for the treatment being the one responsible for the fulfillment of this obligation.
Issuing the invoice to the company with the claimant's data, when she was the only petitioner, supposes an inaccurate treatment of the claimant's data, giving rise to the claimant having to worry about fixing the situation due to this lack of accuracy with respect to the purposes for which they should be processed.
III
Article 83.5 of the RGPD indicates:
"Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual turnover overall for the previous financial year, opting for the one with the highest amount:
a) the basic principles for the treatment, including the conditions for consent according to articles 5, 6, 7 and 9;"
Among the corrective powers contemplated in article 58 of the RGPD, in its section 2 “i) impose an administrative fine pursuant to article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case."
The LOPDGDD states in its article 72:
"1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following:
a) The processing of personal data violating the principles and guarantees established in Article 5 of Regulation (EU) 2016/679."
IV
The complained party is an entity obliged to communicate electronically with the Administration (art 14.2.a) LPACAP). The initiation agreement contained the necessary elements to make a pronouncement on the claim.
The telematic notification produced has the legal effect of having been rejected, in accordance with article 43 of the LPACAP, practice of notifications through electronic means:
"1. Notifications by electronic means will be made by appearance at the electronic headquarters of the Administration or Acting Body, through the single enabled electronic address or through both systems, as provided by each Administration or Organism.
For the purposes provided in this article, appearance at the electronic headquarters is understood as access by the interested party or their duly identified representative to the content of the notification.
2. Notifications by electronic means shall be understood to have been made at the time access to its content occurs.
When notification by electronic means is mandatory, or has been expressly chosen by the interested party, it will be understood to be rejected when ten calendar days have elapsed from the provision of the notification without its contents being accessed."
V
Regarding the amount of the administrative fine that would be imposed, it is necessary to comply with the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:
“1 Each control authority will guarantee that the imposition of administrative fines in accordance with this article for the infractions of this Regulation indicated in Sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive."
“2 Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute title for the measures contemplated in article 58, section 2, letters a) to h) and j).
When deciding to impose an administrative fine and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person in charge or in charge of the treatment to alleviate the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account the technical or organizational measures that have been applied by virtue of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular if the responsible or the manager notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person in charge or the person in charge in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to certification mechanisms approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the offense."
In relation to section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and corrective measures”, provides:
"2.
In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also may be taken into account:
a) The continuing nature of the offense.
b) The linking of the offender's activity with the performance of personal data processing.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have led to the commission of the infringement.
e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Have, when not mandatory, a data protection officer.
h) The submission by the person in charge or in charge, on a voluntary basis, to mechanisms for alternative conflict resolution, in those cases in which there are controversies between those and any interested party."
Article 83.2.k) of the RGPD concurs, specified in article 76.2 b) of the LOPDGDD, for the usual treatment of personal data of clients that is assumed of a company dedicated to delivery of goods. For this reason, the penalty to be imposed is considered to be 10,000 euros.
Therefore, in accordance with the applicable legislation and the graduation criteria assessed of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE a fine of 10,000 euros to TNT EXPRESS WORLDWIDE SPAIN, S.L., with CIF B28905784, for an infringement of article 5.1.d) of the RGPD, in accordance with article 83.5 a) of the RGPD.
SECOND: NOTIFY this resolution to TNT EXPRESS WORLDWIDE SPAIN, S.L.
THIRD: Warn the sanctioned person that he must enforce the sanction imposed once this resolution is enforceable, in accordance with the provisions of art.
98.1.b) of Law 39/2015, of 1/10, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of General Collection Regulation, approved by Royal Decree 939/2005, of 07/29, in relation to art. 62 of Law 58/2003, of 12/17, by entering it, indicating the NIF of the sanctioned and the procedure number that appears in the heading of this document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the executive period.
Once the notification has been received and once it is executed, if the date of execution is between the days 1 and 15 of each month, both inclusive, the term to make the voluntary payment will be up to the 20th of the following month or the immediately subsequent business day, and if it is between the 16th and last of each month, both inclusive, the payment term will be until the 5th of the second following month or the immediately subsequent business day.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 13 of July, regulating the Contentious-Administrative Jurisdiction, within two months to count from the day after notification of this act, as provided in article 46.1 of the aforementioned Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final administrative resolution may be provisionally suspended if the interested party manifests his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the date following the notification of this resolution, it would terminate the precautionary suspension.
938-131120
Mar España Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es