€25,000 fine for an incomplete privacy policy on a website

KFC Spain’s lesson: privacy policies matter! Neglecting vital personal data processing details in their policy led KFC Spain to a €25,000 fine. Uncover why privacy policies are crucial to safeguard your business and how to reduce risks.

Privacy policies matter

KFC Restaurants Spain S.L. recently found itself in hot water when it received a €25,000 fine for failing to provide a complete privacy policy on its website. The case highlights the importance of maintaining an up-to-date and comprehensive privacy policy to comply with GDPR. Let’s delve into the details of the incident, explore its impact, and discuss the actions your business can take to avoid similar penalties.

The issue arose when KFC Restaurants Spain S.L. neglected to include vital information about the processing of personal data and the name of their Data Protection Officer (DPO) within the privacy policy on their website.

KFC Spain argued that their service is primarily focused on gastronomy and, therefore, doesn’t involve extensive processing of personal data. They claimed that personal data processing only occurs in the context of their delivery service. However, an individual lodged a complaint against the company with the Spanish Data Protection Agency (AEPD), known as Agencia Española de Protección de Datos.

The impact

The AEPD disagreed with KFC Spain's perspective. The agency found that KFC Spain had violated Articles 13 and 37 of the General Data Protection Regulation (GDPR) in the following ways:

Incomplete privacy policy: KFC Spain violated Article 13 of the GDPR by omitting crucial information about data processing in its privacy policy. Instead, the company provided generic and abstract details about external providers of personal data. This failure to provide comprehensive and specific information led to a breach of GDPR requirements.

Failure to appoint a DPO: By not designating a Data Protection Officer, KFC Spain breached Article 37 of the GDPR, which mandates the appointment of a DPO under specific circumstances.

As a result, KFC Spain was issued a fine of €25,000. The company was also given one month to rectify the missing content in its privacy policy (the AEPD decision is available only in Spanish).

Key takeaways for your business

Our experts recommend taking the following steps to reduce your risk:

  1. Keep your privacy policy up to date: Regularly review and update your privacy policy to ensure it accurately reflects your data processing practices. Be diligent in providing comprehensive information about data processing activities and the rights of data subjects.
  2. Use DataGuard’s Privacy Policy Generator: Our privacy policy generator helps you create and update your privacy policy effectively by automating policy creation, saving your team hours of work.
  3. Seek expert advice: If you’re uncertain about your privacy policy or data processing practices, consult with an expert. They can provide guidance and help ensure your policies align with the applicable laws.

What should be included in a website privacy policy?

Your website's privacy policy should encompass all elements that process personal data. For instance, if you have a contact form, newsletter subscription, integrated map services, fonts, or analytics tools on your website, each of these elements must be listed and described in your privacy policy.

Legal background 

Under Articles 13 and 14 of the GDPR, website operators have a duty to inform visitors if personal data is processed on their sites. As websites typically process technically necessary personal data, such as users' IP addresses, a privacy policy is necessary to fulfil the obligation of transparency and inform users about the site's data processing activities.

About the author

Boris Otterbach

Principal Privacy

Boris Otterbach is a lawyer and certified data protection officer with more than five years of experience in this field. Already during his studies he focused in depth on European law, international law and human rights protection, and data protection was a central aspect of that work. The GDPR helps to create a common European framework so that everyone enjoys the same protection, and that framework must be filled with pragmatic, everyday-ready solutions. At DataGuard, Boris works on developing pragmatic solutions for GDPR safeguards so that companies can become GDPR-compliant. Making daily work more effective through greater automation drives him to master new challenges at DataGuard every day and to ensure that companies are protected from a data protection law perspective and make optimal use of the latest technologies. As a consultant he mainly looked after clients in the HR, hotel and hospitality sectors. In his role as Principal Professional Services at DataGuard, he supports the Privacy, Information Security and Compliance teams with his extensive know-how and experience in order to protect the people behind the data.

