AEPD (Spain) - PS/00301/2020

From GDPRhub
AEPD (Spain) - PS/00301/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(d) GDPR
Type: Complaint
Outcome: Upheld
Decided: 17.06.2021
Published: 22.06.2021
Fine: 10000 EUR
Parties: TNT EXPRESS WORLDWIDE SPAIN, S.L.
National Case Number/Name: PS/00301/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) fined a controller €10,000 for issuing an invoice containing incorrect data in violation of the accuracy principle.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject filed a complaint with the Spanish DPA (AEPD) against a company that used incorrect personal data for an invoice. The controller had received an order from the data subject's personal email and with the data subject's own personal data. The delivery address was, however, the address of the company where the data subject worked.

The controller sent an invoice addressed to the company but including the data subject's personal email and information, therefore incorrectly using the provided personal data. The order was private and personal, not professional and thus related to their employer.

The controller then asked the data subject to correct the situation, asking the data subject for information already in possession of the controller.

Holding[edit | edit source]

The AEPD concluded that the controller had breached the accuracy principle enshrined in Article 5(1)(d) GDPR, since the personal data processed was not accurate, and the controller did not take reasonable steps to ensure the accuracy of the data, since the controller had to ask for the data subject's collaboration, causing additional trouble to the data subject, in order to rectify the situation.

Therefore, the DPA fined the controller €10,000 for a violation of Article 5(1)(d) GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/9










     Procedure No.: PS / 00301/2020


                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the
following



                                  BACKGROUND

FIRST: On 02/10/2020 he had an entry, from the CATALAN AGENCY OF
DATA PROTECTION, claim of A.A.A. (hereinafter, the claimant) against TNT

EXPRESS WORLDWIDE SPAIN, S.L. with CIF B28905784 (hereinafter, the claimed one).

The reasons on which the claim is based are that on 01/07/2020 “I access the web *** URL.1
to hire a private courier service. The reservation of the service is made from me
private email (*** EMAIL.1) and payment is made with a private VISA card. The direction

collection (only specified as collection address) is that of the company SATI
ENVIROTECH SL, in which I work. The company provides the service correctly. The
problem comes a week, when in the accounting department of my company
they receive an invoice from TNT in the name of SATI ENVIROTECH SL, with all the data
shipping details: my personal email address and the name, address and details of

recipient's contact (such as delivery information). The TNT company has associated for
of your own free will a particular order to a company client account, when the service has
been hired at a private level and the company address has only been given as a point of
collection, and now, my company has two invoices (the initial wrong and the rectification of payment)
with personal data about me and the recipient and that were provided exclusively to the company.
TNT transport company ... "


Along with the claim, it provides ELEVEN FILES, pdf format, extracting as more
important:

1) To identify it, with a shipping number ending in 60, name "address ..." that identifies

a document with TNT delivery note number data, nine digits, ending in 60, fe-
cha shipment *** DATE.1, which appears in the box: sender (sender) "account" with the
company data SATI ENVIRO TECH, and contact address: "name and surname of the re
claimant, telephone: *** TELEPHONE. 1 that matches that of the claimant in the claim,
and delivery address in someone else's name, with an address. "Shipping date *** FE-

CHA.1 ”, merchandise description:“ *** DESCRIPTION.1 ”In the“ delivery address ”box and
"Contact" .


2) To identify it, ending in 28, it is an invoice capture *** INVOICE.1, “invoice pa-
gada ”,“ invoice date ”01/22/20, NIF ES *** NIF.1 (is that of the claimant), data of the claim-

te, delivery note number ending in 60, customer code number *** CODE. 1.

3) To identify it: "shipping invoice", contains an email dated 01/30/2020, from a
TNT email address to the claimant, in which it indicates “We enclose an invoice

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/9








*** SHIPPING INVOICE.1 *** SHIPPING.1 with tax data, according to request. Please check and
issue the payment by bank transfer to the SANTANDER ES *** ACCOUNT. 1.


4) To identify it: “external invoice shipment”, four pages, email dated 02/04/2020. On
this email, a TNT employee tells the claimant "we have located her payment with
card and canceled the invoice. Initially SATI was billed because when entering the data of the
company, the system understood that the shipment was from the company and not personal ”. It has as an-
There is another email dated 02/03, from the claimant to TNT, in which it indicates “it was a shipment that
I managed, but it was for someone else, she paid with her card.

I could do is look in my mailbox for your own reservation confirmation email.
goes and payment of the service. You should have this information too ... ”I access the
TNT website to hire a collection service. All the management is done associated with me
personal email account, which is the same from which I write. How did you-
garbage collection, I put the address of my company (SATI ENVIROTECH SL) that is a client

yours but it is not who is requesting the service.
- I make the payment and the amount is charged to the card. You come, collect the package and deliver it.
So far everything great.
- They contact me from my company's accounting to find out why they have received an invoice.
ra that does not correspond to a company shipment. I show them the email of the service reservation
cio, where do you see that I am the one who requests it and I am the one who makes the payment. They tell me no

There is a problem but that I request the subscription invoice to rectify that information.
- After more than a week, you send the invoice for that subscription to the company. Perfect.
- You contact me, asking me to pay you back for the service ...
- I inform you that it has already been paid, as it appears in the header of the invoice that I return.
You sent me yourself in that last email ... and today, February 3, almost a month later

of the incident ... you ask me to send you the details of the payment made.
-That is, you, at your own risk and expense, have associated a service and an amount to a
client who has not requested anything from you. I did not know that you once have a registered address
As a customer, you take the liberty of associating a service in which the address matches
your client, but not the payment information or the personal email requesting the service, etc.

-In fact, I would like to know what type of treatment you do with personal data, because
now in my company they have an invoice that you have sent them with personal information
sonal mine. Do you work based on the provisions of the General Data Protection Law?
Why, if only the collection address matches your customer, but it has been done
of a personal email, with a personal and non-company credit card, with an information
mation of a private nature (such as the name and address of the recipient) you associate the

given to the company SATI ENVIROTECH and you send them an invoice for a service that is not applicable
and with private data?

5) To identify it: "external shipping invoice", with three pages, email, claimed, of
01/31/2020 to the claimant: ”Please, to locate the payment, you can provide us with the date of the

charge to your card and the exact amount? " Thank you very much in advance." It is preceded by another of the
claimant, dated 01/30/2020, at 1:22 p.m., stating “This invoice was paid at the time of
the online reservation of the service. Please, check your payments or modify the text of the email
where payment is requested by transfer ”, which in turn is preceded by that of the claimed to
the claimant dated 01/30/2020, 13, 18 indicating “We enclose an invoice *** INVOICE.1 of the en-

vío *** SHIPPING.1 with tax data, according to request.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/9








Please, review and issue the payment by bank transfer to the SANTANDER account
IT *** ACCOUNT.1. "


6) To identify it: “regarding the shipment”, two pages, email of 01/10/2020 of the re-
Claimant to the claimed, Manifests "I do not have a client account. My data is… ”provides
your address information, DNI no. telephone and e-mail. It is preceded by a mail of the same day, from
the one claimed that indicates “we will contact you regarding the shipment with the delivery note number here.
bado del 60. We have received a request for your part indicating that you are that you
be billed for this shipment. Could you please tell us the account number with TNT or

if you do not have to provide us with the following information ... ”and requests the aforementioned information to
create such an account for you.


7) Named: “TNT pickup”. Two pages, email of *** DATE.1 in which you

informs that "the collection of your shipment has been requested on *** DATE.1" and the person to whom
will deliver, with the delivery address

SECOND: In view of the facts reported in the claim and the documents
provided by the claimant, on 06/02/2020, the General Subdirectorate for Data Inspection
proceeded to transfer the claim to the respondent so that she could report on the facts, if

well after the time did not respond.

       The claim was admitted for processing on 09/09/2020.

THIRD: On 11/3/2020, the Director of the AEPD agreed:



         "START SANCTIONING PROCEDURE for TNT EXPRESS WORLDWIDE
 SPAIN, S.L., with CIF B28905784, for the alleged violation of article 5.1.d) of the RGPD,
 as indicated in article 83.5. a) of the same standard. "


         "For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, of the
 Common Administrative Procedure of Public Administrations (LPACAP), the
 The penalty that may correspond would be 10,000 euros, without prejudice to what results from the
 instruction."


 FOURTH: The initiation agreement was notified electronically. Figure in the file
 Certificate of 11/14/2020 of Electronic Notification Services and Address
 Certified Electronics of the FNMT-RCM:

 “That the Ministry of Economic Affairs and Digital Transformation (through the

 General Secretariat of Digital Administration) is currently the head of the Service of
 Electronic Notifications (SNE) and Authorized Electronic Address (DEH) in accordance with
 Order PRE / 878/2010 and Royal Decree 139/2020, of January 28. The provider of said
 service since June 26, 2015 is the National Mint and Stamp Factory-Real Casa
 of the Currency (FNMT-RCM), according to the Management Commission in force of the Ministry of

 Finance and Public Administrations. -Through said service the
 notification: Reference: *** REFERENCE. 1 Acting Administration: Spanish Agency for
 Data Protection (AEPD) Owner: TNT EXPRESS WORLDWIDE (SPAIN) SL -
 B28905784 Subject: "Notification available in the Folder or DEH of the indicated holder" with the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/9








 following result: Date of availability: 03/11/2020 20:39:23 Date of rejection
 automatic: 11/14/2020 00:00:00 Automatic rejection generally occurs after
 ten calendar days have elapsed since it was made available for access according to

 paragraph 2, article 43, of the law 39/2015, of October 1, of the Administrative Procedure
 Common of Public Administrations. And in a particular way, after the deadline
 established by the acting Administration in accordance with the specific legal regulations that
 be applicable "

 Regarding the initial agreement, no allegations have been received.


FIFTH: On 05/13/2021 a resolution proposal of the literal is issued:

       “That the Director of the Spanish Data Protection Agency sanctions
TNT EXPRESS WORLDWIDE SPAIN, S.L., with NIF B28905784, for an infringement of the

article 5.1.d) of the GDPR, in accordance with article 83.5 a) of the GDPR, with a fine
of 10,000 euros (ten honey euros). "

       Appearing notified on 05/19/2021, no allegations are received against it.

                                PROVEN FACTS


 1) The claimant, on *** DATE 1, hires a private courier service so that
merchandise is delivered, for which you access the web *** URL.1 and place the order from
your private email (*** EMAIL.1) stating that you made the payment with a VISA card
particular. The collection address of the merchandise to be delivered (only specified

as collection address) is that of your company, SATI ENVIROTECH SL, in which it provides
services, designating a person for this purpose. The claimant states that the service is
lent correctly.



 2) A few days later, the claimant states that SATI's accounting department
ENVIROTECH SL, receives an invoice from TNT in the name of SATI ENVIROTECH SL, "with
all the personal data of the shipment: my personal email address and the name, address and
recipient's contact details (such as delivery information ”)

 3) The claimed, according to documents available to the claimant, delivery notes, manifests,

invoices, it has the name and surname of the claimant, her address, her email address
electronic and NIF, and the day and amount paid by card payment of your order.

 4) The complainant sent the invoice to the complainant by e-mail at the time
*** INVOICE.1, “invoice paid”, “invoice date” 01/22/20, claimant's NIF), data of the

claimant, shipment number ending in 60, customer code number *** CODE. 1.

 5) In the emails exchanged between claimant and claimed after the
delivery of the merchandise (example 01-30-2020), despite the claimant stating that
paid for the service at the time of the online contract, and after having provided the service

delivery of the merchandise, the complainant requests the complainant by email from
01/30/2010 at 1:18 p.m., after sending the invoice therein, that "issue the payment for
bank transfer to an account that indicates ”, answering to the claimant that the


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/9








same day of service request, *** DATE. 1. In another email, the respondent asks for information
on 01/31/2020 to locate the payment.


  6) In an email from the claimed to the claimant dated 02/04/2020, he informs her
“We have located your card payment and canceled the invoice” “initially SATI was billed
ENVIROTECH, because when entering the company data, the system understood that the shipment was
of the company and not personal ”. It is preceded by another email from the claimant indicating that the
delivery service did it associated with your personal email account.



                             FOUNDATIONS OF LAW

                                               I


  The Director of the Spanish Agency for
Data Protection, in accordance with the provisions of art. 58.2 of the RGPD and in art.
47 and 48.1 of LOPDGDD.

                                              II


Defines article 4.2 of the RGPD: "treatment": any operation or set of operations

made on personal data or personal data sets, either by
automated procedures or not, such as collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use, communication by
transmission, diffusion or any other form of access authorization, collation or interconnection,
limitation, deletion or destruction; "

The data that the complainant had to process in their systems of the complainant, who was the one who
contracted, have been associated with the data of the company in which the claimant provided
services. According to the complainant, the headquarters of the company was pointed out, to a particular person
for the delivery of the merchandise. The defendant assigns an invoice to the company, containing

the data of the claimant. These proven facts revealed suppose the
infringement of the claimed of article 5.1.d) that indicates: ”the personal data will be:

  “D) accurate and, if necessary, updated; all reasonable measures will be taken
so that personal data that are inaccurate with
regarding the purposes for which they are processed ("accuracy".

  The established obligation of the need for the personal data that is

collect and process in any file or any treatment operation, be exact and
respond at all times to the current situation of those affected by being responsible for the
treatment who is responsible for the fulfillment of this obligation.

  Issue the invoice to the company with the claimant's data, when she was the only one

petitioner, supposes an inaccurate treatment of the claimant's data, giving rise to
that the claimant had to worry about fixing the situation due to this lack of accuracy
with respect to the purposes for which they should be processed.


                                                  III

Article 83.5 of the RGPD indicates:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/9









 "Violations of the following provisions will be sanctioned, in accordance with the section
2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company

dam, of an amount equivalent to a maximum of 4% of the total annual turnover
overall for the previous financial year, opting for the one with the highest amount:

 a) the basic principles for the treatment, including the conditions for consent-
according to articles 5, 6, 7 and 9; "


Among the corrective powers contemplated in article 58 of the RGPD, in its section 2 “i) im-
impose an administrative fine pursuant to article 83, in addition to or instead of the measures
mentioned in this section, according to the circumstances of each particular case. "


The LOPDGDD states in its article 72:

 1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the following:


 a) The processing of personal data violating the principles and guarantees established in
Article 5 of Regulation (EU) 2016/679. "

                                               IV

The complained party is an entity obliged to communicate electronically with the Administration

electronically (art 14.2.a) LPACAP. The initiation agreement contained the necessary elements
years to make a pronouncement on the claim. The telematic notification produced
cida has the legal effect of having been rejected, in accordance with article 43 of the LPA-
CPAC, practice of notifications through electronic means:

"1. Notifications by electronic means will be made by appearance at the

Electronic headquarters of the Administration or Acting Body, through the address
electronic enabled only one or through both systems, as provided by each Administration
u Organism.

For the purposes provided in this article, it is understood by appearance at the headquarters

electronic data, access by the interested party or their duly identified representative to the
content of the notification.

2. Notifications by electronic means shall be understood to have been made at the time
access to its content occurs.


When notification by electronic means is mandatory, or has been
expressly chosen by the interested party, it will be understood to be rejected when they have
ten calendar days from the provision of the notification without accessing its
contents."

                                                V


Regarding the amount of the administrative fine that would be imposed, there will be

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/9








to comply with the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:

“1 Each control authority will guarantee that the imposition of administrative fines with
in accordance with this article for the infractions of this Regulation indicated in the
Sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. "

“2 Administrative fines will be imposed, depending on the circumstances of each case,
individual, as an additional or substitute title for the measures contemplated in article 58, section
do 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in
each individual case will be duly taken into account:

a) the nature, severity and duration of the offense, taking into account the nature, al-
cance or purpose of the processing operation in question as well as the number of inte-
affected parties and the level of damages they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the person in charge or in charge of the treatment to alleviate the
damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account
ta of the technical or organizational measures that have been applied by virtue of articles 25 and
32;

e) any previous infringement committed by the person in charge or the person in charge of the treatment;

 f) the degree of cooperation with the supervisory authority in order to remedy the infringement
tion and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular if the

responsible or the manager notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, paragraph 2, have been previously ordered-

against the person in charge or the person in charge in relation to the same matter,
compliance with said measures;

j) adherence to codes of conduct under Article 40 or to certification mechanisms
approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as

the financial benefits obtained or the losses avoided, directly or indirectly, through
of the offense. "

In relation to section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions
and corrective measures ”, provides:

"two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also
may be taken into account:
a) The continuing nature of the offense.

b) The linking of the offender's activity with the performance of personal data processing
sonal.

c) The benefits obtained as a result of the commission of the offense.

d) The possibility that the affected person's conduct could have led to the commission of the
infringement.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/9








e) The existence of a merger by absorption process after the commission of the infringement.
This cannot be attributed to the absorbing entity.

f) Affecting the rights of minors.

g) Have, when not mandatory, a data protection officer.
h) The submission by the person in charge or in charge, on a voluntary basis, to mecha-

nisms for alternative conflict resolution, in those cases in which there are conflicts
troversies between those and any interested party. "

Article 83.2.k) of the RGPD concurs, specified in article 76.2 b) of the LOPDGDD,
for the usual treatment of personal data of clients that a company is assumed
dedicated to delivery of goods.

For this reason, the penalty to be imposed is considered to be 10,000 euros.


 Therefore, in accordance with the applicable legislation and the graduation criteria assessed
of the sanctions whose existence has been proven,


 the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE a fine of 10,000 euros to TNT EXPRESS WORLDWIDE SPAIN,
S.L., with CIF B28905784, for an infringement of article 5.1.d) of the RGPD, in accordance with
with article 83.5 a) of the RGPD.


SECOND: NOTIFY this resolution to TNT EXPRESS WORLDWIDE SPAIN, S.L.

THIRD: Warn the sanctioned person that he must enforce the sanction imposed once
that this resolution be enforceable, in accordance with the provisions of art. 98.1.b) of

Law 39/2015, of 1/10, of the Common Administrative Procedure of the Administrations
Public (hereinafter LPACAP), within the voluntary payment period established in art. 68 of
General Collection Regulation, approved by Royal Decree 939/2005, of 07/29, in
relationship with art. 62 of Law 58/2003, of 12/17, by entering it, indicating the NIF of the
sanctioned and the procedure number that appears in the heading of this

document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of
the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A .. In
otherwise, it will be collected in the executive period.

 Once the notification has been received and once it is executed, if the date of execution is between the
days 1 and 15 of each month, both inclusive, the term to make the voluntary payment will be up to

on the 20th of the following or immediately subsequent business month, and if it is between the 16th and
last of each month, both inclusive, the payment term will be until the 5th of the second month
next or immediate after business.

 In accordance with the provisions of article 50 of the LOPDGDD, this Resolution

it will be made public once it has been notified to the interested parties.

 Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties
They may optionally file an appeal for reconsideration before the Director of the Agency

Spanish Data Protection within a period of one month from the day following the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/9








notification of this resolution or directly administrative contentious appeal before the Chamber

of the Contentious-administrative of the National Court, in accordance with the provisions of the
Article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 13 of
July, regulating the Contentious-Administrative Jurisdiction, within two months to
count from the day after notification of this act, as provided in article

46.1 of the aforementioned Law.

  Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, you may
provisionally suspend the final administrative resolution if the interested party manifests

his intention to file a contentious-administrative appeal. If this is the case, the
The interested party must formally communicate this fact by writing to the Agency
Spanish Data Protection, presenting it through the Electronic Registry of the
Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the
remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1.

You must also send the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency is not aware of the
filing of the contentious-administrative appeal within a period of two months from the date
following the notification of this resolution, it would terminate the suspension

precautionary.


                                                                                             938-131120
  Mar Spain Martí
  Director of the Spanish Agency for Data Protection


































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es