Surely it has happened to all of us at some point: we have made a purchase online and, upon arriving home, we have found the typical receipt informing us that the package has been delivered to a neighbor. Regardless of the amount of the product in question, the shipping method chosen or any other condition. From now on, they will have to think twice. Since, recently, the Spanish Data Protection Agency has fined The Bee Logistics with 70,000 euros for this.
Must visit a neighbor to pick up a package that has been attempted to be delivered in our absence has become commonplace for many. In fact, in some cases, it is not necessary for us to not be at home. But the carrier leaves all deliveries to the same neighbor in order to save time and meet deadlines for the rest of your packages. However, the Spanish Data Protection Agency has been tightening its grip on these actions for some time. Recently, in fact, it has sanctioned The Bee Logistics with 70,000 euros for this practice.
Despite the amount, it is not the first time that the AEPD acts in this type of case. Just a year ago, UPS was also fined the same amount for similar conduct. And, some time later, the same company was sanctioned with 140,000 euros for having left a package in a business close to the recipient’s home. This is, therefore, a type of behavior that the AEPD hopes to eradicate through sanctions.
The responsibility of the transport company
This specific case occurred on June 28, 2022, when the recipient received a call from the courier, informing him that they were trying to deliver a package purchased in the Carrefour online store. Since he was not at home, he gave permission to deliver to a specific neighbor. However, when I complained about the order, he said that he had not arrived no courier to your home to deliver any package.
It was then that the person who had bought the package reported the case. Alleging that not only had the package been stolen, but that all of her personal information had been left behind. exposed to the eyes of a third party without having given consent to do so. With the problems that this could cause in terms of privacy.
After requesting the pertinent information from all the companies involved, the AEPD determined that the final responsibility was The Bee Logistics, which was the one who had assumed the responsibility of delivering that order.
A security breach in data processing
The AEPD determined that there had been a security breach of the data, since the claimant’s personal data had been exposed to a third party. In addition, it was also highlighted throughout the process that transport companies must have different measures, both technical and administrative, to comply with the regulations of data protection required by law. Even more so if you take into account the large number of people who have access to this data and who interact directly with it.
In this specific case, the sanction is double. The first of them, for violating article 5.1f) of the General Data Protection Regulation, which refers to the confidentiality and integrity of the data, with a total amount of 50,000 euros. While for violating article 32, which refers to the safety of the treatment, a penalty of 20,000 euros has been imposed.
