AEPD (Spain) - PS/00140/2022
Latest revision as of 05:40, 9 May 2023
AEPD - PS/00140/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR; Article 37(1) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 28.05.2021 |
Decided: | |
Published: | |
Fine: | 25,000 EUR |
Parties: | KFC Restaurants |
National Case Number/Name: | PS/00140/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Bernardo Armentano |
The Spanish DPA fined KFC a total of €25,000 for using generic wording when defining the purposes of data processing and for failing to appoint a DPO, in violation of Articles 13 and 37 GDPR.
English Summary
Facts
On May 28, 2021, the data subject filed a complaint with the Spanish DPA, claiming that, when creating an account on the controller’s website, it was only possible to register after accepting the terms and conditions and consenting to the sending of special offers and promotions. Moreover, the data subject argued that the controller failed to provide information about: (a) the recipients of personal data; (b) the possibility of making international transfers; and (c) the retention period. Finally, the data subject argued that no DPO had been appointed.
In response, the controller admitted that there was a problem in the configuration of the registration form, which erroneously included a consent request for special offers and promotions. Likewise, it recognised that the link in that form mistakenly directed the user to a legal notice instead of the page with the privacy policy. However, it claimed that these errors had been fixed. Also according to the controller, the website provided double-layer data protection information, and the second layer contained all the details required by Article 13 GDPR.
As for the appointment of a DPO, the controller argued that Article 37(1) GDPR was not applicable since the data processing was merely auxiliary to its core activity, that is, the provision of meals. Finally, the controller argued that, as the general privacy policy applied to all its brands in different jurisdictions, it was not possible to provide complete information about the recipients beforehand.
Holding
During the investigation, the DPA verified that the “Data Privacy Policy” was divided among three documents: (a) the terms of use of the website; (b) a general privacy policy for all countries; and (c) a specific privacy policy for the European Economic Area (EEA) countries, the United Kingdom and Switzerland.
By reviewing the documents, the DPA noted that the Privacy Policy adequately indicated the legal basis for each processing operation and that the subscription to receive advertising messages and special offers was voluntary. Therefore, it considered that the processing was lawful in accordance with Article 6 GDPR. However, it held that the documents did not offer precise information on the purposes of data processing, because they used indefinite expressions such as “we can use...”. It emphasised that “language qualifiers such as 'may', 'might', 'some', 'often' and 'possible' should also be avoided. Where data controllers opt to use indefinite language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing” (Article 29 Working Party Guidelines on Transparency under GDPR). In the case at hand, the DPA found that no valid justification was given for the use of generic language and imposed a fine of €5,000 for the violation of Article 13 GDPR.
With regard to the appointment of a DPO, the DPA recalled that Article 37(1)(b) GDPR provides for three elements that must be examined: “core activity”, “usual and systematic monitoring” and “large scale”. To interpret these terms, the Guidelines of the Article 29 Working Party were again used. Accordingly, “core activity” was understood as the key operations necessary to achieve the controller’s or processor’s goals. However, it should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. In turn, the concept of “usual and systematic monitoring” was defined as including all forms of ongoing, recurring or constant tracking/profiling of data subjects, either online or offline, in a pre-arranged, organised or methodical manner. Finally, to determine whether the processing is carried out on a “large scale”, the DPA assessed: the number of data subjects concerned; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; and the geographical extent of the processing activity. Taking all these criteria as met, the DPA stated that the controller had failed to comply with its obligation to appoint a DPO and imposed a fine of €20,000 for a violation of Article 37 GDPR.
In addition, the DPA ordered the controller to bring its practices into line with data protection regulations with regard to these infringements.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00140/2022
RESOLUTION OF THE SANCTION PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following:
BACKGROUND
FIRST: On 05/28/21, a written complaint submitted by D.A.A.A. (hereinafter, "the claimant") entered this Agency, directed against the entity KFC RESTAURANTS SPAIN, S.L. (KFC), with CIF B86281599, owner of the website https://www.kfc.es (hereinafter, "the claimed party"), for the alleged violation of the data protection regulations: Regulation (EU) 2016/679 of the European Parliament and of the Council of 04/27/16 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data (GDPR), and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD). The claim stated the following:
"The company KFC Restaurants Spain SL does not follow the guidelines of the GDPR on its website https://www.kfc.es. All violations are detailed below:
- The privacy policy for EEA users adapted to the GDPR (https://www.kfc.es/multimarcas) cannot be easily accessed, since the privacy policy link publicly visible at the bottom of the web leads to one for the US (https://www.kfc.es/privacidad).
- When creating an account on the website (https://www.kfc.es/cuenta/registro), registration is not possible without selecting the box "I accept the terms and conditions of use to receive special offers and promotions from KFC and Franchisees", that is, they force you to receive special offers and promotions. At no time is the privacy policy or its acceptance mentioned or linked at the time of registration, only the "terms and conditions of use", which leads to a legal notice.
- The defendant is an entity that carries out advertising and commercial prospecting activities, and carries out processing based on the preferences of the persons affected or activities that involve the creation of profiles of them, according to its cookie policy and privacy policy, so it is obliged to have a Data Protection Officer, and it does not have one.
- In the privacy policy: (a) the recipients of the personal information are not detailed; (b) the details of the person responsible for data protection (company name, NIF, registered office) do not appear; (c) the possibility of making international data transfers is detailed, but the interested party is not informed of the existence of adequacy decisions, guarantees, binding corporate rules or specific applicable situations; only generic formulas are used as suitable guarantees, and the procedure to obtain a copy of these, or that they have been provided, is not explained either; (d) the retention period of the data is not detailed; generic formulas such as "for as long as necessary" are used."
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
SECOND: On 06/29/21 and 07/12/21, in accordance with the provisions of Article 65.4 of the LOPDGDD, this Agency transferred said claim to the claimed party, so that it could proceed to its analysis and report, within one month, on what was stated in the claim document. According to the certificate of the Electronic Notifications and Electronic Address Service, the request sent to the claimed party on 06/29/21 through the electronic notification service "NOTIFIC@" was rejected at destination on 07/10/21. According to the certificate of the State Postal and Telegraph Company, the request sent to the claimed party on 07/12/21 through the postal notification service was notified at destination on 07/22/21.
THIRD: On 08/20/21, the claimed entity submitted a written response to the request made by this Agency, in which, among other things, it stated:
"a.- The website www.kfc.es provides data protection information in a double layer: The first layer is located at the URL www.kfc.es/privacidad and includes information on the processing of personal data carried out by the different brands of the company and details, among others, the following: a) The type of information processed; b) The purposes of the processing; c) The automated processing that may be performed; d) The categories of data recipients; e) The options and control over the information; f) How the data is stored and protected; g) Link to the privacy policy for the European Economic Area and the United Kingdom; h) Information regarding the privacy of minors; i) Contact information.
The second layer is located at the URL www.kfc.es/multimarcas and details, completing the first-layer information, the rest of the information required by article 13 of the GDPR: a. Legal basis of the processing; b. Data storage and transfer; c. Information on the rights of the interested parties and how to exercise them; d. Contact information; e. Annexes detailing the categories of personal data processed, the purposes of the processing and the legal bases for the processing of the same. This second layer is directly accessible at the bottom of the page from "Privacy Notice", which leads to the URL www.kfc.es/multimarcas with information specific to EEA and UK residents and includes the rest of the information required by article 13 of the GDPR.
Similarly, the Privacy Policy should include the following statement at the top to direct users to the disclosures of particular jurisdictions: "Consult our Global Privacy Policy below in effect for your jurisdiction. See section 7 Disclosures by jurisdiction to find specific additional privacy information for your state or country."
Not having this statement is an omission in our Privacy Policy, which we will correct along with any other changes and improvements to be made as a result of this claim. Implementation date: these changes will be applied as of September 30, 2021.
b.- Impossibility of creating an account if the sending of special offers and promotions is not accepted: The web account creation space is designed to allow the creation of accounts without having to accept the sending of special offers and promotions. However, due to an error or failure in the configuration of the form, the texts corresponding to both acceptance checkboxes include authorization to receive special offers and promotions. The text of the first checkbox is correct, this being the one corresponding to the express acceptance by the user to receive offers and promotions from KFC, and it is optional. The text of the second checkbox should only include the acceptance of the terms and conditions of use and the privacy policy, although by mistake the label "to receive special offers and promotions" was included when it should state "I accept the terms and conditions of use and the privacy policy to register at www.kfc.es", and it is compulsory. Although the text of the checkbox indicates that the authorization refers to the reception of offers and promotions, the internal treatment of the authorization is limited to the acceptance for the creation of the user account. Once the error was detected, KFC proceeded to correct and modify it so that the texts of the checkboxes correspond to the authorizations. Implementation date: these changes have already been applied. A screenshot of the account creation form is attached as Annex II.
c.- The form does not provide a link to the privacy policies at the time these have to be accepted for the creation of an account. The web account creation form link is designed to allow access to the terms and conditions of use and the privacy policy.
However, due to an error or failure in the configuration of the hyperlink, it points to the Legal Notice instead of the correct texts. Once the error was detected, KFC proceeded to correct and modify it so that the hyperlink points to the terms and conditions of use. Implementation date: these changes have already been applied.
d.- A Data Protection Officer has not been appointed, taking into account that the entity carries out advertising and commercial prospecting activities and carries out processing based on the preferences of the persons affected or activities that involve the creation of profiles of them. At KFC we interpret that, due to the nature of the data processing carried out, we are not obliged to designate a Data Protection Officer, since we are not in any of the specific cases established by article 37.1 of the GDPR. In relation to these cases, we must emphasize that section b of article 37.1 of the GDPR establishes that a DPO must be designated "when the main activities of the controller or processor consist of processing operations which, due to their nature, scope or purposes, require regular and systematic observation of interested parties on a large scale". As established in recital 97 of the GDPR, it is understood that the main activities of a controller are related to "their primary activities and are not related to the processing of personal data as auxiliary activities; therefore, the main activities can be considered the key operations necessary to achieve the objectives of the controller or of the processor".
In this regard, KFC's core business does not focus on processing data of users of the website www.kfc.es; rather, this is an activity auxiliary to the main one, which is the provision of restaurant services to our clients, and this is carried out mainly without the need to process their personal data and in person at our restaurants and venues. Orders placed remotely, either through the website www.kfc.es or through other channels, are treated as an activity auxiliary to the main one and, due to the nature of the service, require the processing of certain data of users and clients for the billing and delivery of orders.
In the same way, for the obligation to designate a DPO to arise, the processing should require regular and systematic observation of interested parties. In this regard, the Article 29 Working Party interprets "regular" with one or more of the following meanings: continuing or occurring at specified intervals during a specified period; recurring or repeated at preset times; occurring constantly or periodically. And "systematic" with one or more of the following meanings: occurring according to a system; prearranged, organized or methodical; taking place as part of an overall data collection plan; carried out as part of a strategy.
In this regard, due to the nature and purpose of the data processing, as indicated above, namely the management and billing of orders made at the request of customers and users through the website, we consider that it cannot be regarded as regular and systematic observation of interested parties. In the same way, for the obligation to designate a DPO to arise, the processing of personal data must be carried out on a large scale.
Although the GDPR does not define what is meant by large-scale processing, both recital 91 of the GDPR and the Article 29 Working Party give guidance in this regard, taking into account the following factors when determining whether processing is carried out on a large scale: the number of interested parties affected, either as a specific number or as a proportion of the corresponding population; the volume of data or the variety of data elements that are subject to processing; the duration, or permanence, of the data processing activity; the geographical scope of the processing activity. Data processing is limited to those customers and users who wish to place orders through our website; there are other channels for remote ordering. The volume or variety of data subject to processing is limited to that necessary to carry out orders, in compliance with the principle of data minimization. Similarly, the total number of users registered on the website www.kfc.es does not exceed 20,000 and is limited to customers and users within the national territory, Spain. KFC does not meet any of the above factors, so we do not consider that the processing of customer and user data is carried out on a large scale. For all of the above, at KFC we have been considering that we were not obliged to designate a Data Protection Officer. However, and based on the claim received, if the AEPD believes that there is sufficient evidence that certain processing activities require us to appoint a Data Protection Officer, we will take it into consideration to re-evaluate the legal requirements for its designation.
e.- In the privacy policies: The recipients of personal data are not detailed.
The general privacy policy included at the URL www.kfc.es/privacidad includes in its section 4 the information regarding how users' information is shared, and in section 7, jurisdictional disclosures, in relation to the communication of data made to public authorities based on the state or country of residence of the user. Section 4 of the privacy policy describes up to 10 different categories of recipients of the data.
In this regard, the GDPR in its article 13.1 e) indicates that the controller must inform of the recipients or the categories of recipients of personal data, if applicable. In the same way, the AEPD itself, in its Guide for the fulfillment of the duty to inform, in its heading 7.4 Recipients, indicates the following: "When it has been planned to transfer or communicate, legitimately, the personal data that is collected, the identity of the recipients will be informed, if they are clearly predetermined, or of the categories of recipients, if these are not predetermined." In this case, and since it is a general privacy policy that applies to all brands and to different territories, the recipients are not predetermined and therefore only information is provided on the categories of recipients to whom the data may be communicated, including the purpose of the communication. We understand that the information provided in the general privacy policy complies with the requirements of article 13.1 e) of the GDPR regarding the provision of information on the categories of recipients.
On the non-appearance of the details of the person responsible for data protection.
In this case, due to the general nature of both privacy policies, privacy included in the web www.kfc.es -general applicable to all territories and specific to residents of the EEA, UK and Switzerland-, identification of the data controller can be found in the Legal Notice. We take note of this shortcoming and we will incorporate this improvement to provide greater clarity and transparency to the information provided in the policies of privacy, redirecting users to the Legal Notice in the privacy policy privacy for the identification of the person in charge of the treatment in each territory, including Spain. These changes will be applied at the end of Sep. 2021. The possibility of making international data transfers is detailed, but the interested party is not informed of the existence of adequacy decisions, guarantees, binding corporate rules or specific situations applicable. The specific privacy notice for the EEA and the United Kingdom informs the users of the possibility of making international transfers, it includes mention that, if done, KFC will ensure that: a) the personal information is transferred to countries recognized for offering a equivalent level of protection; either b) the transfer is made in accordance with appropriate safeguards, such as the standard clauses on data protection adopted by the Commission European. Notwithstanding these measures, the country and jurisdiction to which C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/50 transferring the data can provide a level of data protection lower than that provided for in EEA or UK law. 
Although this information may seem too generic, we take note and we will incorporate an improvement to provide greater clarity and transparency to the training provided in the privacy policy, redirecting users to the contact addresses of each person in charge in each territory, so that may request additional information on international transfers that can be realized and the appropriate guarantees used to guarantee the adequate level of security in them. Attached is a screenshot of the information provided about international transfers as Annex III. Implementation date: these Changes will be applied as of September 30, 2021. d. The time of conservation of the data is not detailed. The privacy policy included in the URL www.kfc.es/privacidad includes in its section 6 the information regarding the data retention period. Article 13.1 a) of the GDPR indicates that the data controller must inform the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this term. In this case and since it is a general privacy policy that applies to all brands and for different territories, the retention periods of the data are not predetermined and therefore it is provided only information regarding their conservation criteria, indicating that they will be kept “for the time reasonably necessary to maintain the Service, comply with legal and accounting obligations, and other purposes described in this Policy, or as otherwise required or permitted by law.” The information related to the retention period of the data is attached as Annex IV. data. Therefore, we understand that the information provided in the privacy policy general privacy complies with the requirements of article 13.1 a) of the GDPR in regarding the provision of information regarding the conservation periods of the data or the criteria to establish said deadlines. 
However, and although this information may seem too generic, we take note and will incorporate an improvement to provide greater clarity and transparency in the information provided in the privacy policy: we will incorporate retention criteria or longer retention periods specific to the privacy notice for the EEA and the UK. Implementation date: these changes will be applied as of September 30, 2021. FOURTH: On 10/25/21, the Director of the Spanish Data Protection Agency issued an agreement admitting the claim presented for processing, in accordance with article 65 of the LOPDGDD, upon assessing possible reasonable indications of a violation of the rules within the field of competence of the Spanish Data Protection Agency. FIFTH: On 11/30/21 and 02/09/22, within the framework of the actions carried out by the General Sub-directorate of Data Inspection in order to clarify certain facts of which this Spanish Data Protection Agency had become aware, and in use of the powers conferred by article 58.1 GDPR and art.
67 LOPDGDD, the claimed entity was required to provide further information on: a).- the list of activities of the entity that involve processing of personal data, expressly detailing whether customer data is processed for advertising purposes; b).- for each activity, the following must be provided: the number of customers whose data is processed, the variety of data elements of each customer that are subject to processing, the time during which the data of each customer is processed and details of the permanence of such data in its information systems, and the geographical or territorial scope of the processing, detailing whether its systems process data relating to customers of a certain territorial scope or of the entire national territory; and c).- a summary of the analysis carried out by the entity to assess the need to appoint a DPD, indicating whether it has appointed one and, if so, whether this has been communicated and published. SIXTH: On 03/01/22 and 03/10/22, the claimed entity sent this Agency two separate writings in response to the requirement made by this Agency, in which, among other matters, it reports on the following aspects: "An extract from the Record of Processing Activities (RAT) is provided, in which all the processing activities carried out by KFC in connection with advertising activities with customers are listed, indicating the number of customers whose data is processed and the type of data processed for each activity, as well as the time during which said data is processed. In this regard, KFC has a data retention calendar and an internal protocol for the retention/deletion of personal data that has ceased to be necessary. It should be noted that KFC does not under any circumstances perform profiling; processing activities related to the sending of commercial information are carried out on the basis of user consent (opt-in system) and without user segmentation.
The processing activities related to advertising are always carried out with the prior consent of the user, unlike the processing activities related to the fulfilment of users' orders, which are carried out on the basis of the performance of a contract. The geographical scope of the processing activities is Spain, with data management centralised for the entire national territory. Regarding the analyses carried out by the entity to assess the need to appoint a DPO, indicating whether one has been appointed and, if so, whether this has been communicated and published: in this regard, KFC has understood that there is no obligation to appoint a DPO, because the processing activities carried out are not those of article 37 GDPR nor is the entity among those obliged under article 34 LOPDGDD. Likewise, compliance management in terms of data protection has been exercised by internal personnel specialised in data protection, in particular from the UK, through B.B.B., Global Privacy Lead Counsel Head, and with the advice of external experts in each of the countries in which it operates. However, and as previously indicated, we will proceed internally to periodically evaluate the need for its designation, based on possible operational changes as well as the start of new business lines that may involve the incorporation of new processing activities, in order to offer greater guarantees of compliance to our customers and users regarding the activities and procedures in the processing of personal data, in particular if profiling activities are initiated.
II.- That on March 1, 2022, a written request for an extension of the deadline was submitted, given the complexity and volume of information and/or documentation to be handled in order to complete the aforementioned requirement in the most appropriate way possible for the proper processing of the requirement, as well as the need to coordinate the response with the US parent company, Yum Restaurants International Management LLC, the AEPD confirming the granting of said extension. III.- That, by virtue of the aforementioned requirement, this Agency is provided with the documentation required, as follows: a copy of an extract of the Record of Processing Activities related to customers and advertising purposes as Annex I, and a copy of the Internal Analysis carried out to evaluate the need to appoint a DPD as Annex II. SEVENTH: On 03/21/22, this Agency, when accessing the "Privacy Policy" of the web page www.kfc.es, was able to verify the following characteristics: a).- On obtaining the consent of users for the processing of their personal information: 1º.- Through the link <<Create your account>>, located at the top of the main page, the website redirects to a new page, https://www.kfc.es/cuenta/registro, where the user can register on the web and where name, surname, telephone, email and credit card number are requested. In order to send the form, the user must necessarily click the option: _ I accept the <<Terms of use>>. There is also the possibility of voluntarily registering to receive special offers and promotions by clicking on the option: _ I want to sign up to receive special offers, raffles and promotions from KFC and/or its franchisees. For more information, visit our <<Privacy Policy>>.
<<Create my Pollo Pollo account>> 2º.- Through the link <<Start Order>>, located at the top of the main page, the web redirects to a new page, https://www.kfc.es/store-selection, where the user can select the order and choose to receive it at home or pick it up at the establishment. Once the order has been selected, to process it the website redirects the user to a new page, https://www.kfc.es/checkout, where the user's personal data must be entered: name, surname, telephone, email and credit card number. In order to send the form, the user must necessarily click the option: _ I accept the <<Terms of use>>. There is also the possibility of voluntarily registering to receive special offers and promotions by clicking on the option: _ I want to sign up to receive special offers, raffles and promotions from KFC and/or its franchisees. For more information, visit our <<Privacy Policy>>. <<Order Now>> 3º.- Through the link <<Work with us>>, located in the menu at the upper right, the web redirects to a new page, https://www.kfc.es/nosotros/trabaja-en-kfc, where the user can register to receive job offers, at the link https://kfc.epreselect.com/General/Alta.aspx. Once the personal data has been entered (name, surname, email, ID), the user must necessarily click on the boxes: _ I am not a robot. _ I have read, understand and accept the <<Privacy Policy>>. There is also a banner with the following information: Basic Information on Data Protection: Controller: KFC IBERIA; Purposes: to include in the Company's database of candidates the curriculum vitae data that you provide us when you create your account with us, in order to use them in future selection processes in which your profile may fit; Legal basis: consent of the data subject; Recipients: we will not communicate your data to third parties except under legal obligation and to the companies indicated in the additional information.
4º.- Finally, there is also the possibility of providing personal data to the entity through the subscription page for special offers and promotions, https://www.kfc.es/subscripcion, where the user must provide name, surname and email. Before being able to send the newsletter subscription, the user must click on the option to accept it: _ I want to sign up to receive special offers, raffles and promotions from KFC and/or its franchisees. For more information, visit our <<Privacy Policy>>. b).- Regarding the "Privacy Policy": 1º.- If the clauses of the "Terms of Use" of the web are accessed, through the links existing in the different forms or through the link at the bottom of the main page, the web redirects to a new page, https://www.kfc.es/nota-legal, where information is provided, among others, on the following aspects: (…) Contact: the websites are owned and managed by kfc restaurant spain s.l., a company registered in Spain, whose registered office is at Serrano Galvache 56, Madroño building, 3rd floor, KFC, Madrid, 28033. CIF: B86281599. To contact us, call +34 917 68 07 30. Registration: Data protection: we will collect, store and process your personal information in accordance with our privacy policy. Please read our <<privacy policy>> to make sure you are satisfied with and understand its content before creating an account. Terms and conditions for orders placed via mobile: data protection: we will collect, store and process your personal information in accordance with our <<privacy policy>>. Please read our privacy policy to make sure you are satisfied with and understand its content before creating an account.
If you are not satisfied with the service you have received, please contact us through clientes@kfc.es or +34 91 904 18 81 (…) 2º.- If the "Privacy Policy" of the web is accessed, through the links existing in the different forms or through the link at the bottom of the main page, the web redirects to a new page, https://www.kfc.es/privacidad, where information is provided, among others, on the following aspects: "About the personal information they collect; How they use the personal information; What information may be collected automatically; How they share the collected information; About the options and control over the information collected; How they store and protect the information; On European jurisdictional regulations, they expressly indicate the following: "When we have an establishment in the European Economic Area ("EEA"), the United Kingdom or Switzerland, or we are processing personal data relating to persons located in the EEA, UK or Switzerland, please <<click here>> for additional information about our data privacy practices"; About children's privacy; About links to other websites and services; How to contact the website managers; And about changes in the privacy policy (…)". 3º.- If the "Privacy Notice" of the web is accessed, through the link at the bottom of the main page, the web redirects to a new page, https://www.kfc.es/multimarcas, where specific information is provided on the processing of personal data obtained in the EEA, the United Kingdom or Switzerland, among which the following information can be found: About the controller: KFC Spain: KFC Restaurants Spain, S.L., with NIF B86281599 and address at Calle Serrano Galvache (Pq. Business Pq. Norte), 56 - Edif. Olmo, Fifth Floor, Madrid, Madrid. Email: clientes@kfc.es. Telephone: 91 904 18 81. On the legal basis for data processing.
On the basis of the consent given and on the right to withdraw your consent at any time, when it has been granted. About the storage and transfer of data in the EEA and the United Kingdom. On the individual rights of EEA residents and how to exercise them, and the right to file a complaint with your local authority. How to contact the person in charge of the web. In addition to the information provided in the "Privacy Policy" and in the "Privacy Notice", two annexes are attached with the following information: - Annex 1 sets out in detail the categories of personal information collected, as well as the legal basis on which they rely to process the personal information and the recipients of such personal information. - Annex 2 sets out the categories of personal information that they collect and how they use that information. The table also lists the legal basis on which they rely to process personal information and the recipients of such personal information. EIGHTH: On 05/31/22, the Directorate of the Spanish Data Protection Agency initiated a sanctioning procedure against the claimed entity, upon appreciating reasonable indications of violation of the provisions of the following articles: a).- Violation of article 6.1 of the GDPR, due to the non-existence of a mechanism that allows users to give their consent to the processing of their personal data for each and every one of the purposes for which the personal data are processed, when applicable, with an initial penalty of 30,000 euros (thirty thousand euros). b).- Violation of article 37 of the GDPR, due to the failure to appoint a Data Protection Officer, with an initial penalty of 20,000 euros (twenty thousand euros). c).- Violation of article 13 of the GDPR, due to the lack of information provided in the "Privacy Policy" on the processing of the personal data obtained, with an initial penalty of 5,000 euros (five thousand euros).
As certified by the Single Authorised Electronic Address Service (DEHÚ), the letter initiating the file, sent to the claimed party on 05/31/22 through the electronic notification service "NOTIFIC@", was made available to the claimed party on 06/01/2022, the certificate showing 06/12/22 as the date of automatic rejection. Although the notification was validly made by electronic means, the procedure having been carried out in accordance with the provisions of article 41.5 of the LPACAP, a copy of the document initiating the file was sent by postal mail for information purposes, and was delivered at destination on 07/26/22. NINTH: Once the initiation agreement had been notified to the claimed party, the latter, in a writing dated 08/09/22, formulated, in summary, the following allegations: FIRST.- REGARDING THE PROPOSED SANCTION FOR VIOLATION OF ARTICLE 6.1 OF THE GDPR. 1.1. THE INVESTIGATIVE ACTIVITY OF THE AEPD IS INSUFFICIENT TO ORDER THE START OF THE SANCTIONING PROCEDURE. Article 53 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, "LOPDGDD"): "1. Those who carry out the investigative activity may collect the information necessary for the fulfilment of their functions, carry out inspections, require the display or sending of the necessary documents and data, examine them in the place where they are deposited or where the processing is carried out, obtain a copy of them, inspect the physical and logical equipment and require the execution of processing and of the programs or procedures for managing and supporting the processing subject to investigation". For its part, article 67 of the LOPDGDD provides the following: "1. Before the adoption of the agreement to initiate the procedure, and once the claim, if any, has been admitted for processing, the Spanish Data Protection Agency may carry out preliminary investigation actions in order to achieve a better determination of the facts that justify the procedure".
In other words, the AEPD is responsible for carrying out investigative tasks sufficient to determine the scope of the potential infringements committed prior to issuing the agreement to initiate any sanctioning procedure. And this in accordance with the provisions of article 68 of the LOPDGDD, said article specifying that the initiation of the procedure for the exercise of the sanctioning power will proceed once the investigative actions of the AEPD have concluded and, in any case, if as a result of said investigations it is appropriate to initiate such a procedure. Based on the foregoing, it should be noted that the reasons why the AEPD proposes a penalty of 30,000 euros in the framework of this sanctioning procedure are set out on pages 31 and 32 of the Agreement to Initiate the Sanctioning Procedure. These reasons can be summarised as KFC carrying out personal data processing for purposes "written in a generic form, which allow unlimited further processing once the purpose for which they were obtained has been fulfilled." In this regard, the AEPD bases its decision – without taking into account the aggravating circumstances, which will be duly refuted later in this writing – SOLELY AND EXCLUSIVELY on the wording of the privacy policy that was published on the KFC website at the time the AEPD carried out its investigative work.
And this without taking into account that: the purposes indicated in the privacy policy on which the sanction is proposed describe potential situations and do not imply that they are actually carried out, or that they are carried out in a totally lawful manner, as will be explained; and, most importantly, such further processing for which a sanction is proposed is not included in the Record of Processing Activities already provided to the AEPD, which represents a clear lack of verification on the part of the AEPD when determining the eventual existence and scope of the presumed infringement committed and the calculation of the proposed sanction. KFC is at all times in compliance with its data protection obligations, and specifically with those derived from the lawfulness of the processing of personal data that it does carry out, in accordance with Article 6 of the GDPR. Without going any further, the AEPD says nothing about the personal data collection forms transcribed on pages 13 to 16 of the Agreement to Initiate the Sanctioning Procedure. They show KFC's good conduct and the correct management it carries out when collecting personal data from its data subjects, and the appropriate layered information it provides about the processing it actually performs. However, the AEPD proposes a sanction against KFC for violation of article 6 of the GDPR for the inclusion in its privacy policy of processing described with terms such as "we may use" or "we may share", from which it cannot at all be concluded that KFC actually carries out any processing. The AEPD, in its Agreement to Initiate the Sanctioning Procedure, is talking about hypothetical processing without any supporting evidence that it is actually being carried out.
Furthermore, as explained in the preliminary information phase that precedes this disciplinary procedure, the Record of Processing Activities requested from KFC and duly provided in due time and form before the AEPD incorporates the processing of customer data for advertising purposes. None of the processing that the AEPD now mentions in order to propose a sanction is among them. As much as KFC's privacy policy left open the possibility of processing data for the purposes of "profiling, reward or customer loyalty programs; sharing, selling or disclosing the information obtained to the parent company, to other companies in the group or subsidiaries other than for administrative management, or selling, sharing or disclosing the personal data obtained", the truth is that said processing is not currently carried out by KFC, as is duly stated in the aforementioned Record of Processing Activities provided to the file, which says nothing about said processing, nor about the data communications to third parties that are mentioned (and cannot say so, because this processing is not carried out by our company). In addition, KFC does not conduct any activity related to a reward or customer loyalty program. This has not been confirmed by the AEPD in the transcription of the privacy texts contributed to this procedure nor by the complainant in his claim.
The investigative activity of the AEPD in these proceedings consisted exclusively of requiring KFC to provide: «List of activities of the entity that involve processing of personal data, expressly detailing whether customer data is processed for advertising purposes. For each activity the following must be provided: o the number of customers whose data is processed, o the variety of data elements of each customer that are subject to processing, o the time during which the data of each customer is processed and details of the permanence of said data in its information systems; o the geographic or territorial scope of the processing, detailing whether its systems process data relating to customers of a certain territorial area or of the entire national territory.» Having observed the existing inconsistencies between what is described in KFC's Record of Processing Activities and what is reported in its privacy policy, the AEPD should have continued its investigative work and should not have proposed a sanction, given the clear and evident lack of elements of conviction that would even allow one to intuit that KFC had committed any breach of the GDPR of the nature described here. By way of illustration, the RAT provided in the information request procedure E/12752/2021 followed by this Agency: 1.2. IN THE PRIVACY POLICY INVESTIGATED, THE PROCESSING THAT MAY BE CARRIED OUT IS IDENTIFIED AND THERE IS A SUFFICIENT LEGAL BASIS FOR IT. Notwithstanding what is described in Allegation 1.1 above, and the fact that KFC has never carried out the processing described in the AEPD's Agreement to Initiate the Sanctioning Procedure, it is noteworthy that, even in the case that the processing of personal data indicated by the AEPD had taken place, it is identified in the KFC privacy policy which is transcribed in the aforementioned Agreement to Initiate the Sanctioning Procedure, and there is no foundation to propose a sanction based on article 6.1 of the GDPR.
The AEPD proposes a sanction against KFC for carrying out processing subsequent to that identified in the KFC privacy policy, based on article 6.1 of the GDPR, but really the only way it is aware of such processing is precisely through what is indicated in KFC's privacy policy. That is, a sanction is being proposed for carrying out further processing that is identified in KFC's own privacy policy. In fact, it is the AEPD itself that, to justify its sanction proposal, extracts paragraphs of KFC's privacy policy stating that KFC may carry out said processing with respect to its data subjects. What should not be confused is the execution of processing for further purposes, on the one hand, with the duty of transparency under article 13 of the GDPR, on the other, when describing said processing and its legal bases. And for this the AEPD is already proposing a sanction, as can be seen on page 40 of the Agreement to Initiate the Sanctioning Procedure. KFC is already facing a proposed sanction for breach of the duty of transparency, and the reality is that the AEPD is making up a second sanction for lack of transparency shielded by an implausible violation of article 6.1 of the GDPR based on evidence that is precisely obtained from KFC's privacy policy. It is completely incongruous to propose a sanction against a controller for carrying out further processing identified in its own privacy policy, precisely because the main reason for sanctioning further processing resides in processing data for a purpose other than that initially informed – Recital 50 GDPR –.
In any case, we can speak of an omission in identifying the legal bases of each of the processing operations that the AEPD identifies in its Agreement to Initiate the Sanctioning Procedure, but, as will be seen, the lack of transparency on the identification of the legal bases does not imply unlawful processing of personal data: when talking about "personalising your experience with us", the AEPD is confusing profiling with a mere segmentation activity for the sole purpose of carrying out marketing activities, perfectly compatible with the data protection rules and with the criteria of the European Data Protection Board as well as of the Article 29 Working Party. The fact that KFC adjusts the offer of its products and services to the preferences expressed by its customers during the purchase of products is inherent to the activity of any company that is duly organised and that carries out a diligent activity oriented to the best service to its customers. The Article 29 Working Party, in its Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, of October 3, 2017, indicates that user segmentation activities can be processed on different legal bases, among them the performance of the contractual relationship between the customer and the controller, and the legitimate interest pursued by the controller, in this case KFC. The truth is that, to date, the AEPD has not required KFC to indicate the legal basis of this processing of personal data, insofar as it is proposing a sanction for an unfortunate and non-existent infringement.
Likewise, the segmentation that emerges from the wording of KFC's privacy policy matches the parameters set forth by the Article 29 Working Party to base such processing either on the performance of the contractual relationship or on the legitimate interest of KFC: from reading the privacy policy it does not follow that KFC draws up an exhaustive or detailed profile subject to the prior consent of the data subject, especially if we take into account the main activity of KFC, which is none other than the sale of fried chicken in physical establishments. What can be the degree of completeness of the profiling for the sale of products of this type? Whether the customer prefers a bucket of fried chicken or a chicken burger? Of course, it cannot be concluded that profiling activities subject to consent are taking place based on the information available to the AEPD. Regarding the geolocation processing indicated by the Agency, it should be emphasised that our privacy policy clearly states in section "5. Your Choices and Control Over Your Information" that it will only be carried out with the consent of the data subject: consent that, in addition, is complemented by the privacy configuration options that are offered to users and that are clearly explained in our privacy policy. The other processing identified by the AEPD is "promoting our affinity and rewards programs" – this can clearly be done by KFC, both for those customers who have given their consent for promotions and for any other customer, in accordance with the provisions of Article 21 of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce. In addition to the fact that, as indicated, it is not further processing, it is processing clearly identified in the privacy policy and clearly linked to KFC's own activity in relation to the processing of the data of the people who voluntarily register on our website.
Regarding the communication of personal data both to third parties and intragroup, we indicate that section 4 of the KFC privacy policy identifies all categories of third parties that can access data subjects' data and under what circumstances. Again, we are not talking about a matter of subsequent processing under article 6.1 of the GDPR but about whether the information provided is sufficiently transparent, for which a sanction is already being proposed (so the one that is now proposed is not applicable, based on the principle of non bis in idem). Lastly, as regards considering the reference in our privacy policy to "service providers" as recipients of the data of our registered web users, it could not be more out of place, for the following reasons: we reiterate that, in any case, the foregoing would imply an alleged violation of article 13 GDPR, for the alleged violation of which a sanction against KFC is already proposed, so that, again, it is not appropriate to sanction again on the basis of article 6.1 GDPR by application of the non bis in idem principle; but it is also the case that sharing data from our registered users with service providers, with whom KFC has duly signed the corresponding processor contracts, is not at all processing subsequent to the main processing of said users' data, but something intrinsically linked to said main processing. Anyone with elementary knowledge of economics knows of the existence of the value chain, and that all economic activity is supported by the concurrence of external providers to whom the more efficient management of the production processes of any organisation is entrusted. If the above were not enough, art. 13 GDPR itself expressly allows the recipients of data to be identified by "categories" of the same, so that, with the reference to external providers, said precept is complied with when providing information to our registered users.
SECOND.- REGARDING THE PROPOSED SANCTION FOR VIOLATION OF ARTICLE 37 OF THE GDPR. The AEPD identifies a possible offence committed by KFC for not having appointed a data protection officer while being obliged to do so according to the criteria of article 37 of the GDPR, mentioning the criteria established by the Article 29 Working Party to determine the need to designate a data protection officer. Where this party does not agree with the actions of the AEPD in the present procedure is in the way of applying the Guidelines on Data Protection Officers to the present factual situation to conclude that KFC must designate a data protection officer. Next, the conclusions reached by this party are set out to consider that the elements indicated in article 37.1 b) of the GDPR are not met and that, therefore, it is not necessary to designate a data protection officer: (i) Regarding the "main activity": in accordance with what is specified by the Article 29 Working Party, the main activities must be associated with those activities and "key operations necessary to achieve the objectives" of any company in its commercial activity. The AEPD makes use of examples such as hospitals or private security companies whose operations and activities are closely linked to the processing of personal data – health data and systematic surveillance, respectively –. However, the main activity of KFC is the provision of catering services at physical points of sale through its franchisees, without the need for any processing of personal data relating to the consumers of such products. It does not make sense that the AEPD, on page 43 of the Agreement to Initiate the Sanctioning Procedure, indicates that the corporate purpose is not related to the main activity, and then uses KFC's corporate purpose to say that it is obliged to designate a data protection officer.
But, in addition, our website is by no means the centre of KFC's activity; rather, it is only one of the channels that KFC uses to put consumers of our products in contact with the franchisees through which our products can be purchased (among other channels that KFC uses to achieve this purpose are advertising in the media, advertising on public roads, advertising campaigns, sponsorship, alliances with third-party organisations, etc.). Consequently, it is clear that KFC does not use its website as the main point of sale of its products (such main points of sale are and will always be the establishments of its franchisee network). As indicated above, KFC online sales during 2021 amounted to 2,530,000 euros. This is 1.1% of total KFC sales in Spain through its franchisees; therefore, to indicate that «the nature of the plaintiff's activity inextricably requires the processing of personal data, without which its development would be impossible» is a conclusion that is not only erroneous and imprecise, from the moment that the bulk of KFC's income in Spain comes from sales other than those of its web page, but also lacks any proof from the Agency. The GDPR pronounces precisely along this line in its Recital 97 when it understands that «the main activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities». Taking into account the disproportion of KFC's online sales with respect to its total sales volume, it can hardly be understood that such activity is considered as primary and, therefore, as main.
In short, if the criteria set forth by the AEPD were followed, any company that has a website as a complementary channel for its activity would be obliged to designate a data protection officer, and this conclusion would render Article 37 of the GDPR and Article 34 of the LOPDGDD meaningless and would be clearly contrary to the letter and spirit of the rule regarding this specific obligation to designate a person responsible for ensuring compliance with privacy regulations.

Regarding "regular and systematic monitoring": KFC's activity on its website does not fit the definitions given by the AEPD itself, since there is neither "a general data collection plan" nor is it carried out "as part of a strategy", and the AEPD provides neither proof nor any evidence of such accusations. The only thing that happens to the personal data of its customers processed in the KFC web environment is that they place orders to receive food at home or pick it up at KFC franchisee establishments, and promotional campaigns and actions are carried out to retain customers. In no case is systematic monitoring of the data subjects carried out. Geolocation tasks only occur, as is obvious and evident, when the data subject wishes to locate a nearby store, wishes to receive the order at home, or, where an appropriate legitimising basis exists, wishes to receive promotional information about the place in which he or she is located. This is by no means constant over time and can only occur at the request of the user who makes use of the KFC website and after having obtained his or her consent.

Regarding "large-scale" processing: On this point, we refer fully to what is indicated in the Fourth Allegation below.
The volume of data of customers who placed orders in KFC's online environment in 2021 amounts to 110,000 registrations, which made 153,439 orders; another 100,000 records are those that received commercial communications during 2021. All of them are limited to the geographical area of Spain, for specific purposes identified in the privacy policy. Added to this, the risk in the processing is low, since no data of the categories established in Articles 9 and 35 of the GDPR are processed, nor do the circumstances indicated for this purpose in the guidelines of the Article 29 Working Party arise, nor the conditions indicated in Article 28 of the LOPDGDD. All of this can be seen in the Record of Processing Activities referred to throughout. Added to this, it should be made clear that throughout the investigation phase the AEPD has not been able to link the data processed by KFC on its website to any app, much less to a widely implemented app (which is too ambiguous a term to be considered a sufficient criterion for proposing a sanction of 20,000 euros). Lastly, with regard to geolocation, it should be noted that, as specified before, said activity is not included in any data protection regulation as high-risk or especially protected data. The only example can be found in Article 28.2(d) of the LOPDGDD, and in this regard it must be qualified that said geolocation actually corresponds to a monitoring system intended for profiling and based on geolocation and movement tracking, which KFC does not do at all. The previous elements, assessed as a whole, can in no way determine that KFC must designate a data protection officer, and they confirm the legal analysis of the information request procedure E/12752/2021, in which KFC confirmed having carried out the pertinent analyses and concluded that it did not need to designate such a figure.
This makes this second sanction proposal inadmissible.

THIRD.- REGARDING THE PROPOSED SANCTION FOR VIOLATION OF ARTICLE 13 OF THE GDPR. The AEPD considers that, after reading KFC's privacy policy and the description of the purposes of the processing carried out in it, KFC is committing a violation of Article 13 of the GDPR in that it is not complying with the duty of transparency required of it when informing its data subjects about the purposes of the processing it carries out. For this, it applies the criteria established in Article 74 of the LOPDGDD and classifies the infringement as minor. In this regard, KFC has nothing to add and refers to what is indicated in the First Allegation of this brief of allegations, without prejudice to pointing out that, as the AEPD itself confirms in its resolution to initiate disciplinary proceedings, throughout the prior information process that precedes this procedure KFC has been improving its privacy policy in those aspects which, according to the information requirements received from the AEPD itself, were understood to be susceptible to improvement. However, the AEPD imposes for such non-compliance a sanction that exceeds the criteria for the imposition of sanctions established in the GDPR itself. Without going any further, Recital 148 of the GDPR establishes the following: "In order to strengthen the enforcement of the rules of this Regulation, any infringement of this Regulation should be punished with penalties, including administrative fines, in addition to appropriate measures imposed by the supervisory authority pursuant to this Regulation, or instead of them. In the case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden on a natural person, a warning may be issued instead of a fine."
The truth is that there are no sanctioning precedents in data protection matters involving KFC, and the entity is already in the process of updating the information it provides to its stakeholders in digital environments. KFC considers that, in the absence of aggravating circumstances for the imposition of any sanction (as explained below) and taking into account what was stated in the different allegations, as well as the fact that the offence has been classified as minor, a warning is the appropriate sanction instead of the fine of 5,000 euros proposed by the AEPD.

FOURTH.- THERE ARE NO AGGRAVATING CIRCUMSTANCES THAT INCREASE THE AMOUNT OF THE PROPOSED SANCTIONS. To determine the amount of the sanctions proposed by the AEPD, of 30,000 and 20,000 euros, the Agency itself resorts to two elements which are nowhere near the reality of KFC's commercial activity in Spain. The first of them refers to the intentionality of the infringement committed. For this, the AEPD bases its reasoning on the Judgment of the National Court of October 17, 2007. Said judgment specifies that, to assess the degree of diligence required of the controller, attention must be paid to determining whether "the appellant's activity is the constant and copious handling of personal data". The truth is that, although activities are carried out in digital environments (the sale of KFC products on the internet) and it can be deduced that constant data processing takes place, UNDER NO CIRCUMSTANCES should such constant data processing automatically be understood as abundant, by the mere fact that KFC is a recognised brand in Spain.
The Record of Processing Activities contributed to the information request procedure E/12752/2021 clearly indicates that the total number of users registered through the KFC website in Spain in 2021 does not exceed 110,000, who placed 153,439 orders in 2021, and that the number of records that receive commercial communications (opt-in) is 100,000; these being the maximum numbers of data subjects linked to the processing operations for which the AEPD proposes a sanction. We must remember that the Article 29 Working Party, in its Guidelines on Data Protection Officers (DPOs), specifies which criteria must be taken into account to consider that there is large-scale, or abundant, data processing, as indicated by the National Court: "In any case, the Working Party recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale: the number of data subjects concerned, either as a specific number or as a proportion of the relevant population; the volume of data or range of different data items being processed; the duration, or permanence, of the data processing activity; the geographical extent of the processing activity." In the present case, it must be indicated that the data of KFC's online users (110,000 registered users), with respect to the total Spanish population that buys online (28.5 million citizens), is negligible, as it is only 0.00385% of the total. The variety of data of such users registered with KFC, as the AEPD itself acknowledges, is also reduced, because only contact data, location data and identifying data are processed in order to provide the services and supply the products offered. The duration of the processing, as indicated in the Record of Processing Activities, is 5 years maximum. And the geographic scope is limited to Spain.
For all these reasons, the application of this aggravating factor is entirely unfair. In addition, and with regard particularly to the sanction for not designating a data protection officer, it is absolutely inappropriate to apply such an aggravation of culpability, since KFC has carried out (and has demonstrated it) the pertinent assessments to consider that it is not necessary to designate a data protection officer. If the sanction is confirmed, such an aggravating circumstance should not be taken into account, inasmuch as KFC has taken all precautions, fulfilling its duty of proactive responsibility to analyse the need to appoint a data protection officer, and did not consider it necessary. Secondly, and regarding the second aggravating circumstance proposed by the AEPD, it is hard to believe that an aggravating circumstance is imposed on KFC in the proposed sanction for "the level of implementation of the KFC entity in the country's economy". In this regard, the following data is highlighted: According to the data of the National Institute of Statistics in its Survey on the use of ICT and electronic commerce in companies for the year 2020 – first quarter of 2021 (https://www.ine.es/prensa/tic_e_2020_2021.pdf), the volume of sales made by companies through electronic commerce in 2020 amounted to 275,011,398,000 euros. The 2.5 million euros of sales made by KFC through its website do not amount to more than a negligible 0.00009% of the national total of sales made through electronic commerce. Likewise, according to the study published by the entity Adevinta entitled "Online commerce is consolidated in Spain: 86% of the population buys and sells through the internet" (https://www.adevinta.es/stories/articles/comercio-onlineconsolida-pulso-digital), "48% of the Spanish population carried out the entire purchase process over the Internet". That is, almost 23 million people in Spain.
The 110,000 registered users on the KFC website represent the tiny proportion of 0.00478% of the aforementioned 23 million. Of course, the aggravating criterion raised by the AEPD has no place, since it is highly questionable that KFC, for its online activity and in view of the data set out, has a relevant level of implementation in the Spanish economy, especially if one takes into account that the 2.5 million euros invoiced by KFC are insignificant with respect to the total sales identified by the National Institute of Statistics, and that the 110,000 registered users on its website represent a very small part of the total population that buys online in Spain.

TO THE AEPD I REQUEST: That it consider this document and its copies submitted, admit them, and take into consideration the previous allegations formulated against the Agreement to Initiate Sanctioning Procedure PS/00140/2022, so that, adding them to the file, it issue a resolution annulling the sanction proposals formulated and close the aforementioned sanctioning procedure without further formalities.

SUBSIDIARILY, TO THE AEPD I REQUEST: In the event that it considers that KFC has committed any of the violations described in its sanction proposal, that it sanction KFC only with respect to the one relating to non-compliance with the transparency obligations indicated in Article 13 of the GDPR, and with a warning, given that there is no record of prior sanctions from this Agency, the minor nature of the offence committed in the AEPD's own terms, KFC's evident will to improve its level of regulatory compliance, demonstrated in the prior information procedures that precede the present procedure, and the non-commission of the other offences indicated in its Agreement to Initiate the Sanctioning File".
TENTH: On 11/16/22, the proposed resolution was sent to the claimed party, in which it was proposed that the Director of the Spanish Data Protection Agency proceed to penalise the entity, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), for the following reasons:

- For the infringement of Article 6.1 of the GDPR, due to the non-existence of a mechanism in the form that allows users to give their consent to the processing of their personal data for each and every one of the purposes for which their personal data are processed, when applicable, with a penalty of 30,000 euros (thirty thousand euros).

- For the infringement of Article 37 of the GDPR, for the failure to appoint a Data Protection Officer, with a penalty of 20,000 euros (twenty thousand euros).

- For the infringement of Article 13 of the GDPR, due to the lack of information contained in the "Privacy Policy" on the processing of the personal data obtained, with a penalty of 5,000 euros (five thousand euros).

Along with this, and in accordance with Article 58.2 of the GDPR, the following corrective measures were proposed to be imposed on the defendant:

- To implement, within one month, the necessary corrective measures to adapt its actions to the personal data protection regulations, namely establishing a Data Protection Officer, as stipulated in Article 37 of the GDPR, and to inform this Agency within the same term of the measures taken.
- To implement, within one month, the necessary corrective measures to adapt its actions to the personal data protection regulations, with the inclusion in the "Privacy Policy" of the necessary information on the creation of loyalty profiles and their legal basis, as well as the identification of the third parties to whom the personal data obtained are transferred, and to inform this Agency within the same period of the measures adopted.

As certified by the Single Authorised Electronic Address Service (DEHÚ), the letter with the proposed resolution was made available to the claimed party on 11/19/22 through the electronic notification service "NOTIFIC@", and the certificate states 11/30/22 as the date of automatic rejection. There is no record in this Agency of any written response to the proposed resolution by the claimed entity.

PROVEN FACTS

From the actions carried out in this procedure and from the information and documentation presented by the parties, the following facts have been accredited:

First: On the lawfulness of the processing of personal data obtained on the website www.kfc.es: On the website www.kfc.es, users' personal data can be entered through several procedures: a) for the creation of a user account; b) to register as a job seeker in the chain; c) to place an online order for its products; and d) to receive promotional offers. Before the form for any of these procedures can be submitted with the personal data, it is necessary to have previously given consent to data processing, with the possibility of accessing the website's "Privacy Policy" through the links: "Conditions of Use", "Privacy Policy (Generic)" and "Privacy Notice" (exclusive to the EEA and United Kingdom). There is also, in the four indicated forms, the possibility of registering voluntarily to periodically receive promotional offers from the brand.
The "Data Privacy Policy" of the web page in question is divided into three documents: a) Terms of use of the website; b) a generic privacy policy for all countries; and c) a specific privacy policy for the countries of the European Economic Area (EEA), the United Kingdom and Switzerland. In the first document, "Terms of use" (https://www.kfc.es/nota-legal), the following can be read regarding the policy for the protection of the personal data obtained: "(...) Data protection: We will collect, store and process your personal information in accordance with our Privacy Policy. Please read our Privacy Policy to ensure you are satisfied and understand its content before creating an account (...)".

If the "Privacy Policy" of the website www.kfc.es is accessed via the link https://www.kfc.es/privacidad, "generic policy for all countries", the following can be read as an introduction: "KFC® ("KFC", "we", "our" or "us") is committed to protecting your privacy. This KFC Privacy Policy (this "Policy") applies to our websites, online experiences and mobile applications for mobile devices running Apple iOS, Windows or Android that are linked to the Policy (collectively, our "Sites"), and describes how we collect, use and disclose your personal information when you visit our Sites or our restaurants and in-store kiosks, or otherwise interact with us (collectively, our "Service"). By accessing or using our Service, you indicate that you have read, understood and agree to our collection, storage, use and disclosure of your personal information as described in this Policy and in our Terms of Use, available on our site. For more information about the privacy practices of other Yum Brands, Inc. ("Yum Brands") companies (the "Brands"), please visit: YUM Brands Privacy Policy. PIZZA HUT® Privacy Policy. TACO BELL® Privacy Policy.
THE HABIT® Privacy Policy." Regarding the purposes to which the personal data obtained will be dedicated, among others, the following is indicated: "(...) 2. HOW WE USE PERSONAL INFORMATION: (...) We may also use your information to personalise your experience with us and promote our rewards or loyalty programmes. We also use this information to provide you with the Service in all our operations, including supporting your in-store experience when you interact with our franchisee-owned locations (...). 4. HOW WE SHARE YOUR INFORMATION: We may share, sell or disclose your information in the cases we describe below. For more information about your options regarding your information, see "Your Choices and Control Over Your Information". Other Brands: We may share personal information with our parent company Yum Brands and other Yum Brands companies and our affiliates, which may use your information in ways similar to those described in this Policy. (...) Promotional Partners: We may share limited information with third parties with whom we partner to provide contests and sweepstakes, or other joint promotional activities. Typically, these partners will be clearly identified in the contest rules or in the promotion materials. Selected Marketing and Strategic Business Partners: We may share limited data with our strategic business partners and preferred marketing partners so they can provide you with information and marketing messages about products or services that may be of interest to you. These parties may use your information in accordance with their own privacy policies. Online Advertising Partners: We may share information with third-party online advertising partners or allow these partners to collect information from you directly on our Sites to facilitate online advertising. For more information, see our Cookie and Advertising Policy, available on our Site.
(...) Other cases in which we may share your personal information: Service Providers and Consultants: Personal information may be shared with third-party vendors and other service providers who provide services to us or on our behalf. This may include vendors and distributors who engage in marketing or advertising activities or who provide postal or electronic mail services, tax and accounting services, product fulfilment, delivery services, payment processing, data enhancement services, fraud prevention, web hosting or analytics services. In connection with any of the above, we may share information with other parties in an aggregated or anonymised form that does not reasonably identify you".

If the complementary Privacy Policy for EEA and United Kingdom countries of the website www.kcf.es is accessed via the link https://www.kfc.es/multimarcas, the following can be read about the purposes for which the personal data are obtained and the legal basis for that processing: "This EEA and UK Privacy Notice supplements the information contained in our Privacy Policy and applies only to natural persons residing in the European Economic Area ("you") and to the Sites and Services available in the EEA, as well as in the United Kingdom, that link to this Privacy Notice. Unless expressly stated otherwise, all terms have the same meaning as defined in our Privacy Policy or as otherwise defined in the General Data Protection Regulation of the EU 2016/679 of the European Parliament and of the Council ("GDPR"). Annex 1 sets out in detail the categories of information we collect about you and how we use that information when you use the Service, as well as the legal basis on which we rely to process personal information and the recipients of such information.
In addition, the table in Annex 2 sets out in detail the categories of personal information we collect about you automatically and how we use such information. The table also lists the legal basis on which we rely to process personal information and the recipients of such personal information.

APPENDIX 1

a).- Profile information, such as your name, telephone number, date of birth and profile picture.
a.1. We may use this information to set up and authenticate your account in the Service: Processing is necessary to perform a contract with you and to take steps before entering into a contract with you.
a.2. We may use this information to contact you, including sending communications related to the service: Processing is necessary to perform a contract with you.
a.3. We may use this information to send you marketing communications in accordance with your preferences: We will only use your personal information in this way to the extent that you have given us your consent to do so.
a.4. We may use this information to deal with inquiries and complaints made by or about you in connection with the Service: Processing is necessary for our legitimate interests, in particular to administer the Service and communicate with you effectively to respond to your inquiries or complaints.
b).- Information on payments and transactions, including payment information (such as credit or debit card details or bank account details), and the time, date and value of the transactions.
b.1.- We use this information to facilitate transactions and provide you with the Service: Processing is necessary to fulfil a contract with you.
b.2.- We use this information for customer service: Processing is necessary to perform a contract with you.
b.3.- We use this information to detect and prevent fraud: Processing is necessary for our legitimate interests, in particular the detection and prevention of fraud.
c).- Location data
c.1. We use GPS technology to determine your current location in order to provide you with relevant content and show where you have made that content: Processing is necessary for our legitimate interests, specifically to administer the Service. We will only use your personal information in this way to the extent that you have given us your consent to do so.
d).- Comments, chat and opinions
d.1. When you contact us directly (e.g. by email, phone, postal mail or through an online form or online chat), we may record your comments and opinions: Processing is necessary for our legitimate interests, in particular to respond to your question or comment, to evaluate and improve our products and services and to inform our marketing and advertising.
e).- Information received from third parties, such as social networks. If you interact with the Service through a social network, we may receive information from the network such as your name, profile information, and any other information that you allow the social network to share with third parties. The data we receive depend on your privacy settings on the social network.
e.1.- We may use this information to authenticate you and allow you to access the Service: Processing is necessary to fulfil a contract with you.
e.2.- We may use this information to adapt how the Service is shown to you (such as the language in which it is presented to you): Processing is necessary for our legitimate interests, in particular to adapt the Service to make it more relevant to our users.
f).- Usage information, such as the time during which you use our products, your results when you use our products, any problem experienced when you use our products and any other product-generated information about how you use our products.
f.1.- We may use this information to analyse how the Service works, fix problems with the Service, improve the Service and develop new products and services: Processing is necessary for our legitimate interests, in particular to improve our products and services, address any errors in our products and services and develop new products and services.
f.2.- We may use this information to develop new products and features available through the Service or to improve the Service in any way: Processing is necessary for our legitimate interests, in particular to develop and improve the Service.
g).- All the personal information indicated above.
g.1.- We may use all the personal information we collect to operate, maintain and provide you with the features and functionality of the Service, communicate with you, monitor and improve the Service and the business, and develop new products and services: Processing is necessary for our legitimate interests, in particular to administer and improve the Service.

APPENDIX 2

a).- Information on how you access and use the Service. For example, the frequency with which you access the Service, the time at which you access the Service and how long you use it for, the approximate location from which you access the Service, whether you access the Service from various devices, and other actions of yours on the Service.
a.1.- We may use information about how you use and connect to the Service to present the Service to you on your device: Processing is necessary for our legitimate interests, in particular to tailor the Service to the user.
a.2.- We may use this information to determine products and Services that may be of interest for marketing purposes: Processing is necessary for our legitimate interests, in particular to inform our direct marketing.
a.3.- We may use this information to monitor and improve the Service and the business, solve problems and inform the development of new products and services: Processing is necessary for our legitimate interests, specifically to monitor and fix problems with the Service and to improve the Service in general.
b).- Log files and information about your device. We also collect information about the tablet, smartphone or other electronic device you use to connect to the Service. This information may include details about the type of device, unique identification numbers of the device, operating systems, browsers and applications connected to the Service through the device, its mobile network, IP address and your device's phone number (if you have one).
b.1.- We may use information about how you use and connect to the Service to present the Service to you on your device: Processing is necessary for our legitimate interests, in particular to tailor the Service to the user.
b.2.- We may use this information to determine products and Services that may be of interest for marketing purposes: Processing is necessary for our legitimate interests, in particular to inform our direct marketing.
b.3.- We may use this information to monitor and improve the Service and the business, prevent and detect fraud, solve problems and inform the development of new products and services: Processing is necessary for our legitimate interests, in particular to monitor and resolve problems with the Service and to improve the Service in general.
Second: Regarding the "Privacy Policy" on the website www.kfc.es: On the web page in question, the information offered to its users regarding the processing of their personal data is offered through the following documents posted on the web: a) document "Terms of Use" or "Legal Notice", https://www.kfc.es/nota-legal; b) document "Privacy Policy", https://www.kfc.es/privacidad; and c) document "Privacy Notice", https://www.kfc.es/multimarcas. All of them are accessible from the different forms (indicated in the section above) and through the existing links at the bottom of the main page. The information offered in the different documents indicated above is the following:

A).- In the document "Terms of Use" or "Legal Notice" (https://www.kfc.es/nota-legal), the following information can be found regarding the processing of the personal data obtained: REGISTRATION: "(...) Data protection: We will collect, store and process your personal information in accordance with our Privacy Policy. Please read our Privacy Policy to make sure that you are satisfied and understand its content before creating an account."

B).- In the document "Privacy Policy" (https://www.kfc.es/privacidad), the following information can be found regarding the processing of the personal data obtained: 1. what type of information they collect; 2. how they use the personal information they collect; 3. what information they collect automatically; 4. how they share the information collected; 5. the options and control over the information collected; 6. how they store and protect information; 7. jurisdictional disclosures; 8. children's privacy; 9. links to other websites and services; 10. how to contact the data controller.
C).- In the document "Privacy Notice" (https://www.kfc.es/multimarcas), the following information, among others, can be found regarding the processing of the personal data obtained:

Regarding the controller, it is indicated: KFC Restaurants Spain, S.L., with NIF B86281599 and address at Calle Serrano Galvache (Pq. Empresarial Pq. Norte), 56 - Edif. Olmo, Fifth Floor, Madrid, Madrid. Email: clientes@kfc.es. Telephone: 91 904 18 81.

On the legal basis for processing in the EEA and the United Kingdom, it is indicated: The table in Annex 1 sets forth the categories of personal information collected, as well as the legal basis and recipients of such personal information. The table in Annex 2 sets forth the categories of personal information collected automatically. The table also lists the legal basis relied on to process personal information and the recipients of said personal information.

It informs about the storage and transfer of data.

Information is provided on the individual rights of residents in the EEA: Right to object. Right of access. Right of rectification. Right of erasure. You also have the right to file a claim with your data protection authority.

On the retention of personal data, it is reported: In the case of people who reside in the EEA, we retain personal data for the maximum time necessary to fulfil the purposes for which we collected the data, such as the delivery of your order, maintenance of our service, compliance with our legal obligations and dispute resolution. We will keep your personal data in accordance with the applicable legal limitation periods, in accordance with the tax and accounting regulations of each EEA country.
At the end of those periods, or earlier at your request, the data will be deleted or anonymised so that it can no longer identify you, unless we are legally authorised or obliged to keep personal data for a longer time.

LEGAL GROUNDS

I.- Competence. In accordance with the powers that Article 58(2) GDPR grants to each supervisory authority, and as established in Articles 47 and 48(1) LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure. Likewise, Article 63(2) LOPDGDD provides that: "Procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions adopted to implement it and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedure."

II.- a).- On the lawfulness of the processing of personal data obtained on the website www.kfc.es: It has been verified that users' personal data can be entered on the website www.kfc.es through various procedures: a) to create a user account; b) to register as a job applicant with the chain; c) to place an online order for its products; and d) to receive promotional offers. Before the form for any of these procedures can be submitted with the personal data, consent to the data processing must first have been given, with the possibility of accessing the website's "Privacy Policy" through the links "Conditions of Use", "Privacy Policy (Generic)" and "Privacy Notice" (exclusive to the EEA and the United Kingdom). In all four forms there is also the possibility of voluntarily registering to periodically receive promotional offers from the brand.
As indicated by the entity, the "Data Privacy Policy" is divided into three documents: a) the terms of use of the website; b) a generic privacy policy for all countries; and c) a specific privacy policy for the countries of the European Economic Area (EEA), the United Kingdom and Switzerland.

In the first document, "Terms of use" (https://www.kfc.es/nota-legal), the following can be read regarding the policy on the protection of the personal data obtained: "(...) Data protection: We will collect, store and process your personal information in accordance with our Privacy Policy. Please read our Privacy Policy to ensure you are satisfied with and understand its content before creating an account (…)".

Accessing the "Privacy Policy" of the website www.kfc.es (https://www.kfc.es/privacidad), the generic policy for all countries, the introduction reads: “KFC® (“KFC”, “we”, “our” or “us”) is committed to protecting your privacy. This KFC Privacy Policy (this “Policy”) applies to our websites, online experiences and mobile applications for mobile devices running Apple iOS, Windows or Android that link to the Policy (collectively, our “Sites”), and describes how we collect, use and disclose your personal information when you visit our Sites or our restaurants and in-store kiosks, or otherwise interact with us (collectively, our “Service”). By accessing or using our Service, you indicate that you have read, understood and agree to our collection, storage, use and disclosure of your personal information as described in this Policy and in our Terms of Use, available on our site. For more information about the privacy practices of other Yum! Brands, Inc. (“Yum! Brands”) companies (the “Brands”), please visit: YUM Brands Privacy Policy; PIZZA HUT® Privacy Policy; TACO BELL® Privacy Policy; THE HABIT® Privacy Policy."

Regarding the purposes to which the personal data obtained will be put, the following is stated, among others:

"(...) 2. HOW WE USE PERSONAL INFORMATION: (…) We may also use your information to personalize your experience with us and promote our rewards or loyalty programs. We also use this information to provide you with the Service across all our operations, including supporting your in-store experience when you interact with our franchisee-owned locations (…).

4. HOW WE SHARE YOUR INFORMATION: We may share, sell or disclose your information in the cases described below. For more information about your options regarding your information, see “Your Choices and Control Over Your Information”.

Other Brands: We may share personal information with our parent company Yum Brands and other Yum Brands companies and our affiliates, which may use your information in ways similar to those described in this Policy. (…)

Promotional Partners: We may share limited information with third parties with whom we partner to provide contests and sweepstakes or other joint promotional activities. Typically, these partners will be clearly identified in the contest rules or in the promotion materials.

Selected Marketing and Strategic Business Partners: We may share limited data with our strategic business partners and preferred marketing partners so that they can provide you with information and marketing messages about products or services that may be of interest to you. These parties may use your information in accordance with their own privacy policies.

Online Advertising Partners: We may share information with third-party online advertising partners or allow these partners to collect information from you directly on our Sites to facilitate online advertising. For more information, see our Cookie and Advertising Policy, available on our Site.
(…) Other cases in which we may share your personal information: Service Providers and Consultants: Personal information may be shared with third-party vendors and other service providers who provide services to us or on our behalf. This may include vendors and distributors who engage in marketing or advertising activities or who provide postal or electronic mail services, tax and accounting services, product fulfilment, delivery services, payment processing, data enhancement services, fraud prevention, web hosting or analytics services.

In connection with any of the above, we may share information with other parties in an aggregated or anonymised form that does not reasonably identify you."

Accessing the supplementary Privacy Policy for the EEA and United Kingdom on the website www.kfc.es (https://www.kfc.es/multimarcas), the following can be read regarding the purposes for which the personal data obtained will be used and the legal basis for that processing: “This EEA and UK Privacy Notice supplements the information contained in our Privacy Policy and applies only to natural persons residing in the European Economic Area ("you") and to the Sites and Services available in the EEA and the United Kingdom that link to this Privacy Notice. Unless expressly stated otherwise, all terms have the same meaning as defined in our Privacy Policy or as otherwise defined in Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”). The table in Annex 1 sets out in detail the categories of personal information we collect about you and how we use that information when you use the Service, as well as the legal basis on which we rely to process personal information and the recipients of such information.
In addition, the table in Annex 2 sets out in detail the categories of personal information we collect about you automatically and how we use that information. The table also lists the legal basis on which we rely to process personal information and the recipients of such personal information.

APPENDIX 1

a).- Profile information, such as your name, telephone number, date of birth and profile picture.
a.1. We may use this information to set up and authenticate your account on the Service: processing is necessary to perform a contract with you and to take steps before entering into a contract with you.
a.2. We may use this information to contact you, including sending service-related communications: processing is necessary to perform a contract with you.
a.3. We may use this information to send you marketing communications in accordance with your preferences: we will only use your personal information in this way to the extent that you have given us your consent to do so.
a.4. We may use this information to deal with enquiries and complaints made by or about you in connection with the Service: processing is necessary for our legitimate interests, in particular to administer the Service and communicate with you effectively in order to respond to your enquiries or complaints.

b).- Payment and transaction information, including payment details (such as credit or debit card details or bank account details) and the time, date and value of transactions.
b.1.- We use this information to facilitate transactions and provide you with the Service: processing is necessary to perform a contract with you.
b.2.- We use this information for customer service: processing is necessary to perform a contract with you.
b.3.- We use this information to detect and prevent fraud: processing is necessary for our legitimate interests, in particular the detection and prevention of fraud.

c).- Location data.
c.1. We use GPS technology to determine your current location in order to provide you with relevant content and show where you have created that content: processing is necessary for our legitimate interests, specifically to administer the Service. We will only use your personal information in this way to the extent that you have given us your consent to do so.

d).- Comments, chat and opinions.
d.1. When you contact us directly (e.g. by email, phone, postal mail or through an online form or online chat), we may record your comments and opinions: processing is necessary for our legitimate interests, in particular to respond to your question or comment, to evaluate and improve our products and services and to inform our marketing and advertising.

e).- Information received from third parties, such as social networks. If you interact with the Service through a social network, we may receive information from the network such as your name, profile information and any other information that you allow the social network to share with third parties. The data we receive depends on your privacy settings on the social network.
e.1.- We may use this information to authenticate you and allow you to access the Service: processing is necessary to perform a contract with you.
e.2.- We may use this information to adapt how the Service is shown to you (such as the language in which it is presented): processing is necessary for our legitimate interests, in particular to adapt the Service to make it more relevant to our users.
f).- Usage information, such as the time during which you use our products, your results when you use our products, any problems experienced when you use our products and any other product-generated information about how you use our products.
f.1.- We may use this information to analyse how the Service works, fix problems with the Service, improve the Service and develop new products and services: processing is necessary for our legitimate interests, in particular to improve our products and services, address any errors in our products and services and develop new products and services.
f.2.- We may use this information to develop new products and features available through the Service or to improve the Service in any way: processing is necessary for our legitimate interests, in particular to develop and improve the Service.

g).- All the personal information indicated above.
g.1.- We may use all the personal information we collect to operate, maintain and provide you with the features and functionality of the Service, communicate with you, monitor and improve the Service and the business, and develop new products and services: processing is necessary for our legitimate interests, in particular to administer and improve the Service.

APPENDIX 2

a).- Information on how you access and use the Service. For example, how often you access the Service, the time at which you access it and how long you use it for, the approximate location from which you access the Service, whether you access the Service from several devices, and your other actions on the Service.
a.1.- We may use information about how you use and connect to the Service to present the Service to you on your device: processing is necessary for our legitimate interests, in particular to tailor the Service to the user.
a.2.- We may use this information to determine products and services that may be of interest to you for marketing purposes: processing is necessary for our legitimate interests, in particular to inform our direct marketing.
a.3.- We may use this information to monitor and improve the Service and the business, solve problems and inform the development of new products and services: processing is necessary for our legitimate interests, specifically to monitor and fix problems with the Service and to improve the Service in general.

b).- Log files and information about your device. We also collect information about the tablet, smartphone or other device you use to connect to the Service. This information may include details about the type of device, unique device identification numbers, operating systems, browsers and applications connected to the Service through the device, its mobile network, IP address and your device's telephone number (if it has one).
b.1.- We may use information about how you use and connect to the Service to present the Service to you on your device: processing is necessary for our legitimate interests, in particular to tailor the Service to the user.
b.2.- We may use this information to determine products and services that may be of interest to you for marketing purposes: processing is necessary for our legitimate interests, in particular to inform our direct marketing.
b.3.- We may use this information to monitor and improve the Service and the business, prevent and detect fraud, solve problems and inform the development of new products and services: processing is necessary for our legitimate interests, in particular to monitor and resolve problems with the Service and improve the Service in general."

In the present case, given that the "Privacy Policy" of the website www.kfc.es describes certain purposes for the processing of personal data and states the legal basis for each of them, processing the data for those purposes would not constitute further processing. On the other hand, it must be taken into account that the respondent entity states the following in its submissions: "The purposes indicated in the privacy policy on which the proposed sanction is based describe potential situations and do not imply that they are actually carried out, or that they are carried out in an entirely lawful manner, as will be shown; and most importantly, the further processing for which a sanction is proposed is not included in the Record of Processing Activities already provided to the AEPD…"

Therefore, in the present case, according to the evidence available at this point, it is considered that the description of the purposes of personal data processing, together with the legal basis for each of them, does not correspond to further processing, so that it does not contradict what is stipulated in Article 6(1) GDPR. This does not imply any assessment of the adequacy of the legal basis given in the privacy policy for each of the different processing operations, which is not the object of this procedure.
III.- a.- Regarding the "Privacy Policy" on the website www.kfc.es:

As has been verified, on the web page in question the information offered to its users regarding the processing of their personal data is provided through the following documents posted on the website: a) the "Terms of Use" or "Legal Notice", https://www.kfc.es/nota-legal; b) the "Privacy Policy", https://www.kfc.es/privacidad; and c) the "Privacy Notice", https://www.kfc.es/multimarcas. All of them are accessible from the various forms (indicated in the previous section) and through the links at the bottom of the main page. The information offered in each of these documents is the following:

A).- The "Terms of Use" or "Legal Notice" (https://www.kfc.es/nota-legal) contains the following information regarding the processing of the personal data obtained, under REGISTRATION: "(...) Data protection: We will collect, store and process your personal information in accordance with our Privacy Policy. Please read our Privacy Policy to make sure that you are satisfied with and understand its content before creating an account."

B).- The "Privacy Policy" (https://www.kfc.es/privacidad) contains the following information regarding the processing of the data obtained: 1. what type of information they collect; 2. how they use the personal information they collect; 3. what information they collect automatically; 4. how they share the information collected; 5. the options and control over the information collected; 6. how they store and protect information; 7. jurisdictional disclosures; 8. children's privacy; 9. links to other websites and services; 10. how to contact the data controller.
C).- The "Privacy Notice" (https://www.kfc.es/multimarcas) contains, among others, the following information regarding the processing of the personal data obtained:

Regarding the controller, it states: KFC Restaurants Spain, S.L., with NIF B86281599 and address at Calle Serrano Galvache (Pq. Empresarial Pq. Norte), 56 - Edif. Olmo, Fifth Floor, Madrid. Email: clientes@kfc.es. Telephone: 91 904 18 81.

On the legal basis for processing in the EEA and the United Kingdom, it states: The table in Annex 1 sets out the categories of personal information collected, as well as the legal basis and the recipients of such personal information. The table in Annex 2 sets out the categories of personal information collected automatically. The table also lists the legal basis relied on to process personal information and the recipients of that personal information.

It informs about the storage and transfer of data. Information is provided on the individual rights of EEA residents: right to object, right of access, right of rectification and right of erasure. You also have the right to lodge a complaint with your data protection authority.

On the retention of personal data, it states: In the case of persons residing in the EEA, we retain personal data for the maximum time necessary to fulfil the purposes for which we collected the data, such as the delivery of your order, maintenance of our service, compliance with our legal obligations and dispute resolution. We will keep your personal data in accordance with the applicable statutory limitation periods under the tax and accounting regulations of each EEA country. At the end of those periods, or earlier at your request, the data will be deleted or anonymised so that it can no longer identify you, unless we are legally authorised or obliged to keep personal data for a longer time.
In the present case, it must also be taken into account that the privacy policy of the website www.kfc.es does not offer precise information on the purposes of data processing, since it uses indefinite expressions such as "we may use...", without the entity complained against having demonstrated why it was necessary to use them, as required by the Article 29 Working Party Guidelines on transparency under Regulation (EU) 2016/679, last revised and adopted on 11 April 2018, which establish the following: “13. The use of qualifiers such as "may", "might", "some", "often" and "possible" (…). Where data controllers opt to use indefinite language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing. (…)”

III.- b).- Classification and qualification of the infringement

Regarding the information that the controller must provide to data subjects when data are obtained from them, Recital 60 GDPR states: "The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences where such data are not provided.
That information may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable."

Recital 61 GDPR states the following: "The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided."

For its part, Article 13 GDPR details the information that must be provided to the data subject when personal data are obtained directly from him or her, establishing the following: "1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: a) the identity and the contact details of the controller and, where applicable, of the controller's representative; b) the contact details of the data protection officer, where applicable; c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; e) the recipients or categories of recipients of the personal data, if any; f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability; c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; d) the right to lodge a complaint with a supervisory authority; e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject."

Thus, pursuant to Article 13(1)(c) GDPR, users must be informed of the purposes of the processing for which their personal data will be used and of the applicable legal basis (Article 6 GDPR), avoiding practices such as including purposes that are too generic or unspecific, which may lead to processing that exceeds the reasonable expectations of the data subject.
Accessing the "Privacy Policy" of the website www.kfc.es (https://www.kfc.es/privacidad), the following can be read, among others, regarding the purposes for which the personal data obtained will be used: “(…) personalize your experience with us and promote our rewards or loyalty programs (…)”; “(…) share, sell or disclose your information with: Other Brands: We may share personal information with our parent company Yum Brands and other Yum Brands companies and our affiliates, who may use your information in a manner similar to that described in this Policy”. Or, for example, when the entity states that it may share the personal data obtained with its external suppliers, stated in a generic and abstract way, without identifying the providers or the legal basis relied on: “(…) to share with external providers (…)”.

Based on the legal grounds set out above, the facts indicated in the previous section constitute an infringement of Article 13 GDPR.

III.- c.- Penalty imposed

This infringement may be sanctioned with a fine of up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, in accordance with Article 83(5)(b) GDPR. In this sense, Article 74(a) LOPDGDD classifies as minor, for the purposes of limitation periods, "breach of the principle of transparency of information or of the data subject's right to information by failing to provide all the information required by Articles 13 and 14 of Regulation (EU) 2016/679".

Weighing the circumstances considered with respect to the infringement committed, the breach of Article 13 GDPR allows an initial sanction of €5,000 (five thousand euros) to be set.
III.- d.- Measures

In accordance with Article 58(2) GDPR, the corrective measure to be imposed on the owner of the web page consists of taking the necessary measures to bring the website it owns (www.kfc.es) into line with current regulations, adapting it to what is stipulated in Article 13 GDPR. It is noted that failure to comply with the requirements of this body may be considered an administrative offence under the GDPR, classified as an infringement in Article 83(5) and (6), and such conduct may lead to the opening of a subsequent administrative sanctioning procedure.

IV.- a.- On the absence of a Data Protection Officer

When this Agency requested information from KFC about the analyses carried out to assess whether or not a DPO needed to be appointed, the entity replied as follows: "(...) In this regard, KFC has understood that there is no obligation to appoint a DPO, because the processing activities carried out are not among those of Article 37 GDPR, nor is the entity among those required to do so under Article 34 LOPDGDD. Likewise, compliance management in data protection matters has been exercised by internal personnel specialised in data protection, in particular from the UK, through B.B.B., Global Privacy Lead Counsel/Head, and the advice of external experts in each of the countries from which it operates. However, and as previously indicated to this Agency, the need for such an appointment will be evaluated internally on a periodic basis, depending on possible operational changes as well as the start of new lines of business that may involve the incorporation of new processing activities, in order to offer greater guarantees of compliance to our customers and users regarding the activities and procedures in the processing of personal data, in particular if the processing activities were to include profiling (...)”.
IV.- b).- Classification and qualification of the infringement

Regarding whether or not a Data Protection Officer must be appointed, Article 37 GDPR provides the following: "1. The controller and the processor shall designate a data protection officer in any case where: a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10."

In the case at hand, the applicable provision would be Article 37(1)(b) GDPR, under which three elements must be examined: "core activities", "regular and systematic monitoring" and "large scale". It is true that these are indeterminate legal concepts, but they have been given shape through the various opinions and guidelines of the Article 29 Working Party.

As to what constitutes a core activity, WP 243 (Guidelines on Data Protection Officers ('DPOs')) establishes that: "Article 37(1)(b) and (c) of the GDPR refers to the 'core activities of the controller or the processor'. Recital 97 specifies that the core activities of a controller relate to 'primary activities and do not relate to the processing of personal data as ancillary activities'. 'Core activities' can be considered as the key operations necessary to achieve the controller's or processor's goals.
However, 'core activities' should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller's or processor's activity. For example, the core activity of a hospital is to provide health care. However, a hospital could not provide health care safely and effectively without processing health data, such as patients' health records. Therefore, processing these data should be considered to be one of any hospital's core activities, and hospitals must accordingly designate a DPO. As another example, a private security company carries out the surveillance of a number of private shopping centres and public spaces. Surveillance is the company's core activity, which in turn is inextricably linked to the processing of personal data. Therefore, this company must also designate a DPO. On the other hand, all organisations carry out certain activities, for example paying their employees or having standard IT support activities. These are examples of necessary support functions for the organisation's core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity."

The second element is regular and systematic monitoring, which WP 243 determines is "not limited to the online environment and online tracking should only be considered one example of monitoring the behaviour of data subjects". The Article 29 Working Group interprets "regular" as meaning one or more of the following: a) ongoing or occurring at particular intervals for a particular period; b) recurring or repeated at fixed times, or constantly or periodically taking place. The Working Group interprets "systematic" as meaning one or more of the following: a) occurring according to a system; b) pre-arranged, organised or methodical; c) taking place as part of a general plan for data collection; d) carried out as part of a strategy. As examples it cites data-driven marketing activities and location tracking, for example by mobile apps, loyalty programmes or behavioural advertising.

Thus, in the case examined, the criterion of regular monitoring is met, carried out according to a data collection plan to obtain customer data and expand the area of business. One only has to look at its privacy policy, which shows that it collects data of all kinds, including the IP address (a key element of location), browsing history and user preferences, data derived from cookies (among which there are some tracking cookies), geolocation data and billing information, among others. And it collects them on a regular basis, since it needs them to provide its services and to improve the performance of its business. Among other things, the privacy policy indicates that the data are used for statistics and services.

Thirdly, it must be determined whether the processing is on a large scale, for which WP 243 establishes certain criteria: it "recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale: a) the number of data subjects concerned, either as a specific number or as a proportion of the relevant population; b) the volume of data and/or the range of different data items being processed; c) the duration, or permanence, of the data processing activity; d) the geographical extent of the processing activity". And as examples of large-scale processing it gives "processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services; processing of customer data in the regular course of business by an insurance company or a bank".
The EDPB does not in any case define what a large scale is, but adheres to the criteria referred to. This is stated in other documents: "The GDPR does not precisely define what constitutes large-scale. In the WP29 guidelines on Data Protection Officer (WP243) and on DPIA (WP248), both endorsed by the Board, it has recommended to take into account several specific factors when determining whether a processing is carried out on a large scale. The Board is of the opinion that those factors are sufficient to assess whether the processing of personal data is undertaken on a large scale. Therefore, the Board requests the Supervisory Authority of the Czech Republic to amend its list accordingly, by deleting the explicit figures in its list, and making reference to the previously mentioned definitions of large scale" (Opinion 4/2018 on the draft list of the competent supervisory authority of the Czech Republic regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR)).

This must be completed with recital 91 of the GDPR, which establishes, with regard to data protection impact assessments, that: "This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. …".

Large-scale processing means processing a considerable amount of personal data (all those mentioned in its privacy policy) in a certain territorial area (in this case at the national level), affecting numerous data subjects (it is a widely deployed app with a large number of data subjects), and it may also involve high risk (one of the data items used is geolocation). Applying these explicit parameters to the specific case, it is clearly large-scale data processing.

The Confederation of European Data Protection Organisations (CEDPO) also sets out a series of common interpretative criteria (which are not binding and not a normative provision) and indicates, in what may be of use here, that: "'Core activities' must be built in accordance with the description of the corporate purpose of the organization and the P&L revenues; 'Large scale' should be understood according to a risk-based approach (rather than using criteria such as number of employees or the 'volume' of personal data processed in a certain period of time alone); 'Monitoring of behaviour' shall exclude the IT monitoring activities that any organization nowadays must carry out for the purposes of (i) (cyber) security; (ii) protecting the organization's systems and assets (including IP and confidential information as well as the personal data stored or otherwise processed by the organization); and (iii) complying with laws and regulatory guidance (e.g., data protection duties, anti-fraud and anti-money laundering related activities)".
In view of the allegations made in the submissions regarding the quantitative criteria that other supervisory authorities may use to determine when processing is on a large scale, it must be pointed out that the AEPD is an independent supervisory authority which, in the performance of its duties, determines in each specific case whether or not the processing is on a large scale, taking into account the concurrent circumstances.

On a separate note, the mandatory appointment of a DPO in the case provided for in Article 37.1.b) of the GDPR is linked only to the fulfilment of the conditions established therein and not to others cited in the submissions, such as the types of data or processing. The fact that the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale already imposes the need to appoint a DPO, because of the risks involved, especially if the processing takes place through the internet or an app, as in the case examined. The figure of the DPO as a qualified adviser to the controller or processor is an essential reinforcement in the cases provided for in the GDPR and the LOPDGDD, to guarantee citizens' fundamental right and avoid the materialisation of the risks that a given activity may entail. One need only think of identity theft (Article 28.2 of the LOPDGDD). The insignificance of the risk is therefore ruled out. In any case, not having a DPO when it is mandatory is a risk for the protection of personal data.

In this regard, the LOPDGDD provides in its Article 34.1 and 3, on the designation of a data protection officer, the following:

"1. Controllers and processors shall designate a data protection officer in the cases provided for in Article 37.1 of Regulation (EU) 2016/679.

3. Controllers and processors shall communicate within ten days to the Spanish Data Protection Agency or, where appropriate, to the data protection authorities, the designations, appointments and removals of data protection officers, both in the cases in which they are bound to designate one and in the case in which it is voluntary."

Based on the legal grounds set forth above, the facts indicated in the previous section constitute an infringement of Article 37 of the GDPR.

IV.- c.- Penalty

This infringement may be sanctioned with a fine of up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, in accordance with Article 83.4.a) GDPR. In this regard, Article 73 LOPDGDD considers serious, for limitation purposes, "v) Failure to comply with the obligation to designate a data protection officer when their appointment is required in accordance with Article 37 of Regulation (EU) 2016/679 and Article 34 of this organic law."

In accordance with the provisions indicated, for the purpose of setting the amount of the penalty to be imposed in the present case, it is considered appropriate to graduate the penalty in accordance with the following aggravating criteria established in Article 83.2 of the GDPR:

- The intentional character of the infringement by KFC (section b), based on the fact that it is an entity whose activity involves the continuous processing of customers' personal data, which is considered of special importance. It is important to recall at this point the judgment of the National Court (SAN) of October 17, 2007 (rec. 63/2006), which states that: "…the Supreme Court has understood that negligence exists whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, special consideration must be given to whether or not the subject is a professional, and there is no doubt that, in the case now examined, when the appellant's activity involves the constant and abundant handling of personal data, it must insist on rigour and exquisite care in complying with the legal provisions in this regard."

It is also considered appropriate to graduate the penalty to be imposed in accordance with the following aggravating criterion, established in Article 76.2 of the LOPDGDD:

- The link between the offender's activity and the processing of personal data (section b), considering the level of implantation of KFC in the country's economy, involving the personal data of thousands of customers who access its services every day.

The balance of the circumstances contemplated in Article 83.2 of the GDPR and Article 76.2 LOPDGDD, with respect to the offence committed by infringing Article 37.1 GDPR, allows a penalty of 20,000 euros (twenty thousand euros) to be set.

IV.- Measures

This Agency agrees to impose on the controller the adoption of appropriate measures to adjust its conduct to the regulations mentioned in this act. In accordance with the aforementioned Article 58.2 d) of the GDPR, the corrective measure to be imposed on the owner of the website consists of the appointment of a Data Protection Officer, as stipulated in Article 37 of the GDPR.

It is noted that failing to comply with the requirements of this body may be considered an administrative offence under the GDPR, classified as an infringement in its Articles 83.5 and 83.6, and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.
Therefore, in accordance with the applicable legislation, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO CLOSE the present proceedings against the entity KFC RESTAURANTS SPAIN, S.L. (KFC), with CIF B86281599, owner of the website https://www.kfc.es, with regard to Article 6.1 of the GDPR.

SECOND: TO IMPOSE on the entity KFC RESTAURANTS SPAIN, S.L. (KFC), with CIF B86281599, owner of the website https://www.kfc.es, in accordance with Articles 63 and 64 of the LPACAP, for the infringement of Article 37 of the GDPR, due to the failure to appoint a Data Protection Officer, a penalty of 20,000 euros (twenty thousand euros).

THIRD: TO IMPOSE on the entity KFC RESTAURANTS SPAIN, S.L. (KFC), with CIF B86281599, owner of the website https://www.kfc.es, in accordance with Articles 63 and 64 of the LPACAP, for the infringement of Article 13 of the GDPR, due to the lack of information provided in the "Privacy Policy" on the processing of the personal data obtained, a penalty of 5,000 euros (five thousand euros).

FOURTH: TO ORDER the entity KFC RESTAURANTS SPAIN, S.L. to implement, within one month, the corrective measures necessary to adapt its conduct to the personal data protection regulations, and to inform this Agency within the same period of the measures adopted, appointing a Data Protection Officer as stipulated in Article 37 of the GDPR.

FIFTH: TO ORDER the entity KFC RESTAURANTS SPAIN, S.L. to implement, within one month, the corrective measures necessary to adapt its conduct to the personal data protection regulations, and to inform this Agency within the same period of the measures adopted, adapting the "Privacy Policy" of its website www.kfc.es to the provisions of Article 13 of the GDPR.
SIXTH: TO NOTIFY this resolution to the entity KFC RESTAURANTS SPAIN, S.L. (KFC), with CIF B86281599.

The penalised party is warned that the penalty imposed must be paid once this resolution becomes enforceable, in accordance with Article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, within the voluntary payment period indicated in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to Article 62 of Law 58/2003, of December 17, by paying it into the restricted account No. ES00 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A.; otherwise, it will be collected in the enforcement period.

Once the notification has been received and the resolution is enforceable, if the enforceability date falls between the 1st and the 15th of the month, both inclusive, the voluntary payment period will run until the 20th of the following month or the next business day thereafter, and if it falls between the 16th and the last day of the month, both inclusive, the payment period will run until the 5th of the second following month or the next business day thereafter.

In accordance with Article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative procedure (Article 48.6 of the LOPDGDD), and in accordance with Articles 112 and 123 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, on the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in Article 46.1 of the aforementioned legal text.

Finally, it is noted that in accordance with Article 90.3 a) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the final resolution may be provisionally suspended in administrative proceedings if the interested party declares the intention to file a contentious-administrative appeal. If so, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, submitted through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/] or through any of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also send the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not made aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, the precautionary suspension will end.
Mar España Martí
Director of the Spanish Data Protection Agency