In a significant move against non-compliance with data protection regulations, Polish authorities have imposed a fine exceeding 11 million PLN on the courier company DPD. This penalty arises from DPD's use of external transport providers, known as LNH carriers, for package deliveries without formal data processing agreements, which are mandated by the General Data Protection Regulation (GDPR). The company argued that the transportation service did not necessitate data processing; however, this claim was rejected by regulatory authorities.

The President of the Personal Data Protection Office (UODO) concluded that DPD's operations constituted a clear violation of GDPR. The reasoning behind this decision highlights the essential nature of data protection agreements, especially as LNH carriers were involved in the loading and unloading of packages, thereby gaining access to personal data on package labels. This oversight raises serious questions about DPD's adherence to data protection standards and its overall accountability in managing customer information.

This ruling serves as a warning to other companies in the logistics and courier sectors about the importance of compliance with data protection laws. As GDPR continues to be a critical regulatory framework across Europe, companies must closely evaluate their data handling practices, especially regarding third-party service providers. The implications of this case could influence how companies structure their agreements with carriers and ensure strict adherence to data protection protocols to avoid similar penalties in the future.