Policy, Jun 12, 2026

AEPD (Spain) - PS-00248-2024

Spain's AEPD fines SEUR GEOPOST €205,000 for GDPR violations related to parcel locker use.

Summary

Spain's AEPD has fined SEUR GEOPOST €205,000 for violating GDPR. The company used a third-party parcel locker provider, CITIBOX SMART SERVICES, as a processor without a proper Article 28 GDPR agreement, and also breached confidentiality. The AEPD determined that CITIBOX acted as a processor, not an independent controller, despite the parties' contractual classification.

Full text

AEPD - PS-00248-2024

From GDPRhub. Revision as of 10:13, 12 June 2026.

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 28 GDPR
Type: Complaint
Outcome: Upheld
Started: 11.11.2024
Decided:
Published: 08.06.2026
Fine: 205,000 EUR
Parties: SEUR GEOPOST, S.L.; CITIBOX SMART SERVICES, S.L.
National Case Number/Name: PS-00248-2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: bms

The DPA fined a delivery company €205,000 for using a third-party parcel locker provider as a processor without an Article 28 GDPR agreement and for breaching confidentiality.

English Summary

Facts

The data subject purchased goods on a website and indicated her home address as the delivery address. SEUR GEOPOST, S.L., the controller, was responsible for delivering the parcel. Instead of delivering the parcel to the data subject’s home, an employee of the controller deposited it in a locker operated by CITIBOX SMART SERVICES, S.L., the processor. The processor operated parcel lockers installed in common areas of residential buildings. In order to allow the data subject to collect the parcel, the controller communicated personal data to the processor, including at least the data subject’s telephone number. The processor then sent the data subject an SMS informing her that the parcel had been deposited in the locker and explaining how it could be collected.
The data subject was not registered with the processor and had not previously had any business relationship with it. She opened the locker after a telephone conversation with an employee of the processor, without downloading the processor’s app or registering as a user. The data subject complained to the DPA, arguing that the parcel had been deposited in the processor’s locker without her prior authorisation and that the controller had unlawfully disclosed her personal data to the processor.

The controller and the processor had concluded a service agreement and a data protection addendum. However, these documents classified both companies as independent controllers. They had not entered into a data processing agreement under Article 28 GDPR. The controller argued that the relationship with the processor amounted to a data disclosure between independent controllers, not a processor relationship.

Holding

The DPA upheld the complaint.

First, the DPA assessed the roles of the controller and the processor. It held that the controller determined the purposes and essential means of the processing, namely the delivery of parcels to recipients and the use of the processor’s locker network as part of its delivery operations. The processor merely provided a service to the controller by receiving, keeping and enabling collection of parcels through its lockers. It did not determine its own independent purposes for the processing of the data subject’s personal data in this context. The DPA therefore found that the processor acted as a processor within the meaning of the GDPR. Since the controller had not concluded a data processing agreement meeting the requirements of Article 28 GDPR, the DPA found a breach of Article 28 GDPR. The fact that the parties had contractually described themselves as independent controllers was not decisive, as the classification of the parties must be based on their actual roles and functions under the GDPR.
Second, the DPA found a breach of Article 5(1)(f) GDPR in relation to integrity and confidentiality. The controller was responsible for the delivery of the parcel to the data subject’s home address, but the parcel was instead deposited in the processor’s locker system. The DPA considered that the controller had failed to ensure an appropriate level of confidentiality and control over the processing operation in the specific delivery process. The DPA also examined possible infringements of Articles 6(1) and 32 GDPR, but these were ultimately archived.

The DPA imposed two administrative fines on the controller: €200,000 for the infringement of Article 28 GDPR and €5,000 for the infringement of Article 5(1)(f) GDPR. The total fine therefore amounted to €205,000. After voluntary payment, the fine was reduced by 20% to €164,000, without recognition of liability by the controller.

In addition, the DPA ordered the controller, under Article 58(2)(d) GDPR, to bring its processing operations into compliance. In particular, the controller was required to prove, within three months from the resolution becoming final and enforceable, that it had concluded the corresponding data processing agreement with the processor in order to comply with Article 28 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202407910

RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY PAYMENT

From the procedure initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On November 11, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanction proceedings against SEUR GEOPOST, S.L. (hereinafter, SEUR).
Having been notified of the initiation agreement and after analyzing the allegations presented, on September 15, 2025, the proposed resolution was issued, which is transcribed below:

<<

File No.: EXP202407910

PROPOSED RESOLUTION OF SANCTIONING PROCEEDINGS

Contents

FIRST: Complaint filed with the Spanish Data Protection Agency (AEPD)
SECOND: Transfer of the complaint to CITIBOX
THIRD: Non-admission of the complaint:
FOURTH: Appeal for reconsideration filed by the complainant, processing and resolution thereof:
FIFTH: Preliminary investigative actions:
   A. Information provided by CITIBOX:
   B. Information provided by SEUR:
SIXTH: Agreement to initiate the sanctioning procedure
SEVENTH: Evidence gathering:
EIGHTH: Annex with the list of documents included in the procedure:
NINTH: Turnover of SEUR GEOPOST S.L:
PROVEN FACTS
INDEX OF PROVEN FACTS
FIRST:
SECOND:

C/ Jorge Juan, 6, 28001 – Madrid; www.aepd.es; sedeaepd.gob.es
THIRD:
FOURTH:
FIFTH:

Entities

AEPD (vendor)
SEUR GEOPOST (vendor)
CITIBOX SMART SERVICES (vendor)