KFC Spain’s lesson: privacy policies matter! Neglecting vital personal data processing details in their policy led KFC Spain to a €25,000 fine. Uncover why privacy policies are crucial to safeguard your business and how to reduce risks.
Privacy policies matter
KFC Spain argued that their service is primarily focused on gastronomy and, therefore, doesn’t involve extensive processing of personal data. They claimed that personal data processing only occurs in the context of their delivery service. However, an individual lodged a complaint against the company with the Spanish Data Protection Agency (AEPD), known as Agencia Española de Protección de Datos.
The AEPD disagreed with KFC Spain's perspective. The agency found that KFC Spain had violated Articles 13 and 37 of the General Data Protection Regulation (GDPR) in the following ways:
Failure to appoint a DPO: By not designating a Data Protection Officer, KFC Spain breached Article 37 of the GDPR, which mandates the appointment of a DPO under specific circumstances.
Key takeaways for your business
Our experts recommend taking the following steps to reduce your risk: