The Spanish Data Protection Agency sanctions UPS for having delivered a package to the addressee's neighbour
On 3 November 2022, the Spanish Data Protection Agency (Agencia Española de Protección de Datos, "AEPD") published a decision in which it agreed to sanction United Parcel Service España LTD y Compañía SRC ("UPS") with a fine of 70,000 euros for having delivered a package of a Media Markt customer to his neighbour, as the customer was not at home at the time of delivery.
The dispute commenced with a claim filed by a Media Markt customer because UPS had delivered a package addressed to him to one of his neighbours without prior notice and without his consent. Initially, the AEPD believed that the claim concerned the disclosure of data by Media Markt and, after analysing the documentation, decided not to admit the claim. The claimant lodged an appeal against this decision, clarifying that his claim did not refer to a disclosure made by Media Markt but to one made by the delivery company UPS, following which the AEPD decided to admit the claim and to commence sanctioning proceedings for the alleged infringement of articles 5.1 f) and 32 of the GDPR.
In the allegations made by UPS during the proceedings, UPS stated that the delivery services of Media Markt products were provided under the conditions set forth in the contract signed between both entities. These conditions envisaged (i) the possibility of delivering the package to the neighbour in the absence of the addressee, unless the sender had excluded such delivery option and (ii) the obligation of the sender, in this case Media Markt, to duly inform the addressee about the processing of his data in the context of the services provided by the respondent. UPS also indicated that, in the case of the delivery to the claimant, it was not aware that it should have proceeded in a specific manner or in one different from that agreed in the Media Markt contract.
In subsequent allegations, UPS indicated that Media Markt was aware of and had contractually accepted that UPS could leave the packages with a neighbour, as this was established in the contract, and that Media Markt itself should have excluded the possibility of delivering the package to the neighbour.
After analysing the allegations made by UPS, the AEPD concluded, firstly, that it had been demonstrated that UPS had disclosed the claimant's data to a third party without his consent.
Secondly, it concluded that, although UPS had submitted the terms and conditions governing the contract signed with Media Markt, it had not demonstrated that the prerequisites to be considered a data processor had been met, since it had not provided proof of the signing of a contract as established in article 28.3 GDPR, which sets forth the instructions for the processing of data provided by the data controller.
Consequently, it concluded that the fact of having signed a contract with Media Markt did not exempt UPS, because it had not specified whether the contract signed was a service contract or a contract between data controller and processor.
In light of the foregoing, the AEPD considered that UPS had infringed articles 5.1 f) and 32 GDPR, by violating the principle of integrity and confidentiality, as well as by failing to adopt the necessary security measures to guarantee the protection of its customer's personal data.
For the infringement of article 5.1 f) GDPR, the AEPD imposed a fine of 50,000 euros and for the infringement of article 32 GDPR, a fine of 20,000 euros. In both cases, the AEPD considered as an aggravating factor "the link between the offender's activity and the processing of personal data".