Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines UPS España €70,000 for violating integrity and confidentiality principle

The Spanish data protection authority ('AEPD') published, on 3 November 2022, its decision in Proceeding No. PS/00280/2022, in which it imposed a fine of €70,000 on United Parcel Service España Ltd. Y Compañia SRC ('UPS') for violation of Articles 5(1)(f) and 32 of the General Data Protection Regulation (Regulation (EU) 2016679) ('GDPR'), following an individuals complaint.

Background to the decision

In particular, the AEPD noted that UPS delivered a parcel to one of the claimants' neighbour of the community in which it resides, without prior notice nor consent.

Findings of the AEPD

In its findings, the AEPD noted that UPS provided the terms and conditions that govern the contract signed with Media Markt Saturn Administracion España, S.A., claiming that it has acted in accordance with said contract for the provision of services, according to which it must be Media Markt who requests the consent of its customer when they request the product delivery service by courier.

However, the AEPD highlighted that UPS did not prove that the necessary requirements to be considered a data processor were met, since it was not proven that Media Markt and UPS signed the contract that must govern the relationship between the controller and the processor of personal data, according to Article 28(2) of the GDPR, where the precise instructions for the processing of personal data given by the person in charge are detailed. Therefore, the AEPD confirmed that the signed contract with Media Markt did not exempt UPS from liability.

Furthermore, the AEPD emphasised that UPS violated the principle of integrity and confidentiality principle pursuant to Article 5(1)(f) of the GDPR. In addition, the AEPD found that UPS had not adopted the necessary security measures to guarantee the protection of data subjects pursuant to Article 32 of the GDPR.


As a result, the AEPD imposed a fine of €70,000 on UPS for violations of Articles 5(1)(f) and 32 of the GDPR.

You can read the decision, only available in Spanish, here.