Telefonico Servicios Integrales de Distribucion – €70,000 Fine (Spain, 2025)

The data subject ordered a mobile phone which was to be delivered by Telefonico Servicios Integrales de Distribucion (data controller). The package label contained details relating to the complainant, including their ID card number and phone number, and was marked as only being supposed to be delivered to the data subject. When the company tried to deliver the package, the data subject was not home and the parcel was delivered to a neighbor in the same building with whom the data subject had a poor relationship. This occurred in spite of the controller's internal policy requiring delivery only to the intended addressee and the data subject's personal data visible on the package label. The data subject filed a complaint with the AEPD (Spanish DPA) on 23rd February 2023. The DPA found that controller, in delivering the parcel to the incorrect recipient, had infringed the requirement to implement appropriate technical and organisational security measures in Article 5(1)(f). This infringement, the DPA noted, resulted in the improper disclosure of the data subject’s personal data. The DPA issued a fine of €70,000 for this infringement. In setting the amount, the DPA had regard to the fact that the delivery of parcel was the core business activity of the controller, and that they handled the personal data of a large number of data subjects. The controller was also ordered to establish further technical and organisational measures to ensure that deliver drivers comply with the internal procedure to only deliver parcels to the addressee.