Orange will have to face a fine of 100,000 euros imposed by the Spanish Agency for Data Protection (AEPD). Not for registering without permission or not sufficiently verifying the identity of a scammer, as happened a few years ago. The key is different on this occasion: what has set the AEPD machinery in motion to lead to the sanction is a practice used by the company to confirm the identity of its customers during package deliveries: photographing the DNI on both sides . The Agency’s technicians conclude that more personal data appears on the card than is necessary for the exchange.
A slip that can be expensive for the operator.
A case dating back to 2020. The AEPD resolution was published only a few days ago, last Thursday, but part of a complaint actually registered three years ago. To be more precise on April 22, 2020, when two people went to a Civil Guard barracks in Totana, in Murcia: an individual (AAA) and a delivery man from the company General Logistic Systems (GLS).
The reason that led them to the Benemérita offices was peculiar: the first, AAA, wanted to investigate what just happened to him during the delivery of a package. Basically —and as stated by the AEPD itself— the individual found that if he wanted the delivery man to deliver his order, which contained an Orange mobile phone, he must first present his ID and allow it to be photographed on both the back and the front. obverse. The images were taken with a terminal to meet what was apparently a company requirement.
Activating the machinery of the AEPD. The case ended up reaching the AEPD shortly after with Orange as the claimed party and started a machinery that has now concluded with the resolution. And a fine of 100,000 euros for violating article 5.1.c of the General Data Protection Regulation.
The document basically details that the data must be treated in an “adequate, pertinent and limited” manner to what is necessary for each case. The body’s resolution puts an end to the administrative process, but appeals for reinstatement or administrative litigation can still be filed at the National Court.
Let them photograph my ID? Here is the key to the case. Is it justified that the DNI be photographed on both sides to verify the identity of the client? Or does it mean, on the contrary, demanding more information than is really necessary, which would violate what the regulation calls “data minimization”? In the case studied by the AEPD, the delivery person offers IdentService, which seeks to give more guarantees that whoever picks up the package is its true recipient.
If the name and ID are not what they should, the package will not be delivered. If they are, the photographs are taken and sent through an encrypted channel to be kept on an internal server, without the dealer being able to consult them. Each company would access theirs with a link and the material is stored for four years. Orange informs the customer by mail that at the time of delivery the DNI can be requested for digitization and collects the conditions on its website, where it warns: “The documentation will be scanned on collection.”
And what does Orange say? In its allegations before the Agency, the company has insisted that what is being pursued is a “legitimate interest” and that it conforms to what is stated in different sentences issued over the years and has been claimed before. In 2021, the AEPD already sanctioned Orange for not verifying the identity of a user who impersonated another to obtain a copy of their SIM and use Bizum.
Furthermore, he emphasizes that the photo is taken with a specific app that does not store the image on the device: “The ultimate goal is to guarantee that the terminal is delivered to the person who has hired it,” the AEPD document collects when listing its allegations. If images of the DNI are used, it abounds, it is to “prove, if necessary, having displayed the required diligence when verifying identity.”
More data than necessary. For the Agency, however, there are “obvious indications” that the company violated article 5 of the GDPR, and emphasizes: “The DNI contains not only the name and surname, its number and photograph of the recipient, but also incorporates many other data”. such as the user’s signature, address, place and date of birth, alphanumeric code, date of issue and validity. “Completely additional data that is neither adequate nor pertinent nor limited to the purpose of the delivery of the merchandise,” the agency says.
The solution: less invasive methods. This is another of the fundamental messages of the resolution, which indicates that to prove the identity of the person who collects the package and that it is indeed the client who contracted it, “means that are less harmful and aggressive to people’s privacy” must be used. . “The treatment of the images of the DNI is excessive for the purpose of verifying and determining that the recipient to whom the merchandise is delivered is the same person as the one who entered into the contract.”
Cover image: Martín Colombet (Orange)
In Xataka: Microsoft is the first Big Tech that complies with the data protection that Europe wants. Still falls short
