One of the responsibilities that processors acquired under the GDPR was to have a binding contract covering their processing that includes certain mandated terms. The obligation applies equally to controllers, and we’ve seen a few instances (in Italy and Poland, for example) where DPAs have fined both the controller and the processor for not having an appropriate written contract in place. However, a recent decision by the AEPD seems to break new ground, as it focuses on the need for contracts between the processor and the sub-processor as a statutory (as opposed to contractual) obligation.
Perhaps surprisingly, the firms in question were both delivery companies, and the investigation was prompted by a complaint from an individual whose parcel had been misdelivered. It’s a near-universal experience in modern life: you get home to discover your latest internet purchase is “with a neighbour”. If you’re lucky, you find out which one. If you’re unlucky, there follow weeks of being passed back and forth between the merchant and the courier company, each saying the other is responsible for the loss of your parcel. At some point you give up and buy another. What probably doesn’t occur to you is to complain to your local data protection authority about the exposure of your personal data to the unknown individual who acquired your parcel, but that’s what one frustrated Spanish consumer did.
The subsequent investigation by the AEPD found that the merchant had contracted with a transport company (a processor), Fourth Party Logistics (FPL), for delivery services. FPL used various group companies to provide most of the service, but it engaged an unrelated entity, Bee Logistics, to carry out the ultimate (unsuccessful) delivery. FPL did not provide the AEPD with any contractual documentation covering its intra-group relationships, and admitted that there was only a verbal contract with Bee Logistics. Noting that “transport companies handle an important quantity of data”, the AEPD fined FPL €120,000 for breaching articles 28(2) and 28(3) by failing to have a written contract in place with its sub-processor, and failing to have the prior authorisation of the controller for the sub-contracting. One imagines that this outcome was as satisfying as it was unexpected for the original complainant, even if they never did find their parcel.
The full decision is available here.