UPS slapped with a 140,000 euro fine in Spain for leaving parcels with neighbours

The Spanish data protection agency (AEPD) has fined delivery company UPS with a hefty 140,000 euro fine for breaching its regulations, after a delivery driver sent a WhatsApp message to the recipient of a parcel who wasn’t at home telling them that he had left it downstairs with neighbours, but didn’t have permission to do so.

He sent a message saying “I left the package for you at the ice cream parlour downstairs,” but as a result of this, the AEPD penalised UPS for leaving a package in a commercial premises located on the ground floor of the building where the recipient resides, without authorisation from the customer.

The parcel had a note on it which included the recipient’s full name, telephone number and address, and the AEPD considered that exposing this information breached two infringements of their data protection laws.

The first breached the confidentiality of the customer's personal data, which is considered "very serious" and punishable by a fine of 100,000 euros, and the second serious infringement, punished with 40,000 euros, is for reoffending, after a similar incident happened with the same company at the end of last year.

PREVIOUS CASE:
In December, that AEPD fined UPS 70,000 euros for delivering two MediaMarkt orders to a neighbour of the recipient without his consent. According to UPS, the company "acts and proceeds as agreed with MediaMarkt and with the objective of guaranteeing delivery and the order in the time and manner agreed with the company, always in favour and in the interest of the complainant".

As evidence, the buyer submitted two clauses found in the terms and conditions of the contract which explained, on the one hand, the possibility of delivering the parcel to the neighbour in the absence of the recipient and, on the other hand, the obligation of the sender of the shipment, in this case MediaMarkt, to inform the recipient about the processing of his data in the framework of the services it offers".

"Thus, it is MediaMarkt, as the sender of the product, who should have excluded the possibility of delivery to a neighbour from the delivery, as UPS expressly informed that in the absence of this exclusion this was possible", they pointed out.

UPS believes that they acted in accordance with the contract signed with MediaMarkt and that they were responsible for the processing of the data, as they "had the obligation to inform that it could not proceed with the delivery through a neighbour".

But the AEPD found that UPS transferred the complainant's data to a third party without his consent and the fact that it had signed a contract with MediaMarkt, did not exempt UPS from liability.