AEPD (Spain) - PS/00140/2022: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 63: Line 63:
}}
}}


The Spanish DPA fined KFC a total of €25,000 euros for using generic language when defining the purposes of data processing and for failing to appoint a DPO, in violation of [[Article 13 GDPR|Articles 13]] and [[Article 37 GDPR|37 GDPR]].
The Spanish DPA fined KFC a total of €25,000 for using generic language when defining the purposes of data processing and for failing to appoint a DPO, in violation of [[Article 13 GDPR|Articles 13]] and [[Article 37 GDPR|37 GDPR]].


== English Summary ==
== English Summary ==

Revision as of 12:28, 26 April 2023

AEPD - PS/00140/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 37(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 28.05.2021
Decided:
Published:
Fine: 25,000 EUR
Parties: KFC Restaurants
National Case Number/Name: PS/00140/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Bernardo Armentano

The Spanish DPA fined KFC a total of €25,000 for using generic language when defining the purposes of data processing and for failing to appoint a DPO, in violation of Articles 13 and 37 GDPR.

English Summary

Facts

On May 28, 2021, the data subject filed a complaint with the Spanish DPA, claiming that, when creating an account on the controller’s website, it was only possible to register after accepting the terms and conditions and consenting to the sending of special offers and promotions. Moreover, they argued that the controller failed to provide information about: (a) the recipients of personal data; b) the possibility of making international transfers; c) the retention period. Finally, it argued that no DPO was appointed.

In response, the controller admitted that there was a problem in the configuration of the registration form, which erroneously included a consent request for special offers and promotions. Likewise, it recognized that the link in such form mistakenly directed the user to a legal note instead of the page with the privacy policy. However, it claimed that these errors were fixed. Also according to the controller, the website provided double-layer data protection information and the second layer contained all the details required by Article 13 GDPR.

As for the appointment of a DPO, the controller argued that Article 37(1) GDPR was not applicable since the data processing was merely auxiliary to its core activity, that is, the provision of meals. Finally, the controller argued that, as the general privacy policy applied to all its brands in different jurisdictions, it was not possible to provide complete information about the recipients beforehand.

Holding

During the investigation, the DPA verified that the “Data Privacy Policy” was divided among three documents: a) terms of use of the website; b)a general privacy policy for all countries and c) a specific privacy policy for European Economic Area (EEA) countries, United Kingdom and Switzerland.

By reviewing the documents, the DPA noted that the Privacy Policy adequately indicated the legal basis for each processing operation and that the subscription to receive advertising messages and special offers was voluntary. Therefore, it considered that the processing was lawful in accordance with Article 6 GDPR. However, it held that the documents did not offer precise information on the purposes of data processing as it used undefined expressions such as "we can use...". It emphasized that “language qualifiers such as 'may', 'might', 'some', 'often' and 'possible' should also be avoided. Where data controllers opt to use indefinite language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing” (Article 29 Working Party Guidelines on Transparency under GDPR). In the case at hand, the DPA found that no valid justification was given for the use of generic language and imposed a fine of €5,000 for the violation of Article 13 GDPR.

With regard to the appointment of a DPO, the DPA recalled that Article 37(1)(b) GDPR provides for 3 elements that must be examined: “core activity”, “usual and systematic monitoring” and “large scale”. To interpret these terms, the Guidelines of the Article 29 Working Party were again used. Therefore, “core activity” was understood as the key operations necessary to achieve the controller’s or processor’s goals. However, it should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. In turn, the concept of “usual and systematic monitoring” was defined as including all forms of ongoing, recurring or constant tracking/profiling of data subjects, either online or offline, in a pre-arranged, organised or methodical manner. Finally, to to determine whether the processing is carried out on a “large scale”, the DPA assessed: the number of data subjects concerned; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; and the geographical extent of the processing activity. Taking all these criteria as met, the DPA stated that the controller failed to comply with its obligation to appoint a DPO and imposed a a fine of €20,000 for a violation of Article 37 GDPR.

In addition, DPA has ordered the controller to adjust its actions to data protection regulations with regard to these infringements.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/50








     Procedure No.: PS/00140/2022.

               RESOLUTION OF THE SANCTION PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:
                                   BACKGROUND


FIRST: Dated 05/28/21, you have entered this Agency, writing presented by
D.A.A.A. (hereinafter, "the claimant"), against the entity, KFC RESTAURANTS
SPAIN, S.L., (KFC) with CIF.: B86281599, owner of the website, https://www.kfc.es,
(hereinafter, "the claimed party") for the alleged violation of the regulations of
data protection: Regulation (EU) 2016/679, of the European Parliament and of the
Council, of 04/27/16, regarding the Protection of Physical Persons in what

regarding the Processing of Personal Data and the Free Circulation of these Data
(GDPR), Organic Law 3/2018, of December 5, on Data Protection
Personal and Digital Rights Guarantee (LOPDGDD).

The claim stated the following:


       "The company KFC Restaurants Spain SL does not follow the guidelines of the GDPR in
       its website https://www.kfc.es. All violations are detailed below:

    - The privacy policy for users cannot be easily accessed
        of the EEA adapted to the GDPR (https://www.kfc.es/multimarcas), since the link

        privacy policy publicly visible at the bottom of the web
        leads to one for the US (https://www.kfc.es/privacidad).

    - When creating an account on the website (https://www.kfc.es/cuenta/registro), it is not
        registration is possible without selecting the box "I accept the terms and conditions

        of use to receive special offers and promotions from KFC and
        Franchisees", that is, they force you to receive special offers and promotions.
        At no time is it mentioned or linked to the privacy policy or its
        acceptance at the time of registration, only to "terms and conditions of use",
        which leads to a legal notice.


    - The defendant is an entity that develops advertising activities and
        commercial prospecting, and carry out treatments based on the
        preferences of the people affected or carry out activities that imply the
        elaboration of profiles of the same according to its policy of cookies and policy of
        privacy, so they are obliged to have a person Delegate of

        Data Protection, and they don't have it.

    - In the privacy policy: (a) the recipients of the information are not detailed
        personal information · (b) the data of the person in charge does not appear detailed in
        data protection matters (company name, NIF, registered office); (c) if

        details the possibility of making international data transfers, and it is not
        informs the interested party of the existence of adequacy decisions, guarantees,
        binding corporate rules or specific applicable situations. I only know
        they use generic formulas as suitable guarantees. Nor is it explained

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/50








       procedure to obtain a copy of these or that they were lent; (d) no
       the time of conservation of the data is detailed, formulas are used
       generic as "for as long as necessary"


SECOND: On 06/29/21 and 07/12/21, in accordance with the provisions of the
Article 65.4 of the LOPDGDD Law, by this Agency, transfer of said
claim to the claimed party, to proceed to its analysis and report, in the
period of one month, on what was stated in the claim document.


According to the certificate of the Electronic Notifications and Electronic Address Service, the
Application letter sent to the claimed party, on 06/29/21, through the service
of electronic notifications "NOTIFIC@", was rejected at destination on 07/10/21.

According to the certificate of the State Postal and Telegraph Society, the application document

sent to the claimed party, on 07/12/21 through the notification service
Postal service, was notified at destination on 07/22/21.

THIRD: On 08/20/21, the claimed entity submitted a written
response to the request made from this Agency, in which, among others,
stated:


       “a.- The website www.kfc.es provides data protection information in double
       layer: The first layer is located at the URL www.kfc.es/privacidad and includes
       information on the processing of personal data carried out by the
       different brands of the company and details, among others, the following: a) The

       type of information processed; b) The purposes of the treatment; c) The
       automated processing that can be performed; d) The categories of
       data recipients; e) The options and control over the information; F)
       How the data is stored and protected; g) Link to the privacy policy
       for the European Economic Area and the United Kingdom; h) Information regarding the

       privacy of minors; i) Contact information.

       The second layer is located at the URL www.kfc.es/multimarcas, and details,
       completing the first layer information, the rest of the information required
       by article 13 of the GDPR: a. Legal basis of the treatment; b.
       Data storage and transfer; c. Rights Information

       that assist the interested parties and how to exercise them; d. Contact information;
       and. Annexes detailing the categories of personal data processed, the
       purposes of the treatment and the legal bases for the treatment of the
       themselves.


       This second layer is directly accessible at the bottom of the page
       from "Privacy Notice" that leads to the URL www.kfc.es/multimarcas with
       information specific to EEA and UK residents and includes
       the rest of the information required by article 13 of the GDPR.


       Similarly, the Privacy Policy must include the following statement
       at the top to direct users to disclosures
       particular jurisdictions: “Consult our Global Privacy Policy at
       below in effect for your jurisdiction. See section 7 Disclosures

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/50








       jurisdictions to find specific additional privacy information
       of your state or country.


       Not having this statement is an omission regarding our policies
       Privacy Policy, which we will correct along with any other changes and
       improvements to be made and derived from this claim. Date
       implementation: these changes will be applied as of September 30, 2021.

       b.- Impossibility of creating an account if the sending of offers is not accepted

       specials and promotions:

       The web account creation space is designed to allow the creation
       of accounts without having to accept the sending of special offers and
       promotions. However, due to an error or failure in the configuration of the

       form, the texts corresponding to both acceptance checkboxes,
       include authorization to receive special offers and promotions.

       The text of the first checkbox is correct, this being the one corresponding to the
       express acceptance by the user to receive offers and promotions
       from KFC and is dial-optional.


       The text of the second checkbox should only include the acceptance of
       the terms, conditions of use and the privacy policy, although by mistake
       the tag "to receive special offers and promotions" was included when
       should state "I accept the terms and conditions of use and the privacy policy

       privacy to register at www.kfc.es”, and it is compulsory. Yeah
       well the text of the checkbox indicates that the authorization refers to the reception
       of offers and promotions, the internal treatment of the authorization is limited to the
       acceptance for the creation of the user account.


       Once the error is detected, KFC will proceed to correct it and
       modification so that the texts of the checkboxes correspond to the
       authorizations. Implementation Date: These changes have already been applied.

       A screenshot of the account creation form is attached.- Annex II.


       c.- The form does not provide a link to the privacy policies
       time these have to be accepted for the creation of an account.

       The web account creation form link is designed to
       allow access to the terms and conditions of use and the privacy policy.


       However, due to an error or failure in the configuration of the hyperlink, this
       points to the Legal Note instead of the correct texts.

       Once the error is detected, KFC will proceed to correct it and

       modification so that the hyperlink points to the terms and conditions of
       use. Implementation Date: These changes have already been applied.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/50








       d.- A Data Protection Officer has not been appointed, taking into account
       that the entity develops advertising and commercial prospecting activities and
       carries out treatments based on people's preferences

       affected or carry out activities that imply the elaboration of profiles of the
       same.

       From KFC we interpret that, due to the nature of data processing
       carried out, we are not obliged to designate a
       Data Protection Officer since we are not in any

       of the specific cases established by article 37.1 of the GDPR.

       In relation to these assumptions, we must emphasize the provisions of section
       b of article 37.1 of the GDPR establishes that you will be obliged to designate a
       DPO "when the main activities of the person in charge or in charge

       consist of processing operations which, due to their nature, reach
       or purposes, require regular and systematic observation of stakeholders at large
       scale".

       As established in recital 97 of the RGP, it is understood that the
       The main activities of a manager are related to "their

       primary activities and are not related to data processing
       personal as auxiliary activities, therefore, the main activities»
       can be considered the key operations necessary to achieve the objectives
       of the person in charge or of the person in charge of the treatment”.


       In this regard, KFC's core business does not focus on processing
       data of users of the website www.kfc.es, but rather this is a
       auxiliary activity to the main one, which is the provision of services
       restoration to our clients, and this is carried out, mainly, without the
       need to process their personal data and in person at

       our restaurants and venues. Orders placed remotely, either at
       through the website www.kfc.es, or through other channels, are treated as activity
       auxiliary to the main one and, due to the nature of the service, require the
       treatment of certain data of users and clients for the
       billing and delivery of orders.


       In the same way, for the obligation to designate a DPD to result, the
       Treatment should require regular and systematic observation of
       interested.

       In this regard, the Article 29 Working Group interprets "usual" with

       one or more of the following meanings:  continued or that occurs at
       specified intervals during a specified period;  recurring or repeated in
       preset times;  Occurs constantly or periodically.

       And “systematic” with one or more of the following meanings:  that is

       produces according to a system;  prearranged, organized or methodical;
        that it takes place as part of an overall data collection plan; 
       carried out as part of a strategy.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/50








       In this regard, due to the nature and purpose of data processing,
       As indicated above, the management and billing of orders
       made at the request of customers and users through the website,

       We consider that it cannot be considered as a habitual observation and
       interest system.

       In the same way, for the obligation to designate a DPD to arise, the
       Processing of personal data must be carried out on a large scale. Despite
       The GDPR does not define what is meant by large-scale processing, both the

       recital 91 of the GDPR as the Working Party of article 29 give
       guidance in this regard, taking into account the following factors when
       to determine if a treatment is carried out on a large scale: the number of
       affected stakeholders, either as a specific number or as a proportion of the
       corresponding population; the volume of data or the variety of data elements

       data that is subject to treatment; the duration, or permanence, of the
       data processing activity; the geographical scope of the activity of
       treatment.

       Data processing is limited to those customers and users who wish to
       place orders through our website, there are other channels to

       remote ordering. The volume or variety of data object of the
       treatment is limited to those necessary to carry out orders in
       compliance with the principle of data minimization. Similarly, the
       total number of users registered on the website www.kfc.es does not exceed
       20,000 and is limited to customers and users within the national territory,

       Spain. KFC does not meet any of the above factors so it does not
       We consider the processing of customer and user data carried out on a large
       scale.

       For all of the above, from KFC we have been considering

       that we were not obliged to designate a Protection Delegate
       of data. However, and based on the claim received, if from the AEPD
       believe that there is sufficient evidence that certain government activities
       treatment require us to appoint a Data Protection Officer,
       we will take it into consideration to re-evaluate the legal requirements for your
       designation.


       e.- In the privacy policies:

       The recipients of personal data are not detailed. the policy of
       general privacy included in the URL www.kfc.es/privacidad includes in its

       section 4 the information regarding how the information of the users is shared
       users, and in section 7 jurisdictional disclosures, in relation to the
       communication of data made to public authorities based on the
       state or country of residence of the user. Section 4 of the privacy policy
       Privacy describes up to 10 different categories of recipients of the

       data.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/50








       In this regard, the GDPR in its article 13.1 e) indicates that the person responsible for the
       Treatment must inform the recipients or the categories of
       recipients of personal data, if applicable.


       In the same way, the AEPD itself in its Guide for the fulfillment of duty
       to inform in its heading 7.4 Recipients, indicates the following: "When
       has planned to transfer or communicate, legitimately, the personal data that is
       collected will be informed about the identity of the recipients, if they are
       clearly predetermined, or of the categories of recipients, if these do not

       are predetermined."

       In this case and since it is a general privacy policy that
       applies to all brands and for different territories, recipients do not
       are predetermined and therefore only information is provided on the

       categories of recipients to whom the data may be communicated,
       including the purpose or purpose of the communication of these.

       We understand that the information provided in the general privacy policy
       complies with the requirements of article 13.1 e) of the GDPR regarding the
       provision of information regarding the categories of recipients.


       On the non-appearance of the details of the person in charge of protection
       of data. In this case, due to the general nature of both privacy policies,
       privacy included in the web www.kfc.es -general applicable to all
       territories and specific to residents of the EEA, UK and Switzerland-, identification

       of the data controller can be found in the Legal Notice.

       We take note of this shortcoming and we will incorporate this improvement to provide
       greater clarity and transparency to the information provided in the policies of
       privacy, redirecting users to the Legal Notice in the privacy policy

       privacy for the identification of the person in charge of the treatment in each
       territory, including Spain. These changes will be applied at the end of Sep.
       2021.

       The possibility of making international data transfers is detailed, but
       the interested party is not informed of the existence of adequacy decisions,

       guarantees, binding corporate rules or specific situations
       applicable.

       The specific privacy notice for the EEA and the United Kingdom informs the
       users of the possibility of making international transfers, it includes

       mention that, if done, KFC will ensure that:

       a) the personal information is transferred to countries recognized for offering a
       equivalent level of protection; either


       b) the transfer is made in accordance with appropriate safeguards,
       such as the standard clauses on data protection adopted by the Commission
       European. Notwithstanding these measures, the country and jurisdiction to which


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/50








       transferring the data can provide a level of data protection
       lower than that provided for in EEA or UK law.


       Although this information may seem too generic, we take note and
       we will incorporate an improvement to provide greater clarity and transparency to the
       training provided in the privacy policy, redirecting users to
       the contact addresses of each person in charge in each territory, so that
       may request additional information on international transfers
       that can be realized and the appropriate guarantees used to guarantee the

       adequate level of security in them.

       Attached is a screenshot of the information provided about
       international transfers as Annex III. Implementation date: these
       Changes will be applied as of September 30, 2021.


       d. The time of conservation of the data is not detailed.

       The privacy policy included in the URL www.kfc.es/privacidad includes in
       its section 6 the information regarding the data retention period.


       Article 13.1 a) of the GDPR indicates that the data controller
       must inform the period during which the personal data will be kept
       or, when this is not possible, the criteria used to determine this term.

       In this case and since it is a general privacy policy that

       applies to all brands and for different territories, the retention periods
       of the data are not predetermined and therefore it is provided only
       information regarding their conservation criteria, indicating
       that they will be kept “for the time reasonably necessary to maintain the
       Service, comply with legal and accounting obligations, and other purposes

       described in this Policy, or as otherwise required or permitted by law.”

       The information related to the retention period of the data is attached as Annex IV.
       data. Therefore, we understand that the information provided in the privacy policy
       general privacy complies with the requirements of article 13.1 a) of the GDPR in
       regarding the provision of information regarding the conservation periods

       of the data or the criteria to establish said deadlines.

       However, and as though this information may seem too much
       generic, we take note and will incorporate an improvement to provide greater
       clarity and transparency to the information provided in the privacy policy,

       we will incorporate conservation criteria or longer conservation periods
       specific to the privacy notice specific to the EEA and UK. Date
       implementation: these changes will be applied as of September 30, 2021.

FOURTH: On 10/25/21, by the Director of the Spanish Agency for

Protection of Data, an agreement is issued to admit the processing of the claim
presented, in accordance with article 65 of the LPDGDD Law, when assessing possible
rational indications of a violation of the rules in the field of competences
of the Spanish Data Protection Agency.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/50









FIFTH: Dated 11/30/21 and 02/09/22, within the framework of the actions carried out
by the General Sub-directorate of Data Inspection in order to clarify certain

facts of which this Spanish Agency for the Protection of
Data, and in use of the powers conferred by article 58.1 GDPR and art. 67
LOPDGDD required the requested entity to provide further information on: a).- the
list of activities of the entity that involve processing of personal data,
expressly detailing if client treatments are carried out for purposes
advertising; b).- For each activity, the following must be provided: number of customer data that

treat, variety of data elements of each client that are subject to treatment,
time during which the data of each client is processed and detail of the permanence
of such data in their information systems; the geographical or territorial scope of
the treatments detailing if their systems process data related to clients of a
certain territorial scope or of the entire national territory and c).- summary of the

analysis carried out by your entity to assess the need to appoint a DPD,
indicating if they have named it and if so if it has been communicated and published.

SIXTH: On 03/01/22 and 03/10/22, the claimed entity sent to this Agency,
two separate writings in response to the requirement made by this Agency, in the
which, among others, informs about the following aspects:


       "An extract from the Record of Treatment Activities (RAT) is provided in
       where all the processing activities carried out by
       KFC in connection with advertising activities with customers, indicating the
       number of customer data whose data is processed and the type of data

       treated for each activity, as well as the time during which they are treated
       said data.

       In this regard, KFC has a conservation calendar for
       data and internal protocol of conservation / deletion of personal data

       they have ceased to be necessary. It should be noted that from KFC it is not
       under no circumstances perform profile analysis; processing activities
       related to the sending of commercial information are carried out based on the
       user consent (opt-in system) and without user segmentation.

       The processing activities related to advertising are carried out

       always with the prior consent of the user, unlike the
       processing activities related to the fulfillment of requests for
       users that are carried out on the basis of the performance of a contract.
       The geographical scope of the treatment activities is Spain, being the
       Centralized data management for the entire national territory.


       Regarding the analyzes carried out by your entity to assess the need for
       appoint a DPO, indicating whether they have been appointed and if so, whether they are
       communicated and published:


       In this regard, from KFC it has been understood that there is no obligation to
       appointment of the DPO, because the processing activities carried out
       They are not limited to those of article 37 GDPR nor is the entity among the
       obligated in article 34 LOPDGDD.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/50









       In the same way, compliance management in terms of data protection
       It has been exercised by internal personnel specialized in data protection,

       in particular, from the UK, through B.B.B., Global Privacy Lead CounselHead
       and the consultancy of external experts in each of the countries from which
       it is operated.

       However, and as previously indicated, internally we will proceed to
       periodically evaluate the need for its designation, based on the

       possible operational changes as well as the start of new business branches
       that may involve the incorporation of new processing activities, the
       in order to offer greater guarantees of compliance to our clients
       and users regarding the activities and procedures in the treatment of
       personal data, in particular, if processing activities are initiated to

       profiling.

       II.- That on March 1, 2022, a written request for
       extension of term given the complexity and volume of
       information and/or documentation to be managed in order to be available to
       complete the aforementioned requirement in the most appropriate way possible to

       the good end of the processing of the requirement, as well as the need to
       coordinate response with US parent company, Yum
       Restaurants International Management LLC, confirming by the AEPD the
       granting said extension of term.


       III.- That, by virtue of the aforementioned requirement, this Agency is provided with the
       documentation required as follows: Copy of extract Registration of
       Processing activities related to clients and purposes
       advertising as Annex I and Copy of Internal Analysis carried out to evaluate the
       need to name DPD as Annex II


SEVENTH: On 03/21/22, by this Agency, when accessing the "Policy of
Privacy” of the web page, www.kfc.es , it was possible to verify the following
characteristics:

a).- On obtaining the consent of users for the treatment of their

personal information:

1º.- Through the link: <<Create your account>>, located at the top of the page
main page, the website redirects to a new page https://www.kfc.es/cuenta/registro where
The user can register on the web and where the name, surname,

phone, email and credit card number.

In order to send the form, the user must necessarily click the option:

       _ I accept the <<Terms of use>>.


There is also the possibility of registering voluntarily, to receive offers
specials and promotions, clicking on the option


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/50








       _ I want to sign up to receive special offers, raffles and promotions for
       part of KFC and/or its franchisees. For more information, visit our
       <<Privacy Policy>>. <<Create my Pollo Pollo account>>


2º.- Through the link: <<Start Order>>, located at the top of the
main page, the web redirects to a new page https://www.kfc.es/store-selection
where you can make the selection of the order and the option to receive it at home
or pick it up at the establishment.


Once the order has been selected, to process it, the website redirects the user to a new
page https://www.kfc.es/checkout, where personal data must be entered
of the user: name, surname, telephone, email and credit card number.

In order to send the form, the user must necessarily click the option:


       _ I accept the <<Terms of use>>.

There is also the possibility of registering voluntarily, to receive offers
specials and promotions, clicking on the option


       _ I want to sign up to receive special offers, raffles and promotions for
       part of KFC and/or its franchisees. For more information, visit our
       <<Privacy Policy>>.
                                       <<Order Now>>


3º.- Through the link: <<Work with us>>, located in the menu on the
upper right, the web redirects to a new
https://www.kfc.es/nosotros/trabaja-en-kfc where the user can register or register
Register, to receive job offers, at the link: https://kfc.epreselect.com/General/
Alta.aspx


Once the personal data has been entered: name, surname, email, ID, the user
You must necessarily click on the boxes:

       _ I am not a robot.


       _ I have read, understand and accept the <<Privacy Policy>>

There is also a banner with the following information:

       Basic Information on Data Protection: Responsible: KFC IBERIA;

       Purposes: Include in the database of candidates of the Company the data
       of the curriculum vitae that you provide us when you create your account with us to
       use them in future selection processes in which your profile may fit;
       Legitimation: Consent of the interested party; Recipients: We will not communicate
       your data to third parties except legal obligation and to the companies indicated in

       the additional information.

4º.- Finally, there is also the possibility of providing personal data to the
entity through the subscription page for special offers and promotions,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/50








https://www.kfc.es/subscripcion, where the user must provide the name,
last name and email.

Before being able to send the subscription newsletter, the user must click on the option
to accept it:


       _ I want to sign up to receive special offers, raffles and promotions for
       part of KFC and/or its franchisees. For more information, visit our
       <<Privacy Policy>>.

b).- Regarding the “Privacy Policy”:


1º.- If the clauses of the "Terms of Use" of the web are accessed, through the
existing links in the different forms or through the link exists in the part
bottom of the main page, the web redirects to a new page
https://www.kfc.es/nota-legal , where information is provided, among others, on

the following aspects:

       (…) Contact: the websites are owned and managed by kfc restaurant spain
       s.l. a company registered in Spain, whose registered office is at
       Serrano Galvache 56, Madroño building, 3rd floor, KFC, Madrid, 28033. CIF:
       B86281599. To contact us, call +34 917

       68 07 30.

       Registration: Data protection: we will collect, store and process your
       personal information in accordance with our privacy policy. please,
       please read our <<privacy policy>> to make sure you are satisfied
       and understand its content before creating an account.


       Terms and conditions for orders placed via mobile:

       data protection: we will collect, store and process your
       personal information in accordance with our <<privacy policy>>. by
       Please read our privacy policy to make sure you are satisfied.

       and understand its content before creating an account.

       If you are not satisfied with the service you have received, please contact
       us through clientes@kfc.es or +34 91 904 18 81 (…)

2º.- If you access the "Privacy Policy" of the web, through the links

existing in the different forms or through the link exists at the bottom
from the main page, the web redirects to a new page
https://www.kfc.es/privacidad, where information is provided, among others, on
the following aspects:


       “About the personal information they collect; How they use the information
       staff; What information may be collected automatically; As
       share the collected information; About the options and control over the
       information collected, how they store and protect the information; On
       European jurisdictional regulations expressly indicate the following:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/50








       "When we have an establishment in the European Economic Area
       (“EEA”), the United Kingdom or Switzerland, or we are processing personal data
       relating to persons located in the EEA, UK or Switzerland, please click

       <<click here>> for additional information about our privacy practices
       data privacy; About children's privacy; About links to others
       websites and services; How to contact the site managers
       Web; And about the changes in the privacy policy (…)”.

3º.- If you access the "Privacy Notice" of the web, through the link that exists in the

bottom of the main page, the web redirects to a new page
https://www.kfc.es/multimarcas, where specific information is provided on the
processing of personal data obtained in the EEA, United Kingdom or Switzerland and between
it, you will find the following information:


       About the Treatment Manager: KFC Spain: KFC Restaurants
       Spain, S.L. with NIF B86281599 and address at Calle Serrano Galvache (Pq.
       Business Pq. Norte), 56 - Edif. Olmo Fifth Floor, Madrid, Madrid. Mail
       Email: clientes@kfc.es. Telephone: 91 904 18 81. On the legal basis
       for data processing. On the basis of the consent given and
       on the right to withdraw your consent at any time, when

       have granted. About the storage and transfer of data in the EEA and
       the United Kingdom. On the individual rights of EEA residents and
       how to exercise it, and the right to file a claim with your authority
       local. How to contact the person in charge of the web.


In addition to the information provided in the "Privacy Policy" and in the "Notice
of Privacy” two annexes are attached with the following information:

    - Annex 1 sets out in detail the categories of personal information re-
       collected, as well as the legal basis on which they are based to treat the information

       personal information and the recipients of such personal information.

    - Annex 2 sets out the categories of personal information that they collect and
       how they use that information. The table also lists the legal basis in
       on which they are based to treat personal information and the recipients of such
       personal information.


EIGHTH: On 05/31/22, by the Board of Directors of the Spanish Agency for
Data Protection, a sanctioning procedure is initiated against the claimed entity, at
appreciate reasonable indications of violation of the provisions of the articles:


       a).- Violation of article 6.1 of the GDPR due to the non-existence of a mechanism
       that allows users to give their consent to the processing of their data
       personal data for each and every one of the purposes for which the
       personal data, when applicable, with an initial penalty of 30,000
       euros (thirty thousand euros).


       b).- Violation of article 37 of the GDPR, due to the failure to appoint a
       Data Protection Officer; with an initial sanction of 20,000 euros
       (twenty thousand euros)

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/50









       c).- Violation of article 13 of the GDPR, due to the lack of information provided
       in the "Privacy Policy" on the processing of personal data

       obtained, with an initial penalty of 5,000 euros (five thousand euros).

As certified by the Single Authorized Electronic Address Service (DEHÚ), the letter
of initiation of the file sent to the claimed party, on 05/31/22 through the
electronic notification service "NOTIFIC@", was made available to the
claimed party 06/01/2022, appearing in the certificate as the date of rejection

automatic, on 06/12/22.

Although the notification was validly made by electronic means, assuming that
carried out the procedure in accordance with the provisions of article 41.5 of the LPACAP, under
informative, a copy of the document to initiate the file was sent by postal mail

which was delivered at destination on 07/26/22.

NINTH: Notified the initiation agreement to the claimed party, the latter in writing
dated 08/09/22 formulated, in summary, the following allegations:

       FIRST.- REGARDING THE PROPOSED SANCTION FOR

       VIOLATION OF ARTICLE 6.1. OF GDPR.

       1.1. THE RESEARCH ACTIVITY OF THE AEPD IS INSUFFICIENT TO
       ORDER THE START OF THE SANCTION PROCEDURE


       Article 53 of Organic Law 3/2018, of December 5, of
       Protection of Personal Data and guarantee of digital rights (in
       forward, "LOPDGDD"):

       "1. Those who carry out the research activity may collect the

       precise information for the fulfillment of its functions, carry out
       inspections, require the display or sending of documents and data
       necessary, examine them in the place where they are deposited or in
       where the treatments are carried out, obtain a copy of them, inspect
       the physical and logical equipment and require the execution of treatments and
       treatment management and support programs or procedures subject to

       investigation".

       For its part, article 67 of the LOPDGDD provides the following: 1. Before
       the adoption of the agreement to start the procedure, and once admitted to
       process the claim, if any, the Spanish Agency for the Protection of

       Data may carry out preliminary investigation actions in order to achieve
       a better determination of the facts that justify the procedure”.

       In other words, the AEPD is responsible for carrying out the investigation tasks
       sufficient to determine the scope of potential infringements committed

       prior to issuing the agreement to initiate any procedure
       sanctioning. And this in accordance with the provisions of article 68 of the
       LOPDGDD; specifying said article that the initiation of the procedure for the
       exercise of the sanctioning power will proceed once the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/50








       investigative actions of the AEPD and, in any case, if as a result of
       said investigations, it is appropriate to initiate such a procedure.

       Based on the foregoing, it should be noted that the reasons why the AEPD
       proposes a penalty of 30,000 euros in the framework of this procedure

       sanctioning are exposed on pages 31 and 32 of the Agreement of
       Beginning of Sanctioning Procedure. These reasons are summarized in that KFC
       carries out personal data processing for purposes "written in accordance with
       generic form, which allow unlimited post-processing, once
       fulfilled the purpose for which they were obtained."


       In this regard, the AEPD upholds its decision – without taking into account the
       aggravating circumstances, which will be duly refuted later
       in this writing– SOLELY AND EXCLUSIVELY in the wording of the privacy policy
       privacy that is published on the KFC website at the time of carrying out
       carried out by the AEPD its investigative work. And this without taking into account that:


       The purposes indicated in the privacy policy on which it is proposed
       sanction describe potential situations and do not imply that they are
       actually carried out, or are carried out in a manner
       totally lawful as will be exposed; and most importantly, such further
       Treatments for which a sanction is proposed are not included in the Registry

       of Treatment Activities already provided to the AEPD, which represents a clear
       lack of contrast on the part of the AEPD when determining the eventual
       existence and scope of the presumed infringement committed and the calculation of the
       proposed sanction.

       KFC is at all times in compliance with its obligations regarding

       protection and data and specifically with those derived from the legality of the
       processing of personal data that it does carry out in accordance with the
       Article 6 of the GDPR. Without going any further, the AEPD says nothing about the forms
       collection of personal data transcribed on pages 13 to 16 of the
       Agreement to Initiate Sanctioning Procedure. They show the
       good behavior of KFC and the correct management that it does when picking up

       personal data of its interested parties and the adjusted information by layers that
       provides about the treatments that it actually performs.

       However, the AEPD proposes a sanction for the violation of article 6 of the
       GDPR against KFC for the inclusion in its privacy policy of treatments
       which include terms such as: “we may use”; or "we can share" that

       they cannot at all conclude that KFC actually carries out treatment
       some. The AEPD in its Agreement to Initiate Sanctioning Procedure is
       talking about hypothetical treatments without any supporting evidence
       that they are actually being carried out.


       Furthermore, as explained in the prior information phase that precedes
       this disciplinary procedure, the Registry of Data Treatment Activities
       KFC requested and duly provided in due time and form before the AEPD,
       incorporates customer treatments for advertising purposes. between sayings
       There are none of the treatments that the AEPD now mentions.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/50








       to propose sanction. As much as KFC's privacy policy left
       open the possibility of processing data for the purposes of "profiling, programs
       reward or customer loyalty; to share, sell or

       disclose the information obtained to the parent company, to other companies in the
       group or subsidiaries other than for administrative management or to sell,
       share or disclose the personal data obtained", the truth is that said
       treatments are not currently carried out by KFC, as stated
       duly of the aforementioned Registry of Treatment Activities provided to the
       file, which does not say anything about said treatments, nor

       about the data communications to third parties that are mentioned (and cannot be
       say so, because these treatments are not carried out by our company).

       In addition, KFC does not conduct any activity related to a food program.
       reward or customer loyalty. This has not been confirmed by the AEPD

       in the transcription of the privacy texts contributed to this procedure
       nor by the complainant in his claim.

       The investigative activity of the AEPD in these proceedings was
       exclusively to require KFC to provide:


       «List of activities of the entity that involve data processing
       personal, expressly detailing if client treatments are carried out
       for advertising purposes For each activity you must provide:

       O number of customer data they process, O variety of data elements

       of each client who are the subject of treatment, OR time during which
       treat the data of each client and details of the permanence of said data in
       its information systems; Or the geographic or territorial scope of the
       processing detailing whether their systems process data relating to clients of a
       certain territorial area or the entire national territory.


       Having observed the existing inconsistencies between what is described in the
       Record of KFC Treatment Activities and what is reported in its privacy policy
       privacy, the AEPD should have continued its investigative work and not
       should have proposed a sanction given the clear and evident lack of elements of
       conviction that would even allow us to intuit that KFC had committed

       any breach of the GDPR of the nature described here.

       By way of illustration, the RAT provided to the procedure of
       Information request E/12752/2021 followed by this Agency: 1.2.
       IN THE PRIVACY POLICY INVESTIGATED THERE ARE IDENTIFIED

       TREATMENTS THAT CAN BE CARRIED OUT AND THERE IS A BASIS
       ENOUGH LEGITIMATING FOR IT

       Notwithstanding what is described in Claim 1.1. above, and that KFC never
       has carried out the treatments described in the Initiation Agreement

       Sanctioning Procedure of the AEPD, it is noteworthy that even in the case
       that the processing of personal data indicated by the AEPD had
       took place, they are identified in the KFC privacy policy
       which is transcribed in the aforementioned Agreement to Initiate Proceedings

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/50








       Sanctioning and without foundation to propose a sanction based on the article
       6.1 of the GDPR.


       The AEPD proposes a sanction to KFC for carrying out subsequent treatments to those
       identified in the KFC privacy policy based on article 6.1 of the
       GDPR, but really the only way you are aware of such
       treatments is precisely for what is indicated in the privacy policy of
       KFC.


       That is, a sanction is being proposed for carrying out further processing
       that they are identified in KFC's own privacy policy. Of
       In fact, it is the AEPD itself that, to justify its sanction proposal, extracts
       paragraphs of KFC's privacy policy stating that KFC
       may carry out said treatments with respect to its interested parties.


       What should not be confused is the execution of processing for purposes
       further, on the one hand, with the duty of transparency ex article 13 of the GDPR
       on the other, when describing said treatments and their legitimizing bases. AND
       is that, for this, the AEPD is already proposing a sanction as can be seen in the
       page 40 of the Agreement to Initiate Sanctioning Procedure. I already know KFC

       is proposing a sanction for breach of the duty of transparency, and the
       The reality is that the AEPD is making up a second sanction for lack of
       transparency shielded by an implausible violation of article 6.1 of the GDPR
       based on evidence that is precisely obtained from the policy of
       KFC privacy. It is completely incongruous to propose a sanction to a

       controller for carrying out further processing
       identified in its own privacy policy precisely because the
       The main reason for sanctioning for further processing resides in a
       data processing for a purpose other than that initially informed –
       Considering 50 GDPR–.


       In any case, we can speak of an omission to identify the bases
       legitimizing of each of the treatments that the AEPD identifies in its
       Agreement to Start the Sanctioning Procedure, but as will be seen, the lack
       of transparency on the identification of the legitimizing bases does not imply
       unlawful processing of personal data:


       When talking about "personalizing your experience with us" the
       AEPD is confusing profiling with a mere activity
       segmentation for the sole purpose of carrying out marketing activities
       perfectly compatible with the rules of protection of

       data and with the criteria of the European Committee for Data Protection, as well as
       of the Article 29 Working Group. The fact that KFC adjusts the offer of
       your products and services to the preferences expressed by your customers
       during the purchase of products is inherent to the activity of any
       company that is duly organized and that carries out an activity

       diligent and oriented to the best service to its clients.

       The Article 29 Working Group, in its Guidelines on Decisions
       automated individual and profiling purposes for the purposes of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/50








       Regulation 2016/679, of October 3, 2017, indicates that the activities of
       user segmentation can be treated with different legitimizing bases,
       among them, the execution of the contractual relationship between the client and the

       controller, and the legitimate interest pursued by the controller
       of the treatment, in this case KFC.

       The truth is that, to date, the AEPD has not required KFC to indicate the
       legitimizing basis of this processing of personal data insofar as it is
       proposing a sanction for an unfortunate and non-existent infraction.

       Likewise, the segmentation that emerges from the wording of the privacy policy
       KFC's privacy matches the parameters set forth by the Group of
       Work of Article 29 to base such treatment either on the execution of the
       contractual relationship, or in the legitimate interest of KFC: from reading the
       privacy policy does not follow the elaboration by KFC of a

       exhaustive or detailed profile subject to the prior consent of the interested party,
       especially if we take into account the main activity of KFC, which is none other than
       the sale of fried chicken in physical establishments.

       What can be the degree of completeness of the profiling for the sale of
       products of this type? If the customer prefers a bucket of fried chicken or a

       chicken burguer? Of course, it cannot be concluded that
       profiling activities are taking place subject to consent to
       based on the information available to the AEPD.

       Regarding the geolocation treatment indicated by the Agency,

       It should be emphasized that our privacy policy clearly states in
       section "5. Your Choices and Control Over Your Information" which will only be discussed
       under the consent of the interested party: consent that, in addition, comes
       complemented by the privacy configuration options that are
       offer to users and that are clearly explained in our privacy policy.

       privacy.

       The other treatment identified by the AEPD is "promoting our
       affinity and rewards programs” – this can clearly be done by KFC,
       both for those clients who have given their consent for
       promotions, as for any other client in accordance with the provisions of the

       Article 21 of Law 34/2002, of July 11, on Services of the Society of the
       Information and Electronic Commerce. In addition to the fact that, as indicated,
       it is not a further treatment, it is a treatment clearly identified in the
       privacy policy and clearly linked to KFC's own activity
       linked to the treatment of the data of the people who, voluntarily,

       register on our website.

       Regarding the communication of personal data both with third parties
       as an intragroup, indicate that section 4 of the KFC privacy policy
       identifies all categories of third parties that can access data

       data subjects and under what circumstances. Not again
       We are talking about a matter of subsequent processing ex article 6.1.
       of the GDPR but whether the information provided is sufficiently


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/50








       transparent, for which, a sanction is already being proposed (so the one that
       is now proposed is not applicable, based on the principle of non bis in idem).


       Lastly, in terms of considering the reference in the
       our privacy policy to "service providers" as recipients
       of the data of our registered web users, it could not be more outside
       instead, for the following reasons:

       We reiterate: in any case, the foregoing would imply an alleged violation

       of article 13 GDPR, for the alleged violation of which by KFC already
       proposes sanction for which, again, it is not appropriate to sanction again based on
       to article 6.1 GDPR by application of the non bis in idem principle;

       But it is also that sharing data from our registered users with

       service providers, with whom KFC has duly signed the
       corresponding custom treatment contracts, it is not at all
       no data processing subsequent to the main processing of the data
       said users, but something intrinsically linked to said treatment
       major. Anyone with elementary knowledge of economics knows
       of the existence of the value chain, and that all economic activity is

       supported by the concurrence of external providers to whom it is entrusted
       more efficient management of production processes of any
       organization

       If the above were not enough, the art itself. 13 GDPR allows for

       expressly identify the recipients of data by "categories" of the same,
       with which, with the reference to external providers, it is complied with
       said precept when providing information to our users
       registered.


       SECOND.- REGARDING THE PROPOSED SANCTION FOR
       VIOLATION OF ARTICLE 37 OF THE GDPR.

       The AEPD identifies a possible offense committed by KFC for not having
       appointed a data protection delegate being obliged to do so according to
       the criteria of article 37 of the GDPR, mentioning the established criteria

       by the Article 29 Working Group to determine the need for
       designate a data protection officer.

       Where this part does not coincide with the actions of the AEPD in the present
       procedure is in the form of applying the Guidelines on Delegates of

       Data Protection to the present factual assumption to conclude that KFC
       You must designate a data protection officer.

       Next, the conclusions reached by this part are exposed to
       consider that the elements indicated in article 37.1 b) of the GDPR are not

       comply and that, therefore, it is not necessary to designate a delegate of
       Data Protection:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/50








       (i) Regarding the "main activity": In accordance with what is specified by the
       Working Group of Article 29, the main activities must be associated with
       those activities and “key operations necessary to achieve the objectives”

       of any company in its commercial activity.

       The AEPD makes use of examples such as hospitals or companies of
       private security whose operations and activities are closely linked
       to the processing of personal data – health data, and systematic surveillance
       respectively-. However, the main activity of KFC is the provision of

       catering services at physical points of sale through its
       franchisees without the need for any personal data processing
       relating to consumers of such products.

       It does not make sense that the AEPD on page 43 of the Agreement to Begin

       Sanctioning Procedure, indicate that the corporate purpose is not related to
       the main activity, and then use the KFC corporate object to say that you are
       obliged to designate a data protection officer. But it is that, in addition,
       our website is by no means the center of KFC's activity,
       rather, it is only one of the channels that KFC uses to put into
       contact consumers of our products with franchisees at

       through which our products can be purchased (among other
       channels that KFC uses to achieve this purpose is advertising
       in the media, advertising on public roads, advertising campaigns
       sponsorship and sponsorship, alliances with third-party organizations, etc…).


       Consequently, it is clear that KFC does not use its website as a
       main selling point of its products (such main selling points are
       and they will always be the establishments of its franchisee network). As
       As indicated above, KFC online sales during 2021 rose
       to 2,530,000 euros. This is 1.1% of total KFC sales in

       Spain through its franchisees; therefore, indicate that «nature
       of the plaintiff's activity inextricably requires the treatment of
       personal data, without which its development would be impossible" is a
       conclusion that is not only erroneous and imprecise from the moment in which the
       The bulk of KFC's income in Spain comes from sales other than those of
       its web page, but also lacks any proof from

       from the agency.

       The RGPD pronounces precisely in this line in its Recital
       97 when understanding that «the main activities of a person in charge are
       related to their primary activities and are not related to the

       processing of personal data as ancillary activities”. Having in
       account the disproportion of KFC's online sales with respect to its volume
       of total sales, it can hardly be understood that such activity is
       considered as primary and, therefore, as principal.


       In short, if the criteria set forth by the AEPD were followed, any company that
       Have a website as a complementary channel for your activity
       would be obliged to designate a data protection officer, and this
       conclusion would void articles 37 of the GDPR and 34 of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/50








       LOPDGDD, and it would be clearly contrary to the letter and the spirit of the norm
       Regarding this specific obligation to designate a person responsible for
       ensure compliance with privacy regulations.

       Regarding "regular and systematic observation": The

       KFC activity on its website with the definitions given by the
       AEPD itself, since there is neither "a general data collection plan" nor is it
       carried out "as part of a strategy", neither the AEPD provides proof nor
       any evidence of such accusations. The only thing that happens to the data
       personal information processed in the KFC web environment of its customers is that they carry out
       orders to receive food at home or pick it up in establishments

       KFC franchisees and promotional campaigns and actions are carried out to
       retain customers. In no case carrying out a systematic follow-up of
       the interested. Geolocation tasks only occur, as is
       obvious and evident, when the interested party wishes to locate a store near him,
       when you want to receive the order at your home, or when -existing base

       appropriate legitimizing – wishes to receive promotional information from the place in which
       which is found This is by no means constant over time and can only be
       produced at the request of the user who makes use of the KFC website and after having
       obtained your consent.

       Regarding "large-scale" treatment: At this point, we

       We fully refer to what is indicated in the Fourth Subsequent Allegation. He
       volume of data from customers who placed orders in the online environment of
       KFC in 2021 amounts to 110,000 registrations, which made 153,439
       orders; another 100,000 records are those that received communications
       commercial during 2021. All of them, limited to the geographical area of
       Spain for specific purposes and identified in the policy of

       privacy.

       Added to this, the risk in the treatment is low, since they are not treated
       data of the categories established in articles 9 and 35 of the GDPR, as well as
       nor do the circumstances indicated for this purpose in the guidelines
       and guidelines of the Article 29 Working Group, nor in the conditions

       indicated in article 28 of the LOPDGDD. All of this, as can be seen
       Record of Treatment Activities of constant reference.

       Added to this, it should be made clear that the AEPD throughout the phase of
       investigation has not been able to link the data processed by KFC on its page
       web to any app, much less to a widely implemented app (which

       is too ambiguous a term to be considered a sufficient criterion
       enough to propose a sanction of 20,000 euros).

       Lastly, with regard to geolocation, it should be noted that,
       As specified before, said activity is not included in

       no data protection regulations as high-risk data or
       especially protectable. The only example can be found in the article
       28.2 section d) of the LOPDGDD, and in this regard it must be qualified that said
       geolocation, actually corresponds to a monitoring
       system intended for profiling and based on the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/50








       geolocation and movement tracking; which it does not do at all
       KFC.

       The previous elements, valued as a whole, can in no way
       determine that KFC must designate a data protection officer and

       confirm the legal analysis of the information request procedure
       E/12752/2021, in which KFC confirmed having carried out the analyzes
       pertinent and concluded that they did not need to designate such a figure. Which
       makes this second sanction proposal inadmissible.

       THIRD.- REGARDING THE PROPOSED SANCTION FOR

       VIOLATION OF ARTICLE 13 OF THE GDPR.

       The AEPD considers that after reading the privacy policy of
       KFC and the description of the purposes of the treatment that is carried out in it,
       KFC is committing a violation of article 13 of the GDPR in that it does not

       is complying with the duty of transparency that is required of it when informing
       its interested parties about the purposes of the treatments it carries out.

       For this, it applies the criteria established in article 74 of the LOPDGDD and
       qualifies the infraction as minor. In this regard, KFC has nothing to add
       and refers to what is indicated in the First Allegation of this brief of

       allegations, without prejudice to pointing out that, as the AEPD itself confirms in its
       resolution to initiate disciplinary proceedings, throughout the process of
       previous information that precedes this KFC procedure has been
       improving its privacy policy in those aspects in which, according to
       the information requirements received from the AEPD itself, it has been
       understood they were susceptible to improvement. However, the AEPD imposes for such

       non-compliance a sanction that exceeds the criteria for the imposition of
       sanctions established in the GDPR itself. Without going any further, Recital
       148 of the GDPR establishes the following:

        "In order to strengthen the application of the rules of this Regulation,
       any violation of this must be punished with sanctions, including fines

       administrative, in addition to appropriate measures imposed by the
       supervisory authority under this Regulation, or in substitution of
       are. In the event of a minor infraction, or if the fine likely to be
       imposed constitutes a disproportionate burden on a natural person,
       Instead of a sanction by means of a fine, a warning may be imposed.


       The truth is that there are no sanctioning precedents in terms of
       protection of data that compromise KFC, and the entity is already in
       procedures to update the information that it provides to its stakeholders in environments
       digital. KFC considers that in the absence of aggravating circumstances for
       the imposition of any sanction –as explained below– and

       taking into account what was stated in the different allegations, as well as that the
       offense has been classified as minor, a warning corresponds as
       sanction instead of the fine of 5,000 euros proposed by the AEPD.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/50








       FOURTH.- THERE ARE NO AGGRAVATING CIRCUMSTANCES THAT
       INCREASE THE AMOUNT OF THE PROPOSED SANCTIONS


       To determine the amount of the sanctions proposed by the AEPD for
       amount of 30,000 and 20,000 euros, the Agency itself resorts to two elements
       which are nowhere near the reality of KFC's commercial activity in
       Spain.

       The first of them refers to the intention of the infringement

       committed. For this, the AEPD bases its reasoning on the Judgment of the
       National Court of October 17, 2007. Said sentence specifies that
       to assess the degree of diligence required of the person responsible for the treatment must
       attention to determine if "the appellant's activity is constant and
       copious handling of personal data.


        The truth is that, although activities are carried out in digital environments -the
       sale of KFC products on the internet – and it can be deduced that he takes a
       constant data processing, UNDER NO CIRCUMSTANCES such processing
       of constant data should automatically be understood by abundant, by the
       mere fact that KFC is a recognized brand in Spain. The Registry of

       Treatment Activities contributed to the procedure for requesting
       information E/12752/2021 clearly indicates that the total number of users
       registered through the KFC website in Spain in 2021 does not exceed
       110,000, who placed 153,439 orders in 2021, and the number of
       records that receive commercial communications (opt-in) is 100,000;

       these being the maximum data of interested parties linked to the treatments
       for which the AEPD proposes sanction.

       We must remember that the Working Group of Article 29, Guidelines on
       data protection delegates (DPD), specifies what criteria must be

       be taken into account to consider that there is a large-scale data processing
       scale, or abundant, as indicated by the National Court:

       "In any case, the Working Group recommends that consideration be given to
       the following factors, in particular, when determining whether the treatment
       is done on a large scale:


       the number of stakeholders affected, either as a specific number or as a
       proportion of the corresponding population; the volume of data or variety
       of data elements that are subject to processing; the duration, or
       permanence of the data processing activity; the geographic scope of

       processing activity.

       In the present case, it must be indicated that the data of on-line users by
       of KFC (110,000 registered users), with respect to the total population
       Spanish who buys online (28.5 million citizens) is negligible, so

       it is only 0.00385% of the total. The variety of data from such users
       registered KFC, as the AEPD itself acknowledges, is also reduced because
       only contact data, location data and data are processed
       identifiers to provide the services and provide the products offered. The

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/50








       duration of the treatment as indicated in the Register of Activities of
       Treatment is 5 years maximum. And the geographic scope is limited
       to Spain.

       For all these reasons, the application of this aggravating factor is entirely

       unfair. In addition, and with regard particularly to the sanction
       regarding not designating a data protection officer, it is absolutely
       inappropriate to apply such an aggravation of guilt, since KFC has
       carried out –and has demonstrated it– the pertinent evaluations for
       consider that it is not necessary to designate a data protection officer.
       If the sanction is confirmed, such an aggravating circumstance should not be taken into account by

       how much KFC has taken all precautions fulfilling its duty to
       proactive responsibility to analyze the need to appoint a delegate of
       protection not considering it necessary.

       Secondly, and regarding the second aggravating circumstance proposed by the AEPD,

       It is hard to believe that an aggravating circumstance is imposed on KFC in the sanction proposed by
       "the level of implementation of the KFC entity in the country's economy". To the
       In this regard, the following data is highlighted:

       According to the data of the National Institute of Statistics in its Survey
       on the use of ICT and electronic commerce in companies of the Year 2020 –

       First quarter of 2021 (https://www.ine.es/prensa/tic_e_2020_2021.pdf)-, the
       volume of sales made by companies through electronic commerce
       in 2020 it amounted to 275,011,398,000 euros. The 2.5 million euros of
       sales made by KFC through its website does not amount to more than the
       negligible 0.00009% of the national total of sales made by trade
       electronic.


       Likewise, according to the study published by the entity Adevinta and
       called "online commerce is consolidated in Spain: 86% of the
       population buys and sells through the internet»
       (https://www.adevinta.es/stories/articles/comercio-onlineconsolida-pulso-
       digital), «48% of the Spanish population carried out the entire purchase process

       by Internet". That is, almost 23 million people in Spain. The 110,000
       Registered users on the KFC website represent the tiny proportion
       of 0.00478% of the aforementioned 23 million.

       Of course, the aggravating criterion raised by the AEPD has no place
       since it is highly questionable that KFC for its activity on-

       line and in view of the exposed data, have a level of implementation
       relevant in the Spanish economy, especially if one takes into account that the 2.5
       million euros billed by KFC do not mean anything with respect to the
       total sales identified by the National Institute of Statistics and that the
       110,000 registered users on its website represent a very

       small part of the total population that buys online in Spain.

       TO THE AEPD I REQUEST: Consider this document, its copies,
       admits them, and considers the previous allegations formulated in the Agreement of
       Initiation of Sanctioning Procedure PS/00140/2022, so that by joining

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/50








       to the same, issue a resolution annulling the sanction proposals
       formulated and file without further formalities the aforementioned procedure
       sanctioning.


       SUBSIDIARILY, TO THE AEPD I REQUEST: In the case of considering that
       KFC has committed any of the violations described in its proposition of
       sanction, sanction KFC only with respect to the one relating to non-compliance with
       the obligations of transparency indicated in article 13 of the GDPR, and with
       warning, given that there is no record of sanctions against this

       Agency, the lightness of the offense committed in the terms of the
       AEPD, KFC's patent will to improve its level of compliance
       normative demonstrated in the prior information procedures that precede the
       present procedure, and the non-commission of the other offenses indicated in
       its Agreement to Start the Sanctioning File”.


TENTH: On 11/16/22, the proposed resolution is sent to the claimant in the
which, it was proposed that, by the Director of the Spanish Agency for Data Protection
proceed to penalize the entity, in accordance with the provisions of articles 63 and 64
of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (LPACAP), for the following reasons:


    - Due to the infringement of article 6.1 of the GDPR, due to the non-existence of a mechanism
       form that allows users to give their consent to the processing of their data
       personal expenses for each and every one of the purposes for which they
       personal data, when applicable, with a penalty of 30,000 euros.

       rivers (thirty thousand euros).

    - For the infringement of article 37 of the GDPR, for the failure to appoint a
       Data Protection Officer, with a penalty of 20,000 euros (twenty thousand
       euro).


    - Due to the infringement of article 13 of the GDPR, due to the lack of information provided
       contained in the "Privacy Policy" on the processing of personal data
       obtained, with a penalty of 5,000 (five thousand euros).

Along with this and in accordance with article 58.2 of the GDPR, it was proposed as

corrective measures to be imposed on the defendant:

    - To implement, within a month, the necessary corrective measures to
       adapt their actions to the regulations for the protection of personal data, named
       establishing a Data Protection Officer, as stipulated in article 37 of the

       GDPR, as well as to inform this Agency within the same term about the measures
       measures taken.

    - To implement, within a month, the necessary corrective measures to
       adapt their actions to the personal data protection regulations, with the

       inclusion in the "Privacy Policy" of the necessary information on the e-
       creation of loyalty profiles and their legal basis, as well as the identification
       of the third parties to whom the personal data obtained are transferred, as well as
       to inform this Agency within the same period of the measures adopted.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/50









As certified by the Single Authorized Electronic Address Service (DEHÚ), the letter
of the file proposal made available to the claimed party, the day

11/19/22 through the electronic notification service "NOTIFIC@", stated in the
certified as automatic rejection date, 11/30/22.

There is no record, in this agency, of any written response to the proposal of
resolution by the claimed entity.


                                PROVEN FACTS.

Of the actions carried out in this procedure and of the information and
documentation presented by the parties, the following have been accredited
facts:


First: On the legality of the processing of personal data obtained on the web
www.kfc.es:

On the website www.kfc.es you can enter personal data of users, to
through several procedures:


       a) for the creation of a user account;
       b) to register as a job seeker in the chain;
       c) to place an online order for its products and
       d) to receive promotional offers.


Before you can submit the form for any of these procedures with the
personal data, it is necessary to have previously provided consent
for data processing, with the possibility of accessing the "Policy of
Privacy” of the web, through the link: “The conditions of Use” “Policy of

Privacy (Generic)”  “Privacy notice”, (Exclusive for EEA and United Kingdom).

There is also, in the four indicated forms, the possibility of registering
voluntarily to periodically receive promotional offers from the brand.

The "Data Privacy Policy" of the web page in question is divided into three

documents:

       a) Terms of use of the website;
       b) A generic privacy policy for all countries and
       c) A specific privacy policy for the countries of the Economic Area

       European (EEA), United Kingdom and Switzerland.

In the first document, "Terms of use" (https://www.kfc.es/nota-legal), you can
read, regarding the policy of protection of personal data obtained, the following:


       "(...) Data protection: We will collect, store and process your
       personal information in accordance with our Privacy Policy. Please,
       Please read our Privacy Policy to ensure you are satisfied and
       understand its content before creating an account (…)”.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/50









If you access the "Privacy Policy" of the website www.kfc.es, in the link,
https://www.kfc.es/privacidad,  “generic policy for all countries”, you can

read, as an introduction:

       “KFC® (“KFC”, “we”, “our” or “us”) is committed to protecting your
       privacy. This KFC Privacy Policy (this “Policy”) applies to
       our websites, online experiences and mobile applications to
       mobile devices running Apple iOS, Windows, or Android that are linked to the

       Policy (collectively, our “Sites”), and describes how we collect,
       we use and disclose your personal information when you visit our Sites or
       our restaurants and in-store kiosks, or otherwise interact with
       us (collectively, our “Service”).


       By accessing or using our Service, you indicate that you have read, understood and
       You agree to our collection, storage, use and disclosure of your
       personal information as described in this Policy and in our
       Terms of use, available on our site.

       For more information about the privacy practices of other

       companies of Yum Brands, Inc. (“Yum Brands”) (the “Marks”), please visit: Policy
       YUM Brands privacy policy. PIZZA HUT® Privacy Policy. Policy
       TACO BELL® Privacy Policy. THE HABIT® Privacy Policy

Regarding the purposes to which the personal data obtained will be dedicated, among

others, the following is indicated:

       “(…) 2. HOW WE USE PERSONAL INFORMATION:

       (…) We may also use your information to personalize your experience

       with us and promote our rewards or loyalty programs.
       We also use this information to provide you with the Service in all
       our operations, including supporting your in-store experience when
       interacts with our franchisee-owned locations (…).

       4. HOW WE SHARE YOUR INFORMATION


       We may share, sell or disclose your information in cases where
       describe below. For more information about your options in
       regarding your information, see “Your Choices and Control Over Your
       information".


       Other Brands: We may share personal information with our company
       parent Yum Brands and other Yum Brands companies and our affiliates, which
       may use your information in ways similar to those described in this
       Policy. (…)


       Promotional Partners: We may share limited information with third parties
       with whom we partner to provide contests and sweepstakes, or other
       joint promotional activities. Typically, these partners

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/50








       will be clearly identified in the contest rules or in the contest materials.
       promotion.

       Selected Marketing and Strategic Business Partners: We can
       share limited data with our strategic business partners and

       preferred marketing partners so they can provide you with information and messages
       marketing about products or services that may be of interest to you. This parts
       may use your information in accordance with their own privacy policies
       privacy.

       Online Advertising Partners: We may share information with online advertising partners.

       third-party online advertising or allowing these partners to collect information
       from you directly on our Sites to facilitate online advertising.
       For more information, see our Cookie Policy and
       advertisements, available on our Site. (…)


       Other cases in which we may share your personal information:

       Service Providers and Consultants: Personal information may
       shared with third-party vendors and other service providers who
       provide services to us or on our behalf. This may include vendors and
       distributors who engage in marketing or advertising activities or who

       provide postal or electronic mail services, fiscal services and
       Accounting, Product Fulfillment, Delivery Services, Processing
       payments, data improvement services, fraud prevention, web hosting or
       analytical services.

       In connection with any of the above, we may share

       information with other parties in an aggregated or anonymized form that does not
       reasonably identify”.

       If you access the complementary Privacy Policy for countries, EEA and
       United Kingdom of the web www.kcf.es, in the link,
       https://www.kfc.es/multimarcas, you can read about the purposes for which

       the personal data obtained and the legal basis for that
       treatment, the following:

       “This EEA and UK Privacy Notice supplements the
       information contained in our Privacy Policy and applies only
       to natural persons residing in the European Economic Area ("you" and to

       the Sites and Services available in the EEA, as well as in the United Kingdom that
       link to this Privacy Notice).

       Unless expressly stated otherwise, all terms have the
       same meaning as that defined in our Privacy Policy or that

       is otherwise defined in the General Data Protection Regulation of the
       EU 2016/679 of the European Parliament and of the Council (“GDPR”).

       Annex 1 sets out in detail the categories of information
       information we collect about you and how we use that information

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/50








       when you use the Service, as well as the legal basis on which you
       we use to process personal information and the recipients of such
       information.


       In addition, the table in Annex 2 sets out in detail the categories of
       personal information we collect about you automatically and how
       we use such information. The table also lists the legal basis in the
       on which we rely to process personal information and the recipients of
       such personal information.


       APPENDIX 1

       a).- Profile information such as your name, telephone number, date of
       birth and profile picture.


       a.1. We may use this information to set up and authenticate your account.
       in the Service: Processing is necessary to perform a contract with you and
       to take steps before entering into a contract with you.

       a.2. We may use this information to contact you, including

       the sending of communications related to the service: The treatment is
       necessary to perform a contract with you.

       a.3. We may use this information to send you marketing communications.
       marketing in accordance with your preferences: We will only use your

       personal information in this way to the extent that you have given us
       your consent to do so.

       a.4. We may use this information to deal with inquiries and complaints
       made by or about you in connection with the Service: The treatment

       it is necessary for our legitimate interests, in particular to administer the
       Service and communicate with you effectively to respond to your
       inquiries or complaints.

       b).- Information on payments and transactions, including information on
       payments (such as credit or debit card details or account details

       banking), and the time, date and value of the transactions.

       b.1.- We use this information to facilitate transactions and
       provide you with the Service: Processing is necessary to fulfill a contract
       with you.


       b.2.- We use this information for customer service: The treatment is
       necessary to perform a contract with you.

       b.3.- We use this information to detect and prevent fraud: The

       Processing is necessary for our legitimate interests, in particular the
       detection and prevention of fraud.

       c).- Location data

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/50









       c.1. We use GPS technology to determine your current location in order to
       to provide you with relevant content and show where you have made that

       content: Processing is necessary for our legitimate interests, in
       specifically to administer the Service. We will only use your personal information
       in this way to the extent that you have given us your consent
       to do it.

       d).- Comments, chat and opinions


       d.1. When you contact us directly (eg by email
       email, phone, postal mail or through an online form or chat
       online), we can record your comments and opinions: The treatment is
       necessary for our legitimate interests, in particular to respond to your

       question or comment, to evaluate and improve our products and services and
       to inform about our marketing and advertising.

       e).- Information received from third parties, such as social networks. If you interact with the
       Service through a social network we can receive information from the network
       such as your name, profile information, and any other information that

       you allow the social network to share with third parties. The data we receive
       they depend on your privacy settings on the social network.

       e.1.- We can use this information to authenticate you and allow you to access
       to the Service: Processing is necessary to fulfill a contract with you.


       e.2.- We can use this information to adapt how it is shown to you (such as
       the language in which it is presented to you): The processing is necessary for our
       legitimate interests, in particular to adapt the Service to make it more
       relevant to our users.


       f).- Usage information, such as the time during which you use our
       products, your results when you use our products, any
       problem experienced when you use our products and any other
       Product-generated information about how you use our products.


       f.1.- We can use this information to analyze how the Service works,
       fix problems with the Service, improve the Service and develop new
       products and services: Processing is necessary for our interests
       legitimate, in particular to improve our products and services, treat
       any errors in our products and services and develop new

       products and services.

       f.2.- We can use this information to develop new products and
       features available through the Service or to improve it in any way
       way the Service: Processing is necessary for our interests

       legitimate, in particular to develop and improve the Service.

       g).- All the personal information indicated above.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/50








       g.1.- We can use all the personal information we collect to
       operate, maintain and provide you with the features and functionality of the
       Service, communicate with you, monitor and improve the Service and the

       business, and develop new products and services: Treatment is
       necessary for our legitimate interests, in particular to administer and
       improve the Service.

       APPENDIX 2


       a).- Information on how you access the Service and use it. For example, the
       frequency with which you access the Service, the time at which you access the Service and
       how long you use it for, the approximate location from which you access it
       to the Service, if you access the Service from various devices and other actions
       yours on the Service.


       a.1.- We can use information about how you use and connect to the Service
       to present the Service to you on your device: Processing is necessary to
       our legitimate interests, in particular to tailor the Service to the user.

       a.2.- We can use this information to determine products and Services

       that may be of interest for marketing purposes: The treatment is
       necessary for our legitimate interests, in particular to report on
       our direct marketing

       a.3.- We can use this information to monitor and improve the Service and

       the business, solve problems and inform the development of new products
       and services: Processing is necessary for our legitimate interests, in
       specifically to monitor and fix problems with the Service and to improve the
       Service in general.


       b).- Log files and information about your device. Also
       we collect information about the tablet, smartphone or other device
       email you use to connect to the Service. This information can
       include details about the type of device, unique identification numbers
       of the device, operating systems, browsers and applications connected to the
       Service through the device, its mobile network, IP address and number of

       your device's phone number (if you have one).

       b.1.- We can use information about how you use and connect to the Service
       to present the Service to you on your device: Processing is necessary to
       our legitimate interests, in particular to tailor the Service to the user.


       b.2.- We can use this information to determine products and Services
       that may be of interest for marketing purposes: The treatment is
       necessary for our legitimate interests, in particular to report on
       our direct marketing


       b.3.- We can use this information to monitor and improve the Service and
       the business, prevent and detect fraud, solve problems and report the
       development of new products and services: Processing is necessary to

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/50








       our legitimate interests, in particular to monitor and resolve
       problems with the Service and to improve the Service in general.


Second: Regarding the "Privacy Policy" on the website www.kfc.es:

On the web page in question, the information offered to its users,
regarding the processing of your personal data, is offered through the
following documents posted on the web: a) document: "Terms of Use" or "Note
Legal”, https://www.kfc.es/nota-legal; ; b) document: "Privacy Policy",

https://www.kfc.es/privacidad, and c) document: "Privacy Notice",
https://www.kfc.es/multimarcas.

All of them, accessible from the different forms (indicated in the section
above) and through the existing links at the bottom of the main page.


The information offered in the different documents indicated above is
The next:

A).- In the document "Terms of Use" or "Legal Notice" (https://www.kfc.es/nota-legal)
We can find the following information, regarding the treatment of data

personal obtained:

       REGISTRATION: "(...) Data protection: We will collect, store and
       We will treat your personal information in accordance with our Privacy Policy.
       Privacy. Please read our Privacy Policy to make sure

       that you are satisfied and understand its content before creating an account.

B).- In the document "Privacy Policy" (https://www.kfc.es/privacidad)
We can find the following information, regarding the treatment of data
information obtained: 1. what type of information they collect 2. how they use the information

personal information they collect 3. what information they collect automatically 4.
how they share the information collected. 5. About the options and control of the
information collected.6. how they store and protect information 7.
jurisdictional disclosures 8. children's privacy 9. links to other websites and
services 10. how to contact the data controller.


C).- In the document "Privacy Notice" (https://www.kfc.es/multimarcas),
We can find, among others, the following information, regarding the treatment
of the personal data obtained:

       Regarding the person responsible for the treatment, it is indicated: KFC Restaurants Spain, S.L.

       with NIF B86281599 and address at Calle Serrano Galvache (Pq. Empresarial
       Pq. Norte), 56 - Edif. Olmo Fifth Floor, Madrid, Madrid. Email:
       clientes@kfc.es. Telephone: 91 904 18 81

On the legal basis for the treatment in the EEA and the United Kingdom it is indicated:


       The table in Annex 1 sets forth the categories of personal information that
       collect, as well as the legal basis and recipients of such information
       staff.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 32/50









       The table in Annex 2 sets forth the categories of personal information that
       collected automatically. The table also lists the legal basis in the

       that are based to treat personal information and the recipients of said
       personal information.

It informs about the storage and transfer of data.

Information is provided on the individual rights of residents in the EEA: Right to

object. Right of access. Right of rectification. Right of erasure. Also
You have the right to file a claim with your data protection authority.

On the conservation of personal data it is reported: In the case of people
who reside in the EEA we retain personal data for the maximum time

necessary to fulfill the purposes for which we collected the data, such as the
delivery of your order, maintenance of our service, compliance with
our legal obligations and dispute resolution. We will keep your data
personal in accordance with the prescription periods, legal and applicable, of
accordance with the tax and accounting regulations of each EEA country. At the completion of
said terms, or prior to your request, the data will be deleted or

anonymized so that they can already identify you, unless we are legally
authorized or obliged to keep personal data for a longer time.

                           FUNDAMENTALS OF LAW


                                           YO-
                                     Competence.

In accordance with the powers that article 58.2 of the RGPD grants to each authority of
control and according to what is established in articles 47 and 48.1 of the LOPDGDD, it is

competent to resolve this procedure, the Director of the Spanish Agency for
Data Protection.

Likewise, article 63.2 of the LOPDGDD determines that: "Procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions

regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures”.

                                          II.-
    a).- On the legality of the processing of personal data obtained on the web

                                      www.kfc.es:

It has been verified that data can be entered on the website www.kfc.es
personal data of its users, through various procedures: a) for the
creation of a user account; b) to register as a job seeker

In the chain; c) to place an online order for your products and d) to receive
offer promotional



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 33/50








Before you can submit the form for any of these procedures with the
personal data it is necessary to have previously provided consent
for data processing, with the possibility of accessing the "Policy of
Privacy” of the web, through the link: “The conditions of Use” “Policy of
Privacy (Generic)”  “Privacy notice”, (Exclusive for EEA and United Kingdom).


There is also, in the four indicated forms, the possibility of registering
voluntarily to periodically receive promotional offers from the brand.

As indicated by the entity, the "Data Privacy Policy" is divided
in three documents: a) Terms of use of the website; b) A privacy policy

generic for all countries and c) A specific privacy policy for
countries of the European Economic Area (EEA), United Kingdom and Switzerland.

In the first document, "Terms of use" (https://www.kfc.es/nota-legal), you can
read, regarding the policy of protection of personal data obtained, the following:


       "(...) Data protection: We will collect, store and process your
       personal information in accordance with our Privacy Policy. Please,
       Please read our Privacy Policy to ensure you are satisfied and
       understand its content before creating an account (…)”.


If you access the "Privacy Policy" of the website www.kfc.es,
(https://www.kfc.es/privacidad), generic policy for all countries, can be read,
as an introduction:

       “KFC® (“KFC”, “we”, “our” or “us”) is committed to protecting your
       privacy. This KFC Privacy Policy (this “Policy”) applies to

       our websites, online experiences and mobile applications to
       mobile devices running Apple iOS, Windows, or Android that are linked to the
       Policy (collectively, our “Sites”), and describes how we collect,
       we use and disclose your personal information when you visit our Sites or
       our restaurants and in-store kiosks, or otherwise interact with
       us (collectively, our “Service”).


       By accessing or using our Service, you indicate that you have read, understood and
       You agree to our collection, storage, use and disclosure of your
       personal information as described in this Policy and in our
       Terms of use, available on our site.


       For more information about the privacy practices of other
       companies of Yum Brands, Inc. (“Yum! Brands”) (the “Brands”), please visit: Policy
       YUM Brands privacy policy. PIZZA HUT® Privacy Policy. Policy
       TACO BELL® Privacy Policy. THE HABIT® Privacy Policy


       Well, regarding the purposes to which they will dedicate the personal data
       obtained, among others, the following is indicated: "(...)

       2. HOW WE USE PERSONAL INFORMATION:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 34/50








       (…) We may also use your information to personalize your experience
       with us and promote our rewards or loyalty programs.
       We also use this information to provide you with the Service in all

       our operations, including supporting your in-store experience when
       interacts with our franchisee-owned locations (…).

       4. HOW WE SHARE YOUR INFORMATION

       We may share, sell or disclose your information in cases where

       describe below. For more information about your options in
       regarding your information, see “Your Choices and Control Over Your
       information".

       Other Brands: We may share personal information with our company

       parent Yum Brands and other Yum Brands companies and our affiliates, which
       may use your information in ways similar to those described in this
       Policy. (…)

       Promotional Partners: We may share limited information with third parties
       with whom we partner to provide contests and sweepstakes, or other

       joint promotional activities. Typically, these partners
       will be clearly identified in the contest rules or in the contest materials.
       promotion.

       Selected Marketing and Strategic Business Partners: We can

       share limited data with our strategic business partners and
       preferred marketing partners so they can provide you with information and messages
       marketing about products or services that may be of interest to you. This parts
       may use your information in accordance with their own privacy policies
       privacy.


       Online Advertising Partners: We may share information with online advertising partners.
       third-party online advertising or allowing these partners to collect information
       from you directly on our Sites to facilitate online advertising.
       For more information, see our Cookie Policy and
       advertisements, available on our Site. (…)


       Other cases in which we may share your personal information:

       Service Providers and Consultants: Personal information may
       shared with third-party vendors and other service providers who

       provide services to us or on our behalf. This may include vendors and
       distributors who engage in marketing or advertising activities or who
       provide postal or electronic mail services, fiscal services and
       Accounting, Product Fulfillment, Delivery Services, Processing
       payments, data improvement services, fraud prevention, web hosting or

       analytical services.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 35/50








       In connection with any of the above, we may share
       information with other parties in an aggregated or anonymized form that does not
       reasonably identify.


       If you access the complementary Privacy Policy for countries, EEA and
       United Kingdom of the web www.kcf.es, ( https://www.kfc.es/multimarcas ),
       You can read about the purposes for which the personal data will be used
       obtained and the legal basis for that treatment, the following:


       “This EEA and UK Privacy Notice supplements the
       information contained in our Privacy Policy and applies only
       to natural persons residing in the European Economic Area ("you" and to
       the Sites and Services available in the EEA, as well as in the United Kingdom that
       link to this Privacy Notice).


       Unless expressly stated otherwise, all terms have the
       same meaning as that defined in our Privacy Policy or that
       is otherwise defined in the General Data Protection Regulation of the
       EU 2016/679 of the European Parliament and of the Council (“GDPR”).


       The table in Annex 1 sets out in detail the categories of
       personal information we collect about you and how we use that information
       information when you use the Service, as well as the legal basis on which
       we rely on to process personal information and the recipients of such
       information.


       In addition, the table in Annex 2 sets out in detail the categories of
       personal information we collect about you automatically and how
       we use such information. The table also lists the legal basis in the
       on which we rely to process personal information and the recipients of

       such personal information.

       APPENDIX 1

       a).- Profile information such as your name, telephone number, date of
       birth and profile picture.


       a.1. We may use this information to set up and authenticate your account.
       in the Service: Processing is necessary to perform a contract with you and
       to take steps before entering into a contract with you.


       a.2. We may use this information to contact you, including
       the sending of communications related to the service: The treatment is
       necessary to perform a contract with you.

       a.3. We may use this information to send you marketing communications.

       marketing in accordance with your preferences: We will only use your
       personal information in this way to the extent that you have given us
       your consent to do so.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 36/50








       a.4. We may use this information to deal with inquiries and complaints
       made by or about you in connection with the Service: The treatment
       it is necessary for our legitimate interests, in particular to administer the

       Service and communicate with you effectively to respond to your
       inquiries or complaints.

       b).- Information on payments and transactions, including information on
       payments (such as credit or debit card details or account details
       banking), and the time, date and value of the transactions.


       b.1.- We use this information to facilitate transactions and
       provide you with the Service: Processing is necessary to fulfill a contract
       with you.


       b.2.- We use this information for customer service: The treatment is
       necessary to perform a contract with you.

       b.3.- We use this information to detect and prevent fraud: The
       Processing is necessary for our legitimate interests, in particular the
       detection and prevention of fraud.


       c).- Location data

       c.1. We use GPS technology to determine your current location in order to
       to provide you with relevant content and show where you have made that

       content: Processing is necessary for our legitimate interests, in
       specifically to administer the Service. We will only use your personal information
       in this way to the extent that you have given us your consent
       to do it.


       d).- Comments, chat and opinions

       d.1. When you contact us directly (eg by email
       email, phone, postal mail or through an online form or chat
       online), we can record your comments and opinions: The treatment is
       necessary for our legitimate interests, in particular to respond to your

       question or comment, to evaluate and improve our products and services and
       to inform about our marketing and advertising.

       e).- Information received from third parties, such as social networks. If you interact with the
       Service through a social network we can receive information from the network

       such as your name, profile information, and any other information that
       you allow the social network to share with third parties. The data we receive
       they depend on your privacy settings on the social network.

       e.1.- We can use this information to authenticate you and allow you to access

       to the Service: Processing is necessary to fulfill a contract with you.

       e.2.- We can use this information to adapt how it is shown to you (such as
       the language in which it is presented to you): The processing is necessary for our

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 37/50








       legitimate interests, in particular to adapt the Service to make it more
       relevant to our users.


       f).- Usage information, such as the time during which you use our
       products, your results when you use our products, any
       problem experienced when you use our products and any other
       Product-generated information about how you use our products.

       f.1.- We can use this information to analyze how the Service works,

       fix problems with the Service, improve the Service and develop new
       products and services: Processing is necessary for our interests
       legitimate, in particular to improve our products and services, treat
       any errors in our products and services and develop new
       products and services.


       f.2.- We can use this information to develop new products and
       features available through the Service or to improve it in any way
       way the Service: Processing is necessary for our interests
       legitimate, in particular to develop and improve the Service.


       g).- All the personal information indicated above.

       g.1.- We can use all the personal information we collect to
       operate, maintain and provide you with the features and functionality of the
       Service, communicate with you, monitor and improve the Service and the

       business, and develop new products and services: Treatment is
       necessary for our legitimate interests, in particular to administer and
       improve the Service.

       APPENDIX 2


       a).- Information on how you access the Service and use it. For example, the
       frequency with which you access the Service, the time at which you access the Service and
       how long you use it for, the approximate location from which you access it
       to the Service, if you access the Service from various devices and other actions
       yours on the Service.


       a.1.- We can use information about how you use and connect to the Service
       to present the Service to you on your device: Processing is necessary to
       our legitimate interests, in particular to tailor the Service to the user.


       a.2.- We can use this information to determine products and Services
       that may be of interest for marketing purposes: The treatment is
       necessary for our legitimate interests, in particular to report on
       our direct marketing


       a.3.- We can use this information to monitor and improve the Service and
       the business, solve problems and inform the development of new products
       and services: Processing is necessary for our legitimate interests, in


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 38/50








       specifically to monitor and fix problems with the Service and to improve the
       Service in general.


       b).- Log files and information about your device. Also
       we collect information about the tablet, smartphone or other device
       email you use to connect to the Service. This information can
       include details about the type of device, unique identification numbers
       of the device, operating systems, browsers and applications connected to the
       Service through the device, its mobile network, IP address and number of

       your device's phone number (if you have one).

       b.1.- We can use information about how you use and connect to the Service
       to present the Service to you on your device: Processing is necessary to
       our legitimate interests, in particular to tailor the Service to the user.


       b.2.- We can use this information to determine products and Services
       that may be of interest for marketing purposes: The treatment is
       necessary for our legitimate interests, in particular to report on
       our direct marketing


       b.3.- We can use this information to monitor and improve the Service and
       the business, prevent and detect fraud, solve problems and report the
       development of new products and services: Processing is necessary to
       our legitimate interests, in particular to monitor and resolve
       problems with the Service and improve the Service in general


In the present case, given that in the "Privacy Policy" of the website www.k-
fc.es describes some purposes for the processing of personal data and mentions
the basis of legitimacy of each one of them, the treatment of the data for these fi-
purposes would not be further treatment.


On the other hand, it must be taken into account that the defendant entity, in its allegations
states the following: "The purposes indicated in the privacy policy on which
that the sanction is proposed describe potential situations and do not imply that they are
effectively carried out, or are carried out in a completely lawful manner
how it will be exhibited; and most importantly, such subsequent treatments by which

proposes a sanction are not included in the Record of Treatment Activities
already contributed to the AEPD…”

Therefore, in the present case, according to the evidence set forth in this
moment, it is considered that the description of the purposes of data processing

personal data together with the basis of legitimacy of each one of them, does not correspond
with a subsequent treatment so that it does not contradict what is stipulated in the article
6.1 of the GDPR, without implying an assessment of the adequacy of the legitimate basis.
tion that includes the privacy policy for each of the different treatments to the
not constitute the object of this procedure.


                                           III.-
               a.- Regarding the "Privacy Policy" on the website www.kfc.es:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 39/50








As it has been possible to verify, on the web page in question, the information that is
offers to the users of the same, with respect to the treatment of their data
personal, is offered through the following documents posted on the web: a)

document: “Terms of Use” or “Legal Notice”, https://www.kfc.es/nota-legal; ; b)
document: "Privacy Policy", https://www.kfc.es/privacidad, and c) document:
"Privacy Notice", https://www.kfc.es/multimarcas. All of them, accessible from
the different forms (indicated in the previous section) and through the links
existing at the bottom of the main page.


The information offered in the different documents indicated above is
The next:

A).- In the document "Terms of Use" or "Legal Notice" (https://www.kfc.es/nota-legal)
We can find the following information, regarding the treatment of data

personal obtained:

       REGISTRATION: "(...) Data protection: We will collect, store and
       We will treat your personal information in accordance with our Privacy Policy.
       Privacy. Please read our Privacy Policy to make sure
       that you are satisfied and understand its content before creating an account.


B).- In the document "Privacy Policy" (https://www.kfc.es/privacidad)
We can find the following information, regarding the treatment of data
information obtained: 1. what type of information they collect 2. how they use the information
personal information they collect 3. what information they collect automatically 4.

how they share the information collected. 5. About the options and control of the
information collected.6. how they store and protect information 7.
jurisdictional disclosures 8. children's privacy 9. links to other websites and
services 10. how to contact the data controller.


C).- In the document "Privacy Notice" (https://www.kfc.es/multimarcas),
We can find, among others, the following information, regarding the treatment
of the personal data obtained:

Regarding the person responsible for the treatment, it is indicated:


       KFC Restaurants Spain, S.L. with NIF B86281599 and address at Calle Serrano
       Galvache (Business Pq. North Pq.), 56 - Edif. Olmo Fifth Floor, Madrid,
       Madrid. Email: clientes@kfc.es. Telephone: 91 904 18 81

On the legal basis for the treatment in the EEA and the United Kingdom it is indicated:


       The table in Annex 1 sets forth the categories of personal information that
       collect, as well as the legal basis and recipients of such information
       staff. The table in Annex 2 shows the categories of information
       staff that collect automatically. The table also lists the base

       legal basis on which they rely to process personal information and
       recipients of such personal information.

It informs about the storage and transfer of data.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 40/50









Information is provided on the individual rights of residents in the EEA: Right to
object. Right of access. Right of rectification. Right of erasure. Also

You have the right to file a claim with your data protection authority.

On the conservation of personal data it is reported: In the case of people
who reside in the EEA we retain personal data for the maximum time
necessary to fulfill the purposes for which we collected the data, such as the
delivery of your order, maintenance of our service, compliance with

our legal obligations and dispute resolution. We will keep your data
personal in accordance with the prescription periods, legal and applicable, of
accordance with the tax and accounting regulations of each EEA country. At the completion of
said terms, or prior to your request, the data will be deleted or
anonymized so that they can already identify you, unless we are legally

authorized or obliged to keep personal data for a longer time.

In the present case, we must also take into account that, in the policy of
privacy of the website www.kfc.es does not offer precise information on the
purposes of data processing, when using indefinite expressions such as "we can
use...", without the claimant having proven the reason for which it was made.

necessary to use them, as required by the Guidelines on the
transparency under Regulation (EU) 2016/679 of GT29, last revised
time and adopted on April 11, 2018, and where the following is established:

       “13. The use of qualifiers such as "may", "could",

       “some”, “often” and “possible”. When those responsible for
       treatment choose to use undefined language, they must be able to demonstrate,
       according to the principle of proactive responsibility, why it could not be avoided
       use this language and why it does not undermine treatment loyalty. (…)”


                                          III.-
                     b).- Classification and classification of the offense

Regarding the information that the data controller must provide to the
interested when they are obtained from it,


Recital 60) of the GDPR indicates:

       "The principles of fair and transparent treatment require that the
       concerned of the existence of the processing operation and its purposes. He
       responsible for the treatment must provide the interested party with all the information

       supplementary information is necessary to guarantee fair treatment and
       transparent, taking into account the specific circumstances and context in
       personal data is processed. The interested party must also be informed of
       the existence of profiling and the consequences of such profiling
       elaboration. If the personal data is obtained from the data subjects, also

       they must be informed of whether they are obliged to provide them and of the consequences
       in case they didn't. Such information may be transmitted in
       combination with some standardized icons that offer, easily
       visible, intelligible and clearly legible, an adequate overview of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 41/50








       planned treatment. Icons presented in electronic format
       They must be machine readable.


Recital 61) of the GDPR indicates the following:

       "Stakeholders must be provided with information on the treatment of their
       personal data at the time it is obtained from them or, if obtained
       from another source, within a reasonable time, depending on the circumstances of the
       case. If the personal data can be legitimately communicated to another

       addressee, the interested party must be informed at the time the
       communicated to the recipient for the first time. The data controller who
       plans to process the data for a purpose other than that for which they were collected
       must provide the data subject, prior to such further processing,
       information about that other purpose and other necessary information. when the origin

       of personal data cannot be provided to the interested party because it has been used
       various sources, general information should be provided.

For its part, article 13 of the GDPR details the information that must be provided to the
interested when his personal data is obtained directly from him,
establishing the following:


       "1. When personal data relating to him or her is obtained from an interested party, the
       responsible for the treatment, at the time they are obtained,
       will provide: a) the identity and contact details of the person in charge and, where appropriate,
       of his representative; b) the contact details of the data protection officer

       data, if applicable; c) the purposes of the processing for which the data is intended
       personal data and the legal basis of the treatment; d) when the treatment is based
       in article 6, paragraph 1, letter f), the legitimate interests of the controller or
       a third; e) the recipients or categories of recipients of the data
       personal, if applicable; f) where appropriate, the intention of the person responsible for transferring

       personal data to a third country or international organization and the existence or
       absence of an adequacy decision from the Commission, or, in the case of
       transfers indicated in Articles 46 or 47 or Article 49(1),
       second paragraph, reference to the adequate or appropriate guarantees and the
       means to obtain a copy of these or the fact that they have been provided.


       2. In addition to the information mentioned in section 1, the person responsible for the
       processing will provide the interested party, at the time the data is obtained
       personal data, the following information necessary to guarantee a
       fair and transparent data processing:


       a) the period during which the personal data will be kept or, when not
       where possible, the criteria used to determine this term; b) the existence
       of the right to request access to the data from the data controller
       personal information relating to the interested party, and its rectification or deletion, or the limitation
       of their treatment, or to oppose the treatment, as well as the right to

       data portability; c) when the treatment is based on article 6,
       paragraph 1(a) or Article 9(2)(a), the existence of the
       right to withdraw consent at any time, without affecting
       the legality of the treatment based on the consent prior to its withdrawal; of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 42/50








       right to file a claim with a control authority; e) if the
       communication of personal data is a legal or contractual requirement, or a
       necessary requirement to sign a contract, and if the interested party is obliged to
       provide personal data and is informed of the possible consequences
       not to provide such data; f) the existence of automated decisions,

       including profiling, referred to in article 22, paragraphs 1 and
       4, and, at least in such cases, meaningful information about the applied logic,
       as well as the importance and expected consequences of said treatment
       for the interested party”.

Well, according to section c) of article 13.1 GDPR, users must be informed

users of the purposes of the treatment to which their personal data will be used and the
applicable legal basis for this (art. 6 GDPR), avoiding practices such as including
purposes that are too generic or unspecific, which may lead to treatments
that exceed the reasonable expectations of the interested party.


If we access the "Privacy Policy" of the website, www.kfc.es
(https://www.kfc.es/privacidad) we can read, regarding the purposes for which
The personal data obtained will be used, among others, for the following:

       “(…) personalize your experience with us and promote our programs
       of rewards or loyalty (…)”,


       “(…) share, sell or disclose your information with: Other Brands: We can
       share personal information with our parent company: Yum Brands and
       other Yum Brands companies and our affiliates, who may use your
       information in a manner similar to that described in this Policy.


Or, for example, when the entity states that it may share personal data
obtained with its external suppliers. Stated this, in a generic way and
abstract, without identifying the providers or the legal basis on which it is based:

       “(…) to share with external providers (…).


Based on the legal grounds set forth above, the facts indicated
in the previous section are constitutive of an infringement of article 13 GDPR.

                                           III.-
                                  c.- Penalty imposed


This infraction can be sanctioned with a fine of a maximum of €20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for the
of greater amount, in accordance with article 83.5.b) of the GDPR.


In this sense, article 74.a) of the LOPDGDD, considers light, for the purposes of
prescription, "Breach of the principle of transparency of information or the
right to information of the affected party for not providing all the information required by the
articles 13 and 14 of Regulation (EU) 2016/679”.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 43/50








The balance of the circumstances contemplated, with respect to the infraction committed,
by violating the provisions of article 13 of the GDPR, it allows an initial sanction to be set
of 5,000 euros (five thousand euros).

                                           III.-
                                       d.- Measurements

In accordance with article 58.2 of the GDPR, the corrective measure to be imposed on the owner
of the web page consists of taking the necessary measures to adapt the page
website of its ownership (www.kfc.es) to current regulations, adapting it to what is stipulated

in article 13 of the GDPR.

It is noted that not meeting the requirements of this body may be
considered as an administrative offense in accordance with the provisions of the GDPR,
classified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the

opening of a subsequent administrative sanctioning procedure.

                                           IV.-
             a.- On the non-existence of a Data Protection Officer.

When this Agency requested information from the KFC entity about the analyzes

carried out to assess the need to appoint or not, a DPO, the entity answered the
following:

       "(...) In this regard, from KFC it has been understood that there is no obligation
       of appointment of the DPO, because the activities of the treatment

       carried out are not limited to those of article 37 GDPR nor is the entity located
       among those required in article 34 LOPDGDD.

       In the same way, compliance management in terms of data protection
       It has been exercised by internal personnel specialized in data protection,

       in particular, from the UK, through B.B.B., Global Privacy Lead CounselHead
       and the consultancy of external experts in each of the countries from which
       it is operated.

       However, and as previously indicated to this Agency, internally
       the need for its designation will be periodically evaluated,

       depending on possible operational changes as well as the start of new
       branches of business that may involve the incorporation of new activities
       of the treatment, in order to offer greater guarantees of compliance
       to our clients and users regarding the activities and procedures in
       the processing of personal data, in particular, if the activities of the

       processing that included profiling (...)”.

                                           IV.-
                      b).- Classification and classification of the offense


Regarding the need or not to appoint a Data Protection Officer, the
article 37 GDPR, determines the following:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 44/50








       "1. The person in charge and the person in charge of the treatment will designate a delegate of
       data protection provided that: a) the treatment is carried out by a
       public authority or body, except courts acting in exercise

       of its judicial function; b) the main activities of the controller or the
       processor consist of processing operations which, due to their
       nature, scope and/or purposes, require regular and systematic observation
       of large-scale stakeholders, c) the main activities of the controller or
       of the processor consist of the large-scale treatment of categories
       of personal data pursuant to Article 9 and of data relating to

       convictions and criminal offenses referred to in article 10”.

In this case at hand, the case of application would be 37.1.b) of the GDPR,
where three elements must be examined: "main activity", the "observation
habitual and systematic” and “large scale”.


It is true that these are indeterminate legal concepts, but this has gone
profiling through the different opinions and opinions of the Working Group of the
Article 29:

Regarding what is a main activity, WP-243 (Guidelines for delegates of

data protection -DPD) establishes that:

       "Article 37, paragraph 1, letters b) and c) of the GDPR refers to the" activities
       principals of the person in charge or of the person in charge" and thus we have how, the
       recital 97 GDPR, specifies that the main activities of a

       responsible are related to "its primary activities and are not
       related to the processing of personal data as activities
       auxiliaries».

The “principal activities” can be considered the key operations required

to achieve the objectives of the controller or processor. Nevertheless,
the “main activities” should not be interpreted as exclusive when the
data processing is an inseparable part of the activity of the controller or
treatment manager.

For example, the main activity of a hospital is to provide health care. Without

However, a hospital would not be able to provide health care safely and effectively.
without treating data related to health, such as medical records of patients. By
Therefore, the processing of such data should be considered one of the activities
principals of any hospital and hospitals must accordingly designate a
dpd.


Another example would be that of a private security company that carries out the
surveillance of a series of private shopping centers and public spaces. The
Surveillance is the main activity, which in turn is inextricably linked to the
processing of personal data. Therefore, this company must also designate a

dpd.

On the other hand, all organizations carry out certain activities, for
For example, pay your employees or perform ordinary IT support activities.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 45/50








Such activities are examples of support functions required for the activity or
the main business of the organization. Although these activities are necessary or
essential, they are normally considered auxiliary functions and not the activity

major".

The second issue is habitual and systematic observance, which WP 243
determines that it is “not limited to the online environment and online monitoring must be
considered only an example of observing the behavior of data subjects.
The Article 29 Working Group interprets “usual” with one or more of the

following meanings: a). continuous or occurs at specific intervals during
a specific period; b). recurring or repeated at predetermined moments or that has
place constantly or periodically.

The Working Group interprets “systematic” as one or more of the following

meanings: a). that it is produced according to a system; b). preset,
organized or methodical; c). that takes place as part of an overall collection plan
of data; d). carried out as part of a strategy.

As an example, he cites data-driven marketing activities, carrying out
location tracking, for example, through mobile applications,

loyalty programs or behavioral advertising.

Thus, in the case examined, it complies with the criterion of habitual and in accordance with a plan
data collection to obtain customer data and increase your area of
business. You just have to take a look at their privacy policy, in which they show

that collect data of all kinds, including the IP address (a key point of
location), browsing history and user preferences, data derived
of cookies, among which there are some tracking cookies, geolocation data
or billing information, among others.


And they collect them on a regular basis, since they need them to provide their services and to
improve the performance of your business.

Among other things, they indicate in the privacy policy that the data is used for
statistics and services.


Thirdly, it will be necessary to determine if it is on a large scale, on what WP 243 establishes
certain criteria “recommends that the following factors be taken into account, in
In particular, when determining whether the treatment is carried out on a large scale: a). he
number of affected stakeholders, either as a specific number or as a proportion of the
corresponding population; b). the volume of data or the variety of data elements

data that is subject to treatment; c) the duration, or permanence, of the activity of
data treatment; d). the geographic scope of the processing activity.

And he indicates as some large-scale example "the treatment of geolocation data
in real time of customers of an international fast food chain for

statistics by a data controller specialized in providing
of these services; The treatment of customer data in the normal development of the
activity of an insurance company or a bank”.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 46/50








The CEPD does not determine in any case what a large scale is, but sticks to the
referenced criteria. This is stated in other documents: “The GDPR
does not precisely define what constitutes large-scale. In the WP29 guidelines on Data

Protection Officer (WP243) and on DPIA (WP248), both endorsed by Board, it has
recommended to take into account several specific factors when determining whether a
processing is carried out on a large scale. The Board is of the opinion that those
factors are sufficient to assess whether the processing of personal data is undertaken
on a large scale. Therefore, the Board requests the Supervisory Authority of the Czech
Republic to amend its list accordingly, by deleting the explicit figures in its list, and

making reference to the previously mentioned definitions of large scale”, Opinion
4/2018 on the draft list of the competent supervisory authority of Czech Republic
regarding the processing operations subject to the requirement of a data protection
impact assessment (Article 35.4 GDPR)”.


We must complete it with recital 91 of the GDPR that establishes, in terms of the
data protection impact assessments, which:

       "The foregoing must be applied, in particular, to processing operations to
       large scale that seek to process a considerable amount of data
       regional, national or supranational level and that could affect

       a large number of stakeholders and are likely to carry a high risk, e.g.
       example, due to its sensitivity, when, depending on the level of
       technical knowledge achieved, a new technology has been used to
       large-scale and other high-risk processing operations
       for the rights and freedoms of the interested parties, in particular when these

       operations makes it more difficult for the interested parties to exercise their rights.
       …”.

Large-scale processing means processing a considerable amount of data
personal information (all those mentioned in its privacy policy) in a certain area

territorial (in this case at the national level); affecting multiple stakeholders (it is about
an app widely implemented and with a large number of stakeholders); also if
They can involve high risk (one of the data they use is geolocation).

Examining the explicit parameters to the concrete assumption, obviously makes a
large-scale data processing.


The Confederation of European Data Protection Organizations (CEDPO) determines
also a series of common interpretative criteria (they are not binding or a
normative provision) and indicate, in what could serve us that:


       “Core activities” must be built in accordance with the description of the
       corporate purpose of the organization and the P&L revenues; “Large scale”
       should be understood according to a risk-based approach (rather than using
       criteria such as number of employees or the “volume” of personal data
       processed in a certain period of time alone); “Monitoring of behaviour” shall

       exclude the IT monitoring activities that any organization nowadays must carry
       out for the purposes of (i) (cyber) security; (ii) protecting the organization's
       systems and assets (including IP and confidential information as well as the
       personal data stored or otherwise processed by the organization); and (iii)

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 47/50








       complying with laws and regulatory guidance (e.g., data protection duties, anti-
       fraud and anti-money laundering related activities)”.


In view of the allegations made in the lawsuit regarding the criteria
quantitative data that can be used by other supervisory authorities to determine when
we face a large-scale treatment, we have to mean that the AEPD is
an independent supervisory authority which, in the performance of its duties,
determines in each specific case whether or not the treatment is on a large scale, taking into account
the concurrent circumstances.


In another order of things, we will indicate that the mandatory appointment of the DPO in the
case provided for in art. 37.1.b) of the GDPR is only linked to the
compliance with the budgets established therein and not to others reported by the
applicant what are the types of data or processing. The fact of

that the main activities of the controller or processor consist of
processing operations that, due to their nature, scope and/or purposes, require
a regular and systematic observation of stakeholders on a large scale already imposes the
need to appoint a DPD, due to the risks involved, especially if it is
develops through the internet or an app as in the case examined.


The figure of the DPD as a qualified adviser to the person in charge or in charge of the
treatment is an essential reinforcement in the cases provided for in the GDPR and in
the LOPDGDD to guarantee the Fundamental Right to citizens and avoid the
materialization of the risks that a certain activity may entail.


Let's just think about identity theft (art. 28.2 of the LOPDGDD).
The trifle of risk is therefore ruled out.

In any case, not having a DPD when it is mandatory is a risk for the protection of
Personal data.


In this sense, the LOPDGDD determines in its article 34.1 and 3, on the designation
of a data protection delegate, the following:

1. "Those responsible and in charge of the treatment must designate a delegate of
data protection in the cases provided for in article 37.1 of the Regulation

(EU) 2016/679

3. Those responsible and in charge of the treatment will communicate within ten
days to the Spanish Data Protection Agency or, where appropriate, to the authorities
data protection, the designations, appointments and cessations of

the data protection delegates both in the cases in which they are
bound to their designation as in the case in which it is voluntary.”

Based on the legal grounds set forth above, the facts indicated
in the previous section are constitutive of an infringement of article 37 of the GDPR.


                                          IV.-
                                      c.- Penalty


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 48/50








This infraction can be sanctioned with a fine of a maximum of €10,000,000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for the

of greater amount, in accordance with article 83.4.a) RGPD.

In this sense, article 73 LOPDGDD, considers serious, for prescription purposes,
"v) Failure to comply with the obligation to designate a data protection officer
when their appointment is required in accordance with article 37 of the Regulations
(UE) 2016/679 and article 34 of this organic law."


In accordance with the precepts indicated, for the purpose of setting the amount of the sanction to
imposed in the present case, it is considered appropriate to graduate the sanction to be imposed
in accordance with the following aggravating criteria established in article 83.2 of the
GDPR:


    - The intention of the infringement, by KFC, (section b), based on
       that it is an entity whose activity involves a continuous
       treatment of personal data of clients, it is considered of special
       It is important to remember at this point, the SAN of October 17, 2007 (rec.
       63/2006), where it is indicated that: “…the Supreme Court has understood that

       recklessness exists whenever a legal duty of care is neglected, that is
       that is, when the offender does not behave with the required diligence. And in the
       assessment of the degree of diligence, special consideration must be given to the
       professionalism or not of the subject, and there is no doubt that, in the case now
       examined, when the appellant's activity is constant and abundant

       handling of personal data must insist on rigor and exquisite
       be careful to comply with the legal provisions in this regard".

It is also considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following aggravating criteria, established in article 76.2 of the LOPDGDD:


    - The linking of the activity of the offender with the performance of treatment of
       personal data, (section b), considering the level of implementation of the
       entity KFC in the economy of the country, in which data are involved
       personal data of thousands of customers who access their services daily.


The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2
LOPDGDD, with respect to the offense committed by violating the provisions of the
Article 37.1 GDPR, allows a penalty of 20,000 euros (twenty thousand euros) to be set.

                                          IV.-

                                       Measures.

This Agency agrees to impose on the controller the adoption of appropriate measures
to adjust its performance to the regulations mentioned in this act, in accordance with the
established in the aforementioned article 58.2 d) of the GDPR, the corrective measure to be imposed on the

The owner of the website consists in the name of the Data Protection Officer,
as stipulated in article 37 of the GDPR.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 49/50








It is noted that not meeting the requirements of this body may be
considered as an administrative offense in accordance with the provisions of the GDPR,
classified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the

opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the applicable legislation, the Director of the Agency
Spanish Data Protection
                                     RESOLVES


FIRST: PROCEED TO THE ARCHIVE of the present actions to the entity, KFC
RESTAURANTS SPAIN, S.L., (KFC) with CIF.: B86281599, owner of the website,
https://www.kfc.es regarding article 6.1 of the GDPR.

SECOND: IMPOSE the entity, KFC RESTAURANTS SPAIN, S.L., (KFC) with

CIF.: B86281599, owner of the website, https://www.kfc.es in accordance with the
provided in articles 63 and 64 of the LPACAP, for the violation of article 37 of the
GDPR, due to the lack of appointment of a Data Protection Officer, a
penalty of 20,000 euros (twenty thousand euros).

THIRD: IMPOSE the entity, KFC RESTAURANTS SPAIN, S.L., (KFC) with

CIF.: B86281599, owner of the website, https://www.kfc.es in accordance with the
provided in articles 63 and 64 of the LPACAP, for the violation of article 13 of the
GDPR, due to the lack of information provided in the "Privacy Policy" on the
treatment of personal data obtained, with a penalty of 5,000 (five thousand
euro).


FOURTH: ORDER the entity KFC RESTAURANTS SPAIN, S.L., to implement,
within a month, the necessary corrective measures to adapt its performance
to the personal data protection regulations, as well as to inform this
Agency in the same term on the measures adopted, appointing a Delegate of

Data Protection, as stipulated in article 37 of the GDPR.

FIFTH: TO ORDER the entity KFC RESTAURANTS SPAIN, S.L., to implement, in
within a month, the necessary corrective measures to adapt its action to the
personal data protection regulations, as well as to inform this Agency in
the same term on the measures adopted, adapting the "Privacy Policy" of

its website www.kfc.es to the provisions of article 13 of the GDPR.

SIXTH: NOTIFY this resolution to the entity KFC RESTAURANTS SPAIN,
S.L., (KFC) with CIF.: B86281599,


Warn the penalized party that the sanction imposed must make it effective once it is
enforce this resolution, in accordance with the provisions of article 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations, within the voluntary payment term indicated in article 68 of the
General Collection Regulations, approved by Royal Decree 939/2005, of 29

July, in relation to art. 62 of Law 58/2003, of December 17, through its
Income in the restricted account No. ES00 0000 0000 0000 0000, opened in the name of
the Spanish Data Protection Agency in the bank CAIXABANK, S.A.
or otherwise, it will be collected in the executive period.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 50/50









Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment

voluntary will be until the 20th day of the following or immediately following business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediately following business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative procedure (article 48.6 of the
LOPDGDD), and in accordance with the provisions of articles 112 and 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations, interested parties may optionally file

appeal for reversal by the Director of the Spanish Agency for Data Protection in
within one month from the day following the notification of this resolution
or directly contentious-administrative appeal before the Contentious-
of the National Court, in accordance with the provisions of article 25 and
in section 5 of the fourth additional provision of Law 29/1998, of July 13,
of the Contentious-Administrative Jurisdiction, within a period of two months from

count from the day following the notification of this act, as provided in the
Article 46.1 of the aforementioned legal text.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015,
of October 1, of the Common Administrative Procedure of the Administrations

Public, the firm resolution may be temporarily suspended in administrative proceedings if
The interested party declares his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-

web/], or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.



Mar Spain Marti
Director of the Spanish Data Protection Agency













C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es