AEPD (Spain) - PS-00248-2024
Spanish DPA fines delivery company €205,000 for GDPR violations.
Summary
The Spanish Data Protection Agency (AEPD) fined a delivery company €205,000: €200,000 for using a third-party parcel locker provider as a processor without a data processing agreement under Article 28 GDPR, and €5,000 for breaching the integrity and confidentiality principle of Article 5(1)(f) GDPR after a parcel that should have been delivered to the recipient's home was deposited in a locker without her prior authorisation. The AEPD held that the locker provider acted as a processor, not an independent controller, even though the parties' contract described both companies as independent controllers; roles are determined by what each party actually does, not by the labels in the agreement. On voluntary payment the fine was reduced by 20% to €164,000, without any acknowledgement of liability, and the company was ordered to conclude a compliant processing agreement within three months.
Full text
Latest revision as of 10:19, 12 June 2026

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 28 GDPR
Type: Complaint
Outcome: Upheld
Started: 11.11.2024
Decided:
Published: 08.06.2026
Fine: 205,000 EUR
Parties: SEUR GEOPOST, S.L.; CITIBOX SMART SERVICES, S.L.
National Case Number/Name: PS-00248-2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: bms

The DPA fined a delivery company €205,000 for using a third-party parcel locker provider as a processor without an Article 28 GDPR agreement and for breaching confidentiality.

English Summary

Facts

The data subject purchased goods on a website and in

The data subject complained to the DPA, arguing that the parcel had been deposited in the locker provider's locker without her prior authorisation and that the controller had unlawfully disclosed her personal data to that provider.

The controller and the locker provider had concluded a service agreement and a data protection addendum. However, these documents classified both companies as independent controllers; they had not entered into a data processing agreement under Article 28 GDPR. The controller argued that its relationship with the locker provider amounted to a disclosure of data between independent controllers, not a controller-processor relationship.

Holding

First, the DPA assessed the roles of the two companies. It held that the controller determined the purposes and essential means of the processing, namely the delivery of parcels to recipients and the use of the locker network as part of its delivery operations. The locker provider merely provided a service to the controller by receiving, keeping and enabling collection of parcels through its lockers; it did not determine any independent purposes of its own for processing the data subject's personal data in this context.

The DPA therefore found that the locker provider acted as a processor within the meaning of the GDPR. Since the controller had not concluded a data processing agreement meeting the requirements of Article 28 GDPR, the DPA found a breach of Article 28 GDPR. That the parties had contractually described themselves as independent controllers was not decisive: the classification of the parties must be based on their actual roles and functions under the GDPR, not on the labels used in their contract.

Second, the DPA found a breach of Article 5(1)(f) GDPR (integrity and confidentiality). The controller was responsible for delivering the parcel to the data subject's home address, but the parcel was instead deposited in the processor's locker system. The DPA considered that the controller had failed to ensure an appropriate level of confidentiality and control over the processing in this specific delivery.

The DPA also examined possible infringements of Articles 6(1) and 32 GDPR, but these were ultimately archived, i.e. closed without a finding of infringement.

The DPA imposed two administrative fines on the controller: €200,000 for the infringement of Article 28 GDPR and €5,000 for the infringement of Article 5(1)(f) GDPR, a total of €205,000. Under Spanish administrative procedure law (Law 39/2015), voluntary payment reduced the fine by 20% to €164,000, without any acknowledgement of liability by the controller.

In addition, under Article 58(2)(d) GDPR the DPA ordered the controller to bring its processing operations into compliance. In particular, the controller had to prove, within three months of the resolution becoming final and enforceable, that it had concluded the corresponding data processing agreement with the processor, as required by Article 28 GDPR.