KFC Spain’s lesson: privacy policies matter! Neglecting vital personal data processing details in their policy led KFC Spain to a €25,000 fine. Uncover why privacy policies are crucial to safeguard your business and how to reduce risks.
Privacy policies matter
KFC Restaurants Spain S.L. recently found itself in hot water when it received a €25,000 fine for failing to provide a complete privacy policy on its website. The case highlights the importance of maintaining an up-to-date and comprehensive privacy policy to comply with GDPR. Let’s delve into the details of the incident, explore its impact, and discuss the actions your business can take to avoid similar penalties.
The issue arose when KFC Restaurants Spain S.L. neglected to include vital information about the processing of personal data and the name of their Data Protection Officer (DPO) within the privacy policy on their website.
KFC Spain argued that its service is primarily gastronomic and therefore does not involve extensive processing of personal data; in its view, personal data is processed only in the context of its delivery service. The case nevertheless reached the regulator after an individual lodged a complaint against the company with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD).
The impact
The AEPD disagreed with KFC Spain's perspective. The agency found that KFC Spain had violated Articles 13 and 37 of the General Data Protection Regulation (GDPR) in the following ways:
Incomplete privacy policy: KFC Spain violated Article 13 of the GDPR by omitting crucial information about its data processing from the privacy policy. Instead of specific information, the company gave only generic and abstract details about the external providers involved in processing personal data. This failure to provide comprehensive and specific information breached the GDPR's transparency requirements.
Failure to appoint a DPO: By not designating a Data Protection Officer, KFC Spain breached Article 37 of the GDPR, which mandates the appointment of a DPO under specific circumstances.
As a result, KFC Spain was fined €25,000 and given one month to add the missing content to its privacy policy (the AEPD's decision is available only in Spanish).
Key takeaways for your business
Our experts recommend taking the following steps to reduce your risk:
- Keep your privacy policy up to date: Regularly review and update your privacy policy to ensure it accurately reflects your data processing practices. Be diligent in providing comprehensive information about data processing activities and the rights of data subjects.
- Use DataGuard’s Privacy Policy Generator: Our privacy policy generator helps you create and update your privacy policy effectively by automating policy creation, saving your team hours of work.
- Seek expert advice: If you’re uncertain about your privacy policy or data processing practices, consult with an expert. They can provide guidance and help ensure your policies align with the applicable laws.
What should be included in a website privacy policy?
Your website's privacy policy must cover every element of the site that processes personal data. A contact form, a newsletter sign-up, an embedded map, web fonts loaded from an external server, or an analytics tool each causes visitor data (at minimum the visitor's IP address) to be processed, often by a third party, so each of them must be listed and described in the policy, including who receives the data and for what purpose.
Legal background
Under Articles 13 and 14 of the GDPR, website operators have a duty to inform visitors when personal data is processed on their sites. Because almost every website processes technically necessary personal data, such as the visitor's IP address, a privacy policy is needed to meet the transparency obligation and to tell visitors how the operator processes their data.
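A practical way to check whether a policy is complete, for the elements listed above and for the IP-address point just made, is to enumerate the third-party hosts a page actually contacts: every request to one of them carries the visitor's IP address. The following Python script is an added example, not part of the original article, DataGuard's tooling, or KFC Spain's site. It parses a constructed sample page for a hypothetical shop at shop.example.com, reports each script, iframe, image, stylesheet, font or form that points at another host, and diffs those hosts against the processors the policy already names. The vendor hostnames in the sample page and the POLICY_NAMES set are assumptions made up for the example.

```python
"""Inventory the third-party hosts a page loads, to check privacy-policy coverage."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a hypothetical shop at shop.example.com.
# It is not KFC Spain's site; the vendor hosts are illustrative.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="//cdn.example-cdn.net/lib.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="https://static.shop.example.com/logo.png" alt="logo">
<iframe src="https://www.google.com/maps/embed?pb=!1m18"></iframe>
<form action="https://forms.crm-vendor.example.net/submit" method="post">
  <input name="email"><button>Contact us</button>
</form>
<form action="/newsletter" method="post"><input name="email"></form>
</body></html>
"""

# Which attribute of each tag names the resource the browser fetches or posts to.
RESOURCE_ATTRS = {
    "script": "src",     # analytics, tag managers, chat widgets
    "iframe": "src",     # embedded maps, videos
    "img": "src",        # tracking pixels, externally hosted images
    "link": "href",      # stylesheets, web fonts, preconnect hints
    "form": "action",    # contact/newsletter forms posting to a vendor
}


class ThirdPartyCollector(HTMLParser):
    """Record every element whose resource URL points at a host other than the site's own."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.elements = []  # (element kind, host, url)

    def _is_first_party(self, host):
        # The site's own host and its subdomains are first-party; everything else is not.
        return host == self.first_party or host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attr_map = dict(attrs)
        url = attr_map.get(attr_name)
        if not url:
            return
        # urlparse resolves scheme-relative "//host/path" to a hostname too;
        # relative paths like "/static/app.js" yield no hostname and stay first-party.
        host = urlparse(url).hostname
        if host is None or self._is_first_party(host.lower()):
            return
        kind = tag
        if tag == "link":
            kind = "link[%s]" % (attr_map.get("rel") or "").lower()
        self.elements.append((kind, host.lower(), url))


def inventory(html, first_party_host):
    """Return (kind, host, url) for each element that sends visitor data to a third party."""
    collector = ThirdPartyCollector(first_party_host)
    collector.feed(html)
    collector.close()
    return collector.elements


def third_party_hosts(html, first_party_host):
    """Distinct third-party hosts contacted by the page, sorted for diffing against the policy."""
    return sorted({host for _, host, _ in inventory(html, first_party_host)})


def undisclosed_hosts(html, first_party_host, disclosed_hosts):
    """Hosts the page contacts that the privacy policy does not name."""
    disclosed = {h.lower() for h in disclosed_hosts}
    return [h for h in third_party_hosts(html, first_party_host) if h not in disclosed]


if __name__ == "__main__":
    # Constructed list of processors the hypothetical current policy already names.
    POLICY_NAMES = {"fonts.googleapis.com", "fonts.gstatic.com", "www.googletagmanager.com"}
    for kind, host, url in inventory(SAMPLE_HTML, "shop.example.com"):
        print("%-18s %-30s %s" % (kind, host, url))
    print("Not in policy:", undisclosed_hosts(SAMPLE_HTML, "shop.example.com", POLICY_NAMES))
```

Two caveats when using this for a real audit. A static parse only sees resources written into the HTML; scripts that load further resources at runtime, CSS `@import` rules and cookies set by a vendor are invisible to it, so compare the list with the network log of a real browser session. And a host on the list only tells you that a recipient exists; what that recipient does with the data, on what legal basis and for how long, still has to come from the vendor's documentation and go into the policy.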