Penalty for a courier company for delivering a package to the “ice cream shop below” without prior consent
The AEPD has imposed a penalty on a courier company for delivering a package to the “ice cream shop below” without prior consent. Until relatively recently, when we placed an order, if no one was at the agreed address to pick it up at the time of delivery, it was usually handed over to a neighbour so that the owner could pick it up later.
However, nowadays, delivering a parcel to the wrong person can be very expensive for courier companies.
In this particular case, the Spanish Data Protection Agency (AEPD) has fined the courier company UPS €140,000, as a repeat offender, for leaving a parcel at a commercial premises, an ice cream parlour in the same building as the delivery address, without the authorisation of the person to whom it was addressed.
The financial penalty is based on the fact that the full name, address and telephone number of the person to whom the parcel was addressed were included on the delivery note.
The owner received an audio message from the courier informing her that, as he could not find anyone at home, he had left the parcel at the building’s ice cream parlour, although she had at no time given her consent for this.
Which provisions did UPS violate?
In this case, the Spanish Data Protection Agency found the company in breach of Articles 5(1)(f) and 32 of the General Data Protection Regulation (GDPR).
Both sections deal with the security of personal data. Specifically, Article 5(1)(f) states that personal data must be processed in such a way as to ensure adequate security, thereby preserving confidentiality and integrity.
This is not the first time that the AEPD has sanctioned UPS for this type of incident. In November 2022, a user reported the courier company for deciding to deliver his package to another person without the user’s consent; on that occasion UPS had to pay €70,000.
In the current case, the AEPD points out that exposing this information to third parties involves “two infringements of data protection laws”. The first, classed as “very serious” and punished with a fine of €100,000, is for violating the “confidentiality” of the recipient’s personal data. The second, classed as “serious”, carries a fine of €40,000 for repeated infringements.
The AEPD has drawn the attention of both private entities and public institutions to their actions
The world of messaging is one of the sectors in which the AEPD is carrying out the most work in terms of data protection, both for private companies and public institutions.
The Santiago de Compostela City Council was recently warned for sending a citizen an uncertified letter in which all her personal details, such as ID card number, name, surname, address, car registration number, and make and model of vehicle, could be seen, because the letter concerned a speeding offence.
However, the AEPD states that “with the exposure of such data with the removal of the pink receipt notice relating to the notification, the complainant has lost its power of disposal and control to decide whether or not to provide such data to a third party”.
Therefore, the supervisory authority concludes that, at the time of sending, the municipality did not have reasonable security measures in place based on the estimated potential risks.
At Letslaw we are specialists in data protection and can help you carry out your professional work safely while respecting the correct processing of personal data.