News

🇪🇸📱 Delivering a mobile to the Wrong Person Can Be Very Costly

Source: PS-00406-2023

A Spanish telecom operator was fined €70,000 for delivering a phone… to the wrong neighbor.
No identity check.
And the recipient’s personal data was fully visible on the label.

🎯 Facts

📦 A human error: the delivery person handed the package to a neighbor, without verifying their identity.
👀 As a result: the recipient’s name, phone number, address, and DNI number were exposed.
📝 And yet, the company’s internal policy clearly stated:

"The parcel must only be delivered to the account holder, upon presentation of ID."
📲 A delivery SMS even reminded the recipient of this rule.

⚠️ But ZELERIS (the logistics subcontractor) didn’t follow its own procedures.
And couldn’t even identify the delivery agent involved.

🔍 Breaches Identified

1️⃣ Violation of the principle of confidentiality (Art. 5.1.f GDPR)
→ Personal data disclosed to an unauthorized third party.

2️⃣ Failure to follow internal delivery protocols
→ Parcel delivered without ID check, despite explicit instructions.

⚖️ Sanction

💶 Fine of €70,000
🛠️ Obligation to provide evidence, within 6 months, of corrective measures taken.
✅ No penalty for Article 32 (security measures), as safeguards were in place — but not applied.

📌 Key takeaway

Even with a policy in place, failing to apply it operationally can still lead to GDPR liability.
And yes, sometimes a shipping label is enough to trigger a complaint, a fine, and a reputational hit.