[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbg-QNyB_jeHrdprnqdtNdDjUR8cWLxI-YMfiUdvrOok":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":26,"category":27,"article_tags":31},"91606207-e190-40f8-afb5-b102487c0b6d","AEPD (Spain) - PS-00248-2024","aepd-spain-ps-00248-2024-9d1274","Revision as of 07:54, 17 June 2026: The DPA fined a delivery company €205,000 for failing to conclude a processing agreement with the provider of parcel lockers it used as pick-up points for its customers. The delivery company considered the provider to be a separate controller while it actually acted as a processor.","Spain's Data Protection Authority (AEPD) fined SEUR GEOPOST €205,000 for using a third-party parcel locker provider (CITIBOX SMART SERVICES) without a proper Article 28 GDPR data processing agreement. 
The delivery company incorrectly classified the locker provider as an independent controller rather than a processor, and unlawfully shared customer personal data (including phone numbers) without appropriate contractual safeguards.","Spain's AEPD fines delivery company €205K for failing to establish Article 28 GDPR data processor agreement.","AEPD (Spain) - PS-00248-2024 From GDPRhub Latest revision as of 07:54, 17 June 2026 by Bms AEPD - PS-00248-2024 Authority: AEPD (Spain) Jurisdiction: Spain Relevant Law: Article 5(1)(f) GDPR Article 28 GDPR Type: Complaint Outcome: Upheld Started: 11.11.2024 Decided: Published: 08.06.2026 Fine: 205,000 EUR Parties: SEUR GEOPOST, S.L. CITIBOX SMART SERVICES, S.L. 
National Case Number\u002FName: PS-00248-2024 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Spanish Original Source: AEPD (in ES) Initial Contributor: bms The DPA fined a delivery company €205,000 for failing to conclude a processing agreement with the provider of parcel lockers it used as pick-up points for its customers. The delivery company considered the provider to be a separate controller while it actually acted as a processor. English Summary Facts The data subject purchased goods on a website and indicated her home address as the delivery address. SEUR GEOPOST, S.L., the controller, was responsible for delivering the parcel. Instead of delivering the parcel to the data subject’s home, an employee of the controller deposited it in a locker operated by CITIBOX SMART SERVICES, S.L., the processor. The processor operated parcel lockers installed in common areas of residential buildings. In order to allow the data subject to collect the parcel, the controller communicated personal data to the processor, including at least the data subject’s telephone number. The processor then sent the data subject an SMS informing her that the parcel had been deposited in the locker and explaining how it could be collected. The data subject was not registered with the processor and had not previously had any business relationship with it. She opened the locker after a telephone conversation with an employee of the processor, without downloading the processor’s app or registering as a user. The data subject complained to the DPA, arguing that the parcel had been deposited in the processor’s locker without her prior authorisation and that the controller had unlawfully disclosed her personal data to the processor. The controller and the processor had concluded a service agreement and a data protection addendum. 
However, these documents classified both companies as independent controllers. They had not entered into a data processing agreement under Article 28 GDPR. The controller argued that the relationship with the processor amounted to a data disclosure between independent controllers, not a processor relationship. Holding The DPA upheld the complaint. First, the DPA assessed the roles of the controller and the processor. It held that the controller determined the purposes and essential means of the processing, namely the delivery of parcels to recipients and the use of the processor’s locker network as part of its delivery operations. The processor merely provided a service to the controller by receiving, keeping and enabling collection of parcels through its lockers. It did not determine its own independent purposes for the processing of the data subject’s personal data in this context. The DPA therefore found that the processor acted as a processor within the meaning of the GDPR. Since the controller had not concluded a data processing agreement meeting the requirements of Article 28 GDPR, the DPA found a breach of Article 28 GDPR. The fact that the parties had contractually described themselves as independent controllers was not decisive, as the classification of the parties must be based on their actual roles and functions under the GDPR. Second, the DPA found a breach of Article 5(1)(f) GDPR in relation to integrity and confidentiality. The controller was responsible for the delivery of the parcel to the data subject’s home address, but the parcel was instead deposited in the processor’s locker system. The DPA considered that the controller had failed to ensure an appropriate level of confidentiality and control over the processing operation in the specific delivery process. The DPA also examined possible infringements of Articles 6(1) and 32 GDPR, but these were ultimately archived. 
The DPA imposed two administrative fines on the controller: €200,000 for the infringement of Article 28 GDPR and €5,000 for the infringement of Article 5(1)(f) GDPR. The total fine therefore amounted to €205,000. According to the Spanish Administrative Law (39\u002F2015), and after voluntary payment, the fine was reduced by 20% to €164,000, without recognition of liability by the controller. In addition, the DPA ordered the controller, under Article 58(2)(d) GDPR, to bring its processing operations into compliance. In particular, the controller was required to prove, within three months from the resolution becoming final and enforceable, that it had concluded the corresponding data processing agreement with the processor in order to comply with Article 28 GDPR. English Machine Translation of the Decision The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.  File No.: EXP202407910 RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY PAYMENT From the procedure initiated by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: On November 11, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanction proceedings against SEUR GEOPOST, S.L. (hereinafter, SEUR). 
Having been notified of the initiation agreement and after analyzing the allegations presented, on September 15, 2025, the proposed resolution was issued, which is transcribed below: \u003C\u003C File No.: EXP202407910 PROPOSED RESOLUTION OF SANCTIONING PROCEEDINGS Contents FIRST: Complaint filed with the Spanish Data Protection Agency (AEPD); SECOND: Transfer of the complaint to CITIBOX; THIRD: Non-admission of the complaint; FOURTH: Appeal for reconsideration filed by the complainant, processing and resolution thereof; FIFTH: Preliminary investigative actions; A. Information provided by CITIBOX; B. Information provided by SEUR; SIXTH: Agreement to initiate the sanctioning procedure; SEVENTH: Evidence gathering; EIGHTH: Annex with the list of documents included in the procedure; NINTH: Turnover of SEUR GEOPOST S.L:...............","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_PS-00248-2024&diff=51897&oldid=51868","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F5\u002F59\u002FLogoES.jpg","2026-06-17T07:54:34+00:00","2026-06-17T08:00:25.385094+00:00",7,[18,21,23],{"name":19,"type":20},"SEUR GEOPOST, S.L.","vendor",{"name":22,"type":20},"CITIBOX SMART SERVICES, S.L.",{"name":24,"type":25},"Article 28 GDPR Data Processing 
Agreement","technology","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":26,"icon":28,"name":29,"slug":30},null,"GDPR","gdpr",[32,37,42],{"category":33},{"id":34,"icon":28,"name":35,"slug":36},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":38},{"id":39,"icon":28,"name":40,"slug":41},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":43},{"id":44,"icon":28,"name":45,"slug":46},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]