TNT EXPRESS WORLDWIDE SPAIN, S.L. – €10,000 Fine (Spain, 2021)

A data subject filed a complaint with the Spanish DPA (AEPD) against a company that used incorrect personal data for an invoice. The controller had received an order from the data subject's personal email and with the data subject's own personal data. The delivery address was, however, the address of the company where the data subject worked. The controller sent an invoice addressed to the company but including the data subject's personal email and information, therefore incorrectly using the provided personal data. The order was private and personal, not professional and thus related to their employer. The controller then asked the data subject to correct the situation, asking the data subject for information already in possession of the controller. The AEPD concluded that the controller had breached the accuracy principle enshrined in Article 5(1)(d) GDPR, since the personal data processed was not accurate, and the controller did not take reasonable steps to ensure the accuracy of the data, since the controller had to ask for the data subject's collaboration, causing additional trouble to the data subject, in order to rectify the situation. Therefore, the DPA fined the controller €10,000 for a violation of Article 5(1)(d) GDPR.