AEPD (Spain) - PS/00140/2022: Difference between revisions
From GDPRhub
No edit summary |
(→Facts) |
||
| Line 70: | Line 70: | ||
On May 28, 2021, the data subject filed a complaint with the Spanish DPA, claiming that, when creating an account on the controller’s website, it was only possible to register after accepting the terms and conditions and consenting to the sending of special offers and promotions. Moreover, they argued that the controller failed to provide information about: (a) the recipients of personal data; b) the possibility of making international transfers; c) the retention period. Finally, it argued that no DPO was appointed. | On May 28, 2021, the data subject filed a complaint with the Spanish DPA, claiming that, when creating an account on the controller’s website, it was only possible to register after accepting the terms and conditions and consenting to the sending of special offers and promotions. Moreover, they argued that the controller failed to provide information about: (a) the recipients of personal data; b) the possibility of making international transfers; c) the retention period. Finally, it argued that no DPO was appointed. | ||
In response, the controller admitted that there was a problem in the configuration of the registration form, which erroneously included a consent request for special offers and promotions. Likewise, it recognized that the link in such form mistakenly directed the user to a legal note instead of the page with the privacy policy. However, it claimed that these errors were fixed. Also according to the controller, the website provided double-layer data protection information and the second layer contained all the details required by [[Article 13 GDPR]]. As for the appointment of a DPO, | In response, the controller admitted that there was a problem in the configuration of the registration form, which erroneously included a consent request for special offers and promotions. Likewise, it recognized that the link in such form mistakenly directed the user to a legal note instead of the page with the privacy policy. However, it claimed that these errors were fixed. Also according to the controller, the website provided double-layer data protection information and the second layer contained all the details required by [[Article 13 GDPR]]. | ||
As for the appointment of a DPO, the controller argued that [[Article 37 GDPR|Article 37]](1) was not applicable since the data processing was merely auxiliary to its core activity, that is, the provision of meals. Finally, the controller argued that, as the general privacy policy applied to all its brands in different jurisdictions, it was not possible to provide complete information about the recipients beforehand. | |||
=== Holding === | === Holding === | ||
During the investigation, DPA verified that the “Data Privacy Policy” was divided among three documents: a) terms of use of the website; b)a general privacy policy for all countries and c) a specific privacy policy for European Economic Area (EEA) countries, United Kingdom and Switzerland. | During the investigation, the DPA verified that the “Data Privacy Policy” was divided among three documents: a) terms of use of the website; b)a general privacy policy for all countries and c) a specific privacy policy for European Economic Area (EEA) countries, United Kingdom and Switzerland. | ||
By reviewing the documents, the DPA noted that the Privacy Policy adequately indicated the legal basis for each processing operation and that the subscription to receive advertising messages and special offers was voluntary. Therefore, it considered that the processing was lawful in accordance with [[Article 6 GDPR]]. However, it held that the documents did not offer precise information on the purposes of data processing as it used undefined expressions such as "we can use...". It emphasized that “language qualifiers such as 'may', 'might', 'some', 'often' and 'possible' should also be avoided. Where data controllers opt to use indefinite language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing” ([https://ec.europa.eu/newsroom/article29/items/622227 Article 29 Working Party Guidelines on Transparency under GDPR]). In the case at hand, the DPA found that no valid justification was given for the use of generic language and imposed a fine of €5,000 | By reviewing the documents, the DPA noted that the Privacy Policy adequately indicated the legal basis for each processing operation and that the subscription to receive advertising messages and special offers was voluntary. Therefore, it considered that the processing was lawful in accordance with [[Article 6 GDPR]]. However, it held that the documents did not offer precise information on the purposes of data processing as it used undefined expressions such as "we can use...". It emphasized that “language qualifiers such as 'may', 'might', 'some', 'often' and 'possible' should also be avoided. Where data controllers opt to use indefinite language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing” ([https://ec.europa.eu/newsroom/article29/items/622227 Article 29 Working Party Guidelines on Transparency under GDPR]). In the case at hand, the DPA found that no valid justification was given for the use of generic language and imposed a fine of €5,000 for the violation of [[Article 13 GDPR]]. | ||
With regard to the appointment of a DPO, the DPA recalled that [[Article 37 GDPR|Article 37(1)(b) GDPR]] provides for 3 elements that must be examined: “core activity”, “usual and systematic monitoring” and “large scale”. To interpret these terms, the [https://ec.europa.eu/newsroom/article29/items/612048/en Guidelines of the Article 29 Working Party] were again used. Therefore, “core activity” was understood as the key operations necessary to achieve the controller’s or processor’s goals. However, it should not be interpreted as excluding activities where the processing of | With regard to the appointment of a DPO, the DPA recalled that [[Article 37 GDPR|Article 37(1)(b) GDPR]] provides for 3 elements that must be examined: “core activity”, “usual and systematic monitoring” and “large scale”. To interpret these terms, the [https://ec.europa.eu/newsroom/article29/items/612048/en Guidelines of the Article 29 Working Party] were again used. Therefore, “core activity” was understood as the key operations necessary to achieve the controller’s or processor’s goals. However, it should not be interpreted as excluding activities where the processing of | ||
data forms an inextricable part of the controller’s or processor’s activity. In turn, the concept of “usual and systematic monitoring” was defined as including all forms of ongoing, recurring or constant tracking/profiling of data subjects, either online or offline, in a pre-arranged, organised or methodical manner. Finally, to to determine whether the processing is carried out on a “large scale”, the DPA assessed: the number of data subjects concerned; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; and the geographical extent of the processing activity. Taking these criteria as met, the DPA stated that the controller failed to comply with its obligation to appoint a DPO and imposed a a fine of €20,000 for a violation of [[Article 37 GDPR]]. | data forms an inextricable part of the controller’s or processor’s activity. In turn, the concept of “usual and systematic monitoring” was defined as including all forms of ongoing, recurring or constant tracking/profiling of data subjects, either online or offline, in a pre-arranged, organised or methodical manner. | ||
Finally, to to determine whether the processing is carried out on a “large scale”, the DPA assessed: the number of data subjects concerned; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; and the geographical extent of the processing activity. Taking these criteria as met, the DPA stated that the controller failed to comply with its obligation to appoint a DPO and imposed a a fine of €20,000 for a violation of [[Article 37 GDPR]]. | |||
In addition, DPA has ordered the controller to adjust its actions to data protection regulations with regard to these infringements. | In addition, DPA has ordered the controller to adjust its actions to data protection regulations with regard to these infringements. | ||
Revision as of 14:33, 25 April 2023
| AEPD - PS/00140/2022 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 13 GDPR Article 37(1) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 28.05.2021 |
| Decided: | |
| Published: | |
| Fine: | 25,000 EUR |
| Parties: | KFC Restaurants |
| National Case Number/Name: | PS/00140/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Bernardo Armentano |
The Spanish DPA fined KFC a total of €25,000 euros for using generic language when defining the purposes of data processing and for failing to appoint a DPO, in violation of Articles 13 and 37 GDPR.
English Summary
Facts
On May 28, 2021, the data subject filed a complaint with the Spanish DPA, claiming that, when creating an account on the controller’s website, it was only possible to register after accepting the terms and conditions and consenting to the sending of special offers and promotions. Moreover, they argued that the controller failed to provide information about: (a) the recipients of personal data; b) the possibility of making international transfers; c) the retention period. Finally, it argued that no DPO was appointed.
In response, the controller admitted that there was a problem in the configuration of the registration form, which erroneously included a consent request for special offers and promotions. Likewise, it recognized that the link in such form mistakenly directed the user to a legal note instead of the page with the privacy policy. However, it claimed that these errors were fixed. Also according to the controller, the website provided double-layer data protection information and the second layer contained all the details required by Article 13 GDPR.
As for the appointment of a DPO, the controller argued that Article 37(1) was not applicable since the data processing was merely auxiliary to its core activity, that is, the provision of meals. Finally, the controller argued that, as the general privacy policy applied to all its brands in different jurisdictions, it was not possible to provide complete information about the recipients beforehand.
Holding
During the investigation, the DPA verified that the “Data Privacy Policy” was divided among three documents: a) terms of use of the website; b)a general privacy policy for all countries and c) a specific privacy policy for European Economic Area (EEA) countries, United Kingdom and Switzerland.
By reviewing the documents, the DPA noted that the Privacy Policy adequately indicated the legal basis for each processing operation and that the subscription to receive advertising messages and special offers was voluntary. Therefore, it considered that the processing was lawful in accordance with Article 6 GDPR. However, it held that the documents did not offer precise information on the purposes of data processing as it used undefined expressions such as "we can use...". It emphasized that “language qualifiers such as 'may', 'might', 'some', 'often' and 'possible' should also be avoided. Where data controllers opt to use indefinite language, they should be able, in accordance with the principle of accountability, to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing” (Article 29 Working Party Guidelines on Transparency under GDPR). In the case at hand, the DPA found that no valid justification was given for the use of generic language and imposed a fine of €5,000 for the violation of Article 13 GDPR.
With regard to the appointment of a DPO, the DPA recalled that Article 37(1)(b) GDPR provides for 3 elements that must be examined: “core activity”, “usual and systematic monitoring” and “large scale”. To interpret these terms, the Guidelines of the Article 29 Working Party were again used. Therefore, “core activity” was understood as the key operations necessary to achieve the controller’s or processor’s goals. However, it should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. In turn, the concept of “usual and systematic monitoring” was defined as including all forms of ongoing, recurring or constant tracking/profiling of data subjects, either online or offline, in a pre-arranged, organised or methodical manner.
Finally, to to determine whether the processing is carried out on a “large scale”, the DPA assessed: the number of data subjects concerned; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; and the geographical extent of the processing activity. Taking these criteria as met, the DPA stated that the controller failed to comply with its obligation to appoint a DPO and imposed a a fine of €20,000 for a violation of Article 37 GDPR.
In addition, DPA has ordered the controller to adjust its actions to data protection regulations with regard to these infringements.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/50
Procedure No.: PS/00140/2022.
RESOLUTION OF THE SANCTION PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:
BACKGROUND
FIRST: Dated 05/28/21, you have entered this Agency, writing presented by
D.A.A.A. (hereinafter, "the claimant"), against the entity, KFC RESTAURANTS
SPAIN, S.L., (KFC) with CIF.: B86281599, owner of the website, https://www.kfc.es,
(hereinafter, "the claimed party") for the alleged violation of the regulations of
data protection: Regulation (EU) 2016/679, of the European Parliament and of the
Council, of 04/27/16, regarding the Protection of Physical Persons in what
regarding the Processing of Personal Data and the Free Circulation of these Data
(GDPR), Organic Law 3/2018, of December 5, on Data Protection
Personal and Digital Rights Guarantee (LOPDGDD).
The claim stated the following:
"The company KFC Restaurants Spain SL does not follow the guidelines of the GDPR in
its website https://www.kfc.es. All violations are detailed below:
- The privacy policy for users cannot be easily accessed
of the EEA adapted to the GDPR (https://www.kfc.es/multimarcas), since the link
privacy policy publicly visible at the bottom of the web
leads to one for the US (https://www.kfc.es/privacidad).
- When creating an account on the website (https://www.kfc.es/cuenta/registro), it is not
registration is possible without selecting the box "I accept the terms and conditions
of use to receive special offers and promotions from KFC and
Franchisees", that is, they force you to receive special offers and promotions.
At no time is it mentioned or linked to the privacy policy or its
acceptance at the time of registration, only to "terms and conditions of use",
which leads to a legal notice.
- The defendant is an entity that develops advertising activities and
commercial prospecting, and carry out treatments based on the
preferences of the people affected or carry out activities that imply the
elaboration of profiles of the same according to its policy of cookies and policy of
privacy, so they are obliged to have a person Delegate of
Data Protection, and they don't have it.
- In the privacy policy: (a) the recipients of the information are not detailed
personal information · (b) the data of the person in charge does not appear detailed in
data protection matters (company name, NIF, registered office); (c) if
details the possibility of making international data transfers, and it is not
informs the interested party of the existence of adequacy decisions, guarantees,
binding corporate rules or specific applicable situations. I only know
they use generic formulas as suitable guarantees. Nor is it explained
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/50
procedure to obtain a copy of these or that they were lent; (d) no
the time of conservation of the data is detailed, formulas are used
generic as "for as long as necessary"
SECOND: On 06/29/21 and 07/12/21, in accordance with the provisions of the
Article 65.4 of the LOPDGDD Law, by this Agency, transfer of said
claim to the claimed party, to proceed to its analysis and report, in the
period of one month, on what was stated in the claim document.
According to the certificate of the Electronic Notifications and Electronic Address Service, the
Application letter sent to the claimed party, on 06/29/21, through the service
of electronic notifications "NOTIFIC@", was rejected at destination on 07/10/21.
According to the certificate of the State Postal and Telegraph Society, the application document
sent to the claimed party, on 07/12/21 through the notification service
Postal service, was notified at destination on 07/22/21.
THIRD: On 08/20/21, the claimed entity submitted a written
response to the request made from this Agency, in which, among others,
stated:
“a.- The website www.kfc.es provides data protection information in double
layer: The first layer is located at the URL www.kfc.es/privacidad and includes
information on the processing of personal data carried out by the
different brands of the company and details, among others, the following: a) The
type of information processed; b) The purposes of the treatment; c) The
automated processing that can be performed; d) The categories of
data recipients; e) The options and control over the information; F)
How the data is stored and protected; g) Link to the privacy policy
for the European Economic Area and the United Kingdom; h) Information regarding the
privacy of minors; i) Contact information.
The second layer is located at the URL www.kfc.es/multimarcas, and details,
completing the first layer information, the rest of the information required
by article 13 of the GDPR: a. Legal basis of the treatment; b.
Data storage and transfer; c. Rights Information
that assist the interested parties and how to exercise them; d. Contact information;
and. Annexes detailing the categories of personal data processed, the
purposes of the treatment and the legal bases for the treatment of the
themselves.
This second layer is directly accessible at the bottom of the page
from "Privacy Notice" that leads to the URL www.kfc.es/multimarcas with
information specific to EEA and UK residents and includes
the rest of the information required by article 13 of the GDPR.
Similarly, the Privacy Policy must include the following statement
at the top to direct users to disclosures
particular jurisdictions: “Consult our Global Privacy Policy at
below in effect for your jurisdiction. See section 7 Disclosures
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/50
jurisdictions to find specific additional privacy information
of your state or country.
Not having this statement is an omission regarding our policies
Privacy Policy, which we will correct along with any other changes and
improvements to be made and derived from this claim. Date
implementation: these changes will be applied as of September 30, 2021.
b.- Impossibility of creating an account if the sending of offers is not accepted
specials and promotions:
The web account creation space is designed to allow the creation
of accounts without having to accept the sending of special offers and
promotions. However, due to an error or failure in the configuration of the
form, the texts corresponding to both acceptance checkboxes,
include authorization to receive special offers and promotions.
The text of the first checkbox is correct, this being the one corresponding to the
express acceptance by the user to receive offers and promotions
from KFC and is dial-optional.
The text of the second checkbox should only include the acceptance of
the terms, conditions of use and the privacy policy, although by mistake
the tag "to receive special offers and promotions" was included when
should state "I accept the terms and conditions of use and the privacy policy
privacy to register at www.kfc.es”, and it is compulsory. Yeah
well the text of the checkbox indicates that the authorization refers to the reception
of offers and promotions, the internal treatment of the authorization is limited to the
acceptance for the creation of the user account.
Once the error is detected, KFC will proceed to correct it and
modification so that the texts of the checkboxes correspond to the
authorizations. Implementation Date: These changes have already been applied.
A screenshot of the account creation form is attached.- Annex II.
c.- The form does not provide a link to the privacy policies
time these have to be accepted for the creation of an account.
The web account creation form link is designed to
allow access to the terms and conditions of use and the privacy policy.
However, due to an error or failure in the configuration of the hyperlink, this
points to the Legal Note instead of the correct texts.
Once the error is detected, KFC will proceed to correct it and
modification so that the hyperlink points to the terms and conditions of
use. Implementation Date: These changes have already been applied.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/50
d.- A Data Protection Officer has not been appointed, taking into account
that the entity develops advertising and commercial prospecting activities and
carries out treatments based on people's preferences
affected or carry out activities that imply the elaboration of profiles of the
same.
From KFC we interpret that, due to the nature of data processing
carried out, we are not obliged to designate a
Data Protection Officer since we are not in any
of the specific cases established by article 37.1 of the GDPR.
In relation to these assumptions, we must emphasize the provisions of section
b of article 37.1 of the GDPR establishes that you will be obliged to designate a
DPO "when the main activities of the person in charge or in charge
consist of processing operations which, due to their nature, reach
or purposes, require regular and systematic observation of stakeholders at large
scale".
As established in recital 97 of the RGP, it is understood that the
The main activities of a manager are related to "their
primary activities and are not related to data processing
personal as auxiliary activities, therefore, the main activities»
can be considered the key operations necessary to achieve the objectives
of the person in charge or of the person in charge of the treatment”.
In this regard, KFC's core business does not focus on processing
data of users of the website www.kfc.es, but rather this is a
auxiliary activity to the main one, which is the provision of services
restoration to our clients, and this is carried out, mainly, without the
need to process their personal data and in person at
our restaurants and venues. Orders placed remotely, either at
through the website www.kfc.es, or through other channels, are treated as activity
auxiliary to the main one and, due to the nature of the service, require the
treatment of certain data of users and clients for the
billing and delivery of orders.
In the same way, for the obligation to designate a DPD to result, the
Treatment should require regular and systematic observation of
interested.
In this regard, the Article 29 Working Group interprets "usual" with
one or more of the following meanings: continued or that occurs at
specified intervals during a specified period; recurring or repeated in
preset times; Occurs constantly or periodically.
And “systematic” with one or more of the following meanings: that is
produces according to a system; prearranged, organized or methodical;
that it takes place as part of an overall data collection plan;
carried out as part of a strategy.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/50
In this regard, due to the nature and purpose of data processing,
As indicated above, the management and billing of orders
made at the request of customers and users through the website,
We consider that it cannot be considered as a habitual observation and
interest system.
In the same way, for the obligation to designate a DPD to arise, the
Processing of personal data must be carried out on a large scale. Despite
The GDPR does not define what is meant by large-scale processing, both the
recital 91 of the GDPR as the Working Party of article 29 give
guidance in this regard, taking into account the following factors when
to determine if a treatment is carried out on a large scale: the number of
affected stakeholders, either as a specific number or as a proportion of the
corresponding population; the volume of data or the variety of data elements
data that is subject to treatment; the duration, or permanence, of the
data processing activity; the geographical scope of the activity of
treatment.
Data processing is limited to those customers and users who wish to
place orders through our website, there are other channels to
remote ordering. The volume or variety of data object of the
treatment is limited to those necessary to carry out orders in
compliance with the principle of data minimization. Similarly, the
total number of users registered on the website www.kfc.es does not exceed
20,000 and is limited to customers and users within the national territory,
Spain. KFC does not meet any of the above factors so it does not
We consider the processing of customer and user data carried out on a large
scale.
For all of the above, from KFC we have been considering
that we were not obliged to designate a Protection Delegate
of data. However, and based on the claim received, if from the AEPD
believe that there is sufficient evidence that certain government activities
treatment require us to appoint a Data Protection Officer,
we will take it into consideration to re-evaluate the legal requirements for your
designation.
e.- In the privacy policies:
The recipients of personal data are not detailed. the policy of
general privacy included in the URL www.kfc.es/privacidad includes in its
section 4 the information regarding how the information of the users is shared
users, and in section 7 jurisdictional disclosures, in relation to the
communication of data made to public authorities based on the
state or country of residence of the user. Section 4 of the privacy policy
Privacy describes up to 10 different categories of recipients of the
data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/50
In this regard, the GDPR in its article 13.1 e) indicates that the person responsible for the
Treatment must inform the recipients or the categories of
recipients of personal data, if applicable.
In the same way, the AEPD itself in its Guide for the fulfillment of duty
to inform in its heading 7.4 Recipients, indicates the following: "When
has planned to transfer or communicate, legitimately, the personal data that is
collected will be informed about the identity of the recipients, if they are
clearly predetermined, or of the categories of recipients, if these do not
are predetermined."
In this case and since it is a general privacy policy that
applies to all brands and for different territories, recipients do not
are predetermined and therefore only information is provided on the
categories of recipients to whom the data may be communicated,
including the purpose or purpose of the communication of these.
We understand that the information provided in the general privacy policy
complies with the requirements of article 13.1 e) of the GDPR regarding the
provision of information regarding the categories of recipients.
On the non-appearance of the details of the person in charge of protection
of data. In this case, due to the general nature of both privacy policies,
privacy included in the web www.kfc.es -general applicable to all
territories and specific to residents of the EEA, UK and Switzerland-, identification
of the data controller can be found in the Legal Notice.
We take note of this shortcoming and we will incorporate this improvement to provide
greater clarity and transparency to the information provided in the policies of
privacy, redirecting users to the Legal Notice in the privacy policy
privacy for the identification of the person in charge of the treatment in each
territory, including Spain. These changes will be applied at the end of Sep.
2021.
The possibility of making international data transfers is detailed, but
the interested party is not informed of the existence of adequacy decisions,
guarantees, binding corporate rules or specific situations
applicable.
The specific privacy notice for the EEA and the United Kingdom informs the
users of the possibility of making international transfers, it includes
mention that, if done, KFC will ensure that:
a) the personal information is transferred to countries recognized for offering a
equivalent level of protection; either
b) the transfer is made in accordance with appropriate safeguards,
such as the standard clauses on data protection adopted by the Commission
European. Notwithstanding these measures, the country and jurisdiction to which
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/50
transferring the data can provide a level of data protection
lower than that provided for in EEA or UK law.
Although this information may seem too generic, we take note and
we will incorporate an improvement to provide greater clarity and transparency to the
training provided in the privacy policy, redirecting users to
the contact addresses of each person in charge in each territory, so that
may request additional information on international transfers
that can be realized and the appropriate guarantees used to guarantee the
adequate level of security in them.
Attached is a screenshot of the information provided about
international transfers as Annex III. Implementation date: these
Changes will be applied as of September 30, 2021.
d. The time of conservation of the data is not detailed.
The privacy policy included in the URL www.kfc.es/privacidad includes in
its section 6 the information regarding the data retention period.
Article 13.1 a) of the GDPR indicates that the data controller
must inform the period during which the personal data will be kept
or, when this is not possible, the criteria used to determine this term.
In this case and since it is a general privacy policy that
applies to all brands and for different territories, the retention periods
of the data are not predetermined and therefore it is provided only
information regarding their conservation criteria, indicating
that they will be kept “for the time reasonably necessary to maintain the
Service, comply with legal and accounting obligations, and other purposes
described in this Policy, or as otherwise required or permitted by law.”
The information related to the retention period of the data is attached as Annex IV.
data. Therefore, we understand that the information provided in the privacy policy
general privacy complies with the requirements of article 13.1 a) of the GDPR in
regarding the provision of information regarding the conservation periods
of the data or the criteria to establish said deadlines.
However, and as though this information may seem too much
generic, we take note and will incorporate an improvement to provide greater
clarity and transparency to the information provided in the privacy policy,
we will incorporate conservation criteria or longer conservation periods
specific to the privacy notice specific to the EEA and UK. Date
implementation: these changes will be applied as of September 30, 2021.
FOURTH: On 10/25/21, by the Director of the Spanish Agency for
Protection of Data, an agreement is issued to admit the processing of the claim
presented, in accordance with article 65 of the LPDGDD Law, when assessing possible
rational indications of a violation of the rules in the field of competences
of the Spanish Data Protection Agency.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/50
FIFTH: Dated 11/30/21 and 02/09/22, within the framework of the actions carried out
by the General Sub-directorate of Data Inspection in order to clarify certain
facts of which this Spanish Agency for the Protection of
Data, and in use of the powers conferred by article 58.1 GDPR and art. 67
LOPDGDD required the requested entity to provide further information on: a).- the
list of activities of the entity that involve processing of personal data,
expressly detailing if client treatments are carried out for purposes
advertising; b).- For each activity, the following must be provided: number of customer data that
treat, variety of data elements of each client that are subject to treatment,
time during which the data of each client is processed and detail of the permanence
of such data in their information systems; the geographical or territorial scope of
the treatments detailing if their systems process data related to clients of a
certain territorial scope or of the entire national territory and c).- summary of the
analysis carried out by your entity to assess the need to appoint a DPD,
indicating if they have named it and if so if it has been communicated and published.
SIXTH: On 03/01/22 and 03/10/22, the claimed entity sent to this Agency,
two separate writings in response to the requirement made by this Agency, in the
which, among others, informs about the following aspects:
"An extract from the Record of Treatment Activities (RAT) is provided in
where all the processing activities carried out by
KFC in connection with advertising activities with customers, indicating the
number of customer data whose data is processed and the type of data
treated for each activity, as well as the time during which they are treated
said data.
In this regard, KFC has a conservation calendar for
data and internal protocol of conservation / deletion of personal data
they have ceased to be necessary. It should be noted that from KFC it is not
under no circumstances perform profile analysis; processing activities
related to the sending of commercial information are carried out based on the
user consent (opt-in system) and without user segmentation.
The processing activities related to advertising are carried out
always with the prior consent of the user, unlike the
processing activities related to the fulfillment of requests for
users that are carried out on the basis of the performance of a contract.
The geographical scope of the treatment activities is Spain, being the
Centralized data management for the entire national territory.
Regarding the analyzes carried out by your entity to assess the need for
appoint a DPO, indicating whether they have been appointed and if so, whether they are
communicated and published:
In this regard, from KFC it has been understood that there is no obligation to
appointment of the DPO, because the processing activities carried out
They are not limited to those of article 37 GDPR nor is the entity among the
obligated in article 34 LOPDGDD.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/50
In the same way, compliance management in terms of data protection
It has been exercised by internal personnel specialized in data protection,
in particular, from the UK, through B.B.B., Global Privacy Lead CounselHead
and the consultancy of external experts in each of the countries from which
it is operated.
However, and as previously indicated, internally we will proceed to
periodically evaluate the need for its designation, based on the
possible operational changes as well as the start of new business branches
that may involve the incorporation of new processing activities, the
in order to offer greater guarantees of compliance to our clients
and users regarding the activities and procedures in the treatment of
personal data, in particular, if processing activities are initiated to
profiling.
II.- That on March 1, 2022, a written request for
extension of term given the complexity and volume of
information and/or documentation to be managed in order to be available to
complete the aforementioned requirement in the most appropriate way possible to
the good end of the processing of the requirement, as well as the need to
coordinate response with US parent company, Yum
Restaurants International Management LLC, confirming by the AEPD the
granting said extension of term.
III.- That, by virtue of the aforementioned requirement, this Agency is provided with the
documentation required as follows: Copy of extract Registration of
Processing activities related to clients and purposes
advertising as Annex I and Copy of Internal Analysis carried out to evaluate the
need to name DPD as Annex II
SEVENTH: On 03/21/22, by this Agency, when accessing the "Policy of
Privacy” of the web page, www.kfc.es , it was possible to verify the following
characteristics:
a).- On obtaining the consent of users for the treatment of their
personal information:
1º.- Through the link: <<Create your account>>, located at the top of the page
main page, the website redirects to a new page https://www.kfc.es/cuenta/registro where
The user can register on the web and where the name, surname,
phone, email and credit card number.
In order to send the form, the user must necessarily click the option:
_ I accept the <<Terms of use>>.
There is also the possibility of registering voluntarily, to receive offers
specials and promotions, clicking on the option
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/50
_ I want to sign up to receive special offers, raffles and promotions for
part of KFC and/or its franchisees. For more information, visit our
<<Privacy Policy>>. <<Create my Pollo Pollo account>>
2º.- Through the link: <<Start Order>>, located at the top of the
main page, the web redirects to a new page https://www.kfc.es/store-selection
where you can make the selection of the order and the option to receive it at home
or pick it up at the establishment.
Once the order has been selected, to process it, the website redirects the user to a new
page https://www.kfc.es/checkout, where personal data must be entered
of the user: name, surname, telephone, email and credit card number.
In order to send the form, the user must necessarily click the option:
_ I accept the <<Terms of use>>.
There is also the possibility of registering voluntarily, to receive offers
specials and promotions, clicking on the option
_ I want to sign up to receive special offers, raffles and promotions for
part of KFC and/or its franchisees. For more information, visit our
<<Privacy Policy>>.
<<Order Now>>
3º.- Through the link: <<Work with us>>, located in the menu on the
upper right, the web redirects to a new
https://www.kfc.es/nosotros/trabaja-en-kfc where the user can register or register
Register, to receive job offers, at the link: https://kfc.epreselect.com/General/
Alta.aspx
Once the personal data has been entered: name, surname, email, ID, the user
You must necessarily click on the boxes:
_ I am not a robot.
_ I have read, understand and accept the <<Privacy Policy>>
There is also a banner with the following information:
Basic Information on Data Protection: Responsible: KFC IBERIA;
Purposes: Include in the database of candidates of the Company the data
of the curriculum vitae that you provide us when you create your account with us to
use them in future selection processes in which your profile may fit;
Legitimation: Consent of the interested party; Recipients: We will not communicate
your data to third parties except legal obligation and to the companies indicated in
the additional information.
4º.- Finally, there is also the possibility of providing personal data to the
entity through the subscription page for special offers and promotions,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/50
https://www.kfc.es/subscripcion, where the user must provide the name,
last name and email.
Before being able to send the subscription newsletter, the user must click on the option
to accept it:
_ I want to sign up to receive special offers, raffles and promotions for
part of KFC and/or its franchisees. For more information, visit our
<<Privacy Policy>>.
b).- Regarding the “Privacy Policy”:
1º.- If the clauses of the "Terms of Use" of the web are accessed, through the
existing links in the different forms or through the link exists in the part
bottom of the main page, the web redirects to a new page
https://www.kfc.es/nota-legal , where information is provided, among others, on
the following aspects:
(…) Contact: the websites are owned and managed by kfc restaurant spain
s.l. a company registered in Spain, whose registered office is at
Serrano Galvache 56, Madroño building, 3rd floor, KFC, Madrid, 28033. CIF:
B86281599. To contact us, call +34 917
68 07 30.
Registration: Data protection: we will collect, store and process your
personal information in accordance with our privacy policy. please,
please read our <<privacy policy>> to make sure you are satisfied
and understand its content before creating an account.
Terms and conditions for orders placed via mobile:
data protection: we will collect, store and process your
personal information in accordance with our <<privacy policy>>. by
Please read our privacy policy to make sure you are satisfied.
and understand its content before creating an account.
If you are not satisfied with the service you have received, please contact
us through clientes@kfc.es or +34 91 904 18 81 (…)
2º.- If you access the "Privacy Policy" of the web, through the links
existing in the different forms or through the link exists at the bottom
from the main page, the web redirects to a new page
https://www.kfc.es/privacidad, where information is provided, among others, on
the following aspects:
“About the personal information they collect; How they use the information
staff; What information may be collected automatically; As
share the collected information; About the options and control over the
information collected, how they store and protect the information; On
European jurisdictional regulations expressly indicate the following:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/50
"When we have an establishment in the European Economic Area
(“EEA”), the United Kingdom or Switzerland, or we are processing personal data
relating to persons located in the EEA, UK or Switzerland, please click
<<click here>> for additional information about our privacy practices
data privacy; About children's privacy; About links to others
websites and services; How to contact the site managers
Web; And about the changes in the privacy policy (…)”.
3º.- If you access the "Privacy Notice" of the web, through the link that exists in the
bottom of the main page, the web redirects to a new page
https://www.kfc.es/multimarcas, where specific information is provided on the
processing of personal data obtained in the EEA, United Kingdom or Switzerland and between
it, you will find the following information:
About the Treatment Manager: KFC Spain: KFC Restaurants
Spain, S.L. with NIF B86281599 and address at Calle Serrano Galvache (Pq.
Business Pq. Norte), 56 - Edif. Olmo Fifth Floor, Madrid, Madrid. Mail
Email: clientes@kfc.es. Telephone: 91 904 18 81. On the legal basis
for data processing. On the basis of the consent given and
on the right to withdraw your consent at any time, when
have granted. About the storage and transfer of data in the EEA and
the United Kingdom. On the individual rights of EEA residents and
how to exercise it, and the right to file a claim with your authority
local. How to contact the person in charge of the web.
In addition to the information provided in the "Privacy Policy" and in the "Notice
of Privacy” two annexes are attached with the following information:
- Annex 1 sets out in detail the categories of personal information re-
collected, as well as the legal basis on which they are based to treat the information
personal information and the recipients of such personal information.
- Annex 2 sets out the categories of personal information that they collect and
how they use that information. The table also lists the legal basis in
on which they are based to treat personal information and the recipients of such
personal information.
EIGHTH: On 05/31/22, by the Board of Directors of the Spanish Agency for
Data Protection, a sanctioning procedure is initiated against the claimed entity, at
appreciate reasonable indications of violation of the provisions of the articles:
a).- Violation of article 6.1 of the GDPR due to the non-existence of a mechanism
that allows users to give their consent to the processing of their data
personal data for each and every one of the purposes for which the
personal data, when applicable, with an initial penalty of 30,000
euros (thirty thousand euros).
b).- Violation of article 37 of the GDPR, due to the failure to appoint a
Data Protection Officer; with an initial sanction of 20,000 euros
(twenty thousand euros)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/50
c).- Violation of article 13 of the GDPR, due to the lack of information provided
in the "Privacy Policy" on the processing of personal data
obtained, with an initial penalty of 5,000 euros (five thousand euros).
As certified by the Single Authorized Electronic Address Service (DEHÚ), the letter
of initiation of the file sent to the claimed party, on 05/31/22 through the
electronic notification service "NOTIFIC@", was made available to the
claimed party 06/01/2022, appearing in the certificate as the date of rejection
automatic, on 06/12/22.
Although the notification was validly made by electronic means, assuming that
carried out the procedure in accordance with the provisions of article 41.5 of the LPACAP, under
informative, a copy of the document to initiate the file was sent by postal mail
which was delivered at destination on 07/26/22.
NINTH: Notified the initiation agreement to the claimed party, the latter in writing
dated 08/09/22 formulated, in summary, the following allegations:
FIRST.- REGARDING THE PROPOSED SANCTION FOR
VIOLATION OF ARTICLE 6.1. OF GDPR.
1.1. THE RESEARCH ACTIVITY OF THE AEPD IS INSUFFICIENT TO
ORDER THE START OF THE SANCTION PROCEDURE
Article 53 of Organic Law 3/2018, of December 5, of
Protection of Personal Data and guarantee of digital rights (in
forward, "LOPDGDD"):
"1. Those who carry out the research activity may collect the
precise information for the fulfillment of its functions, carry out
inspections, require the display or sending of documents and data
necessary, examine them in the place where they are deposited or in
where the treatments are carried out, obtain a copy of them, inspect
the physical and logical equipment and require the execution of treatments and
treatment management and support programs or procedures subject to
investigation".
For its part, article 67 of the LOPDGDD provides the following: 1. Before
the adoption of the agreement to start the procedure, and once admitted to
process the claim, if any, the Spanish Agency for the Protection of
Data may carry out preliminary investigation actions in order to achieve
a better determination of the facts that justify the procedure”.
In other words, the AEPD is responsible for carrying out the investigation tasks
sufficient to determine the scope of potential infringements committed
prior to issuing the agreement to initiate any procedure
sanctioning. And this in accordance with the provisions of article 68 of the
LOPDGDD; specifying said article that the initiation of the procedure for the
exercise of the sanctioning power will proceed once the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/50
investigative actions of the AEPD and, in any case, if as a result of
said investigations, it is appropriate to initiate such a procedure.
Based on the foregoing, it should be noted that the reasons why the AEPD
proposes a penalty of 30,000 euros in the framework of this procedure
sanctioning are exposed on pages 31 and 32 of the Agreement of
Beginning of Sanctioning Procedure. These reasons are summarized in that KFC
carries out personal data processing for purposes "written in accordance with
generic form, which allow unlimited post-processing, once
fulfilled the purpose for which they were obtained."
In this regard, the AEPD upholds its decision – without taking into account the
aggravating circumstances, which will be duly refuted later
in this writing– SOLELY AND EXCLUSIVELY in the wording of the privacy policy
privacy that is published on the KFC website at the time of carrying out
carried out by the AEPD its investigative work. And this without taking into account that:
The purposes indicated in the privacy policy on which it is proposed
sanction describe potential situations and do not imply that they are
actually carried out, or are carried out in a manner
totally lawful as will be exposed; and most importantly, such further
Treatments for which a sanction is proposed are not included in the Registry
of Treatment Activities already provided to the AEPD, which represents a clear
lack of contrast on the part of the AEPD when determining the eventual
existence and scope of the presumed infringement committed and the calculation of the
proposed sanction.
KFC is at all times in compliance with its obligations regarding
protection and data and specifically with those derived from the legality of the
processing of personal data that it does carry out in accordance with the
Article 6 of the GDPR. Without going any further, the AEPD says nothing about the forms
collection of personal data transcribed on pages 13 to 16 of the
Agreement to Initiate Sanctioning Procedure. They show the
good behavior of KFC and the correct management that it does when picking up
personal data of its interested parties and the adjusted information by layers that
provides about the treatments that it actually performs.
However, the AEPD proposes a sanction for the violation of article 6 of the
GDPR against KFC for the inclusion in its privacy policy of treatments
which include terms such as: “we may use”; or "we can share" that
they cannot at all conclude that KFC actually carries out treatment
some. The AEPD in its Agreement to Initiate Sanctioning Procedure is
talking about hypothetical treatments without any supporting evidence
that they are actually being carried out.
Furthermore, as explained in the prior information phase that precedes
this disciplinary procedure, the Registry of Data Treatment Activities
KFC requested and duly provided in due time and form before the AEPD,
incorporates customer treatments for advertising purposes. between sayings
There are none of the treatments that the AEPD now mentions.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/50
to propose sanction. As much as KFC's privacy policy left
open the possibility of processing data for the purposes of "profiling, programs
reward or customer loyalty; to share, sell or
disclose the information obtained to the parent company, to other companies in the
group or subsidiaries other than for administrative management or to sell,
share or disclose the personal data obtained", the truth is that said
treatments are not currently carried out by KFC, as stated
duly of the aforementioned Registry of Treatment Activities provided to the
file, which does not say anything about said treatments, nor
about the data communications to third parties that are mentioned (and cannot be
say so, because these treatments are not carried out by our company).
In addition, KFC does not conduct any activity related to a food program.
reward or customer loyalty. This has not been confirmed by the AEPD
in the transcription of the privacy texts contributed to this procedure
nor by the complainant in his claim.
The investigative activity of the AEPD in these proceedings was
exclusively to require KFC to provide:
«List of activities of the entity that involve data processing
personal, expressly detailing if client treatments are carried out
for advertising purposes For each activity you must provide:
O number of customer data they process, O variety of data elements
of each client who are the subject of treatment, OR time during which
treat the data of each client and details of the permanence of said data in
its information systems; Or the geographic or territorial scope of the
processing detailing whether their systems process data relating to clients of a
certain territorial area or the entire national territory.
Having observed the existing inconsistencies between what is described in the
Record of KFC Treatment Activities and what is reported in its privacy policy
privacy, the AEPD should have continued its investigative work and not
should have proposed a sanction given the clear and evident lack of elements of
conviction that would even allow us to intuit that KFC had committed
any breach of the GDPR of the nature described here.
By way of illustration, the RAT provided to the procedure of
Information request E/12752/2021 followed by this Agency: 1.2.
IN THE PRIVACY POLICY INVESTIGATED THERE ARE IDENTIFIED
TREATMENTS THAT CAN BE CARRIED OUT AND THERE IS A BASIS
ENOUGH LEGITIMATING FOR IT
Notwithstanding what is described in Claim 1.1. above, and that KFC never
has carried out the treatments described in the Initiation Agreement
Sanctioning Procedure of the AEPD, it is noteworthy that even in the case
that the processing of personal data indicated by the AEPD had
took place, they are identified in the KFC privacy policy
which is transcribed in the aforementioned Agreement to Initiate Proceedings
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/50
Sanctioning and without foundation to propose a sanction based on the article
6.1 of the GDPR.
The AEPD proposes a sanction to KFC for carrying out subsequent treatments to those
identified in the KFC privacy policy based on article 6.1 of the
GDPR, but really the only way you are aware of such
treatments is precisely for what is indicated in the privacy policy of
KFC.
That is, a sanction is being proposed for carrying out further processing
that they are identified in KFC's own privacy policy. Of
In fact, it is the AEPD itself that, to justify its sanction proposal, extracts
paragraphs of KFC's privacy policy stating that KFC
may carry out said treatments with respect to its interested parties.
What should not be confused is the execution of processing for purposes
further, on the one hand, with the duty of transparency ex article 13 of the GDPR
on the other, when describing said treatments and their legitimizing bases. AND
is that, for this, the AEPD is already proposing a sanction as can be seen in the
page 40 of the Agreement to Initiate Sanctioning Procedure. I already know KFC
is proposing a sanction for breach of the duty of transparency, and the
The reality is that the AEPD is making up a second sanction for lack of
transparency shielded by an implausible violation of article 6.1 of the GDPR
based on evidence that is precisely obtained from the policy of
KFC privacy. It is completely incongruous to propose a sanction to a
controller for carrying out further processing
identified in its own privacy policy precisely because the
The main reason for sanctioning for further processing resides in a
data processing for a purpose other than that initially informed –
Considering 50 GDPR–.
In any case, we can speak of an omission to identify the bases
legitimizing of each of the treatments that the AEPD identifies in its
Agreement to Start the Sanctioning Procedure, but as will be seen, the lack
of transparency on the identification of the legitimizing bases does not imply
unlawful processing of personal data:
When talking about "personalizing your experience with us" the
AEPD is confusing profiling with a mere activity
segmentation for the sole purpose of carrying out marketing activities
perfectly compatible with the rules of protection of
data and with the criteria of the European Committee for Data Protection, as well as
of the Article 29 Working Group. The fact that KFC adjusts the offer of
your products and services to the preferences expressed by your customers
during the purchase of products is inherent to the activity of any
company that is duly organized and that carries out an activity
diligent and oriented to the best service to its clients.
The Article 29 Working Group, in its Guidelines on Decisions
automated individual and profiling purposes for the purposes of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/50
Regulation 2016/679, of October 3, 2017, indicates that the activities of
user segmentation can be treated with different legitimizing bases,
among them, the execution of the contractual relationship between the client and the
controller, and the legitimate interest pursued by the controller
of the treatment, in this case KFC.
The truth is that, to date, the AEPD has not required KFC to indicate the
legitimizing basis of this processing of personal data insofar as it is
proposing a sanction for an unfortunate and non-existent infraction.
Likewise, the segmentation that emerges from the wording of the privacy policy
KFC's privacy matches the parameters set forth by the Group of
Work of Article 29 to base such treatment either on the execution of the
contractual relationship, or in the legitimate interest of KFC: from reading the
privacy policy does not follow the elaboration by KFC of a
exhaustive or detailed profile subject to the prior consent of the interested party,
especially if we take into account the main activity of KFC, which is none other than
the sale of fried chicken in physical establishments.
What can be the degree of completeness of the profiling for the sale of
products of this type? If the customer prefers a bucket of fried chicken or a
chicken burguer? Of course, it cannot be concluded that
profiling activities are taking place subject to consent to
based on the information available to the AEPD.
Regarding the geolocation treatment indicated by the Agency,
It should be emphasized that our privacy policy clearly states in
section "5. Your Choices and Control Over Your Information" which will only be discussed
under the consent of the interested party: consent that, in addition, comes
complemented by the privacy configuration options that are
offer to users and that are clearly explained in our privacy policy.
privacy.
The other treatment identified by the AEPD is "promoting our
affinity and rewards programs” – this can clearly be done by KFC,
both for those clients who have given their consent for
promotions, as for any other client in accordance with the provisions of the
Article 21 of Law 34/2002, of July 11, on Services of the Society of the
Information and Electronic Commerce. In addition to the fact that, as indicated,
it is not a further treatment, it is a treatment clearly identified in the
privacy policy and clearly linked to KFC's own activity
linked to the treatment of the data of the people who, voluntarily,
register on our website.
Regarding the communication of personal data both with third parties
as an intragroup, indicate that section 4 of the KFC privacy policy
identifies all categories of third parties that can access data
data subjects and under what circumstances. Not again
We are talking about a matter of subsequent processing ex article 6.1.
of the GDPR but whether the information provided is sufficiently
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/50
transparent, for which, a sanction is already being proposed (so the one that
is now proposed is not applicable, based on the principle of non bis in idem).
Lastly, in terms of considering the reference in the
our privacy policy to "service providers" as recipients
of the data of our registered web users, it could not be more outside
instead, for the following reasons:
We reiterate: in any case, the foregoing would imply an alleged violation
of article 13 GDPR, for the alleged violation of which by KFC already
proposes sanction for which, again, it is not appropriate to sanction again based on
to article 6.1 GDPR by application of the non bis in idem principle;
But it is also that sharing data from our registered users with
service providers, with whom KFC has duly signed the
corresponding custom treatment contracts, it is not at all
no data processing subsequent to the main processing of the data
said users, but something intrinsically linked to said treatment
major. Anyone with elementary knowledge of economics knows
of the existence of the value chain, and that all economic activity is
supported by the concurrence of external providers to whom it is entrusted
more efficient management of production processes of any
organization
If the above were not enough, the art itself. 13 GDPR allows for
expressly identify the recipients of data by "categories" of the same,
with which, with the reference to external providers, it is complied with
said precept when providing information to our users
registered.
SECOND.- REGARDING THE PROPOSED SANCTION FOR
VIOLATION OF ARTICLE 37 OF THE GDPR.
The AEPD identifies a possible offense committed by KFC for not having
appointed a data protection delegate being obliged to do so according to
the criteria of article 37 of the GDPR, mentioning the established criteria
by the Article 29 Working Group to determine the need for
designate a data protection officer.
Where this part does not coincide with the actions of the AEPD in the present
procedure is in the form of applying the Guidelines on Delegates of
Data Protection to the present factual assumption to conclude that KFC
You must designate a data protection officer.
Next, the conclusions reached by this part are exposed to
consider that the elements indicated in article 37.1 b) of the GDPR are not
comply and that, therefore, it is not necessary to designate a delegate of
Data Protection:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/50
(i) Regarding the "main activity": In accordance with what is specified by the
Working Group of Article 29, the main activities must be associated with
those activities and “key operations necessary to achieve the objectives”
of any company in its commercial activity.
The AEPD makes use of examples such as hospitals or companies of
private security whose operations and activities are closely linked
to the processing of personal data – health data, and systematic surveillance
respectively-. However, the main activity of KFC is the provision of
catering services at physical points of sale through its
franchisees without the need for any personal data processing
relating to consumers of such products.
It does not make sense that the AEPD on page 43 of the Agreement to Begin
Sanctioning Procedure, indicate that the corporate purpose is not related to
the main activity, and then use the KFC corporate object to say that you are
obliged to designate a data protection officer. But it is that, in addition,
our website is by no means the center of KFC's activity,
rather, it is only one of the channels that KFC uses to put into
contact consumers of our products with franchisees at
through which our products can be purchased (among other
channels that KFC uses to achieve this purpose is advertising
in the media, advertising on public roads, advertising campaigns
sponsorship and sponsorship, alliances with third-party organizations, etc…).
Consequently, it is clear that KFC does not use its website as a
main selling point of its products (such main selling points are
and they will always be the establishments of its franchisee network). As
As indicated above, KFC online sales during 2021 rose
to 2,530,000 euros. This is 1.1% of total KFC sales in
Spain through its franchisees; therefore, indicate that «nature
of the plaintiff's activity inextricably requires the treatment of
personal data, without which its development would be impossible" is a
conclusion that is not only erroneous and imprecise from the moment in which the
The bulk of KFC's income in Spain comes from sales other than those of
its web page, but also lacks any proof from
from the agency.
The RGPD pronounces precisely in this line in its Recital
97 when understanding that «the main activities of a person in charge are
related to their primary activities and are not related to the
processing of personal data as ancillary activities”. Having in
account the disproportion of KFC's online sales with respect to its volume
of total sales, it can hardly be understood that such activity is
considered as primary and, therefore, as principal.
In short, if the criteria set forth by the AEPD were followed, any company that
Have a website as a complementary channel for your activity
would be obliged to designate a data protection officer, and this
conclusion would void articles 37 of the GDPR and 34 of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/50
LOPDGDD, and it would be clearly contrary to the letter and the spirit of the norm
Regarding this specific obligation to designate a person responsible for
ensure compliance with privacy regulations.
Regarding "regular and systematic observation": The
KFC activity on its website with the definitions given by the
AEPD itself, since there is neither "a general data collection plan" nor is it
carried out "as part of a strategy", neither the AEPD provides proof nor
any evidence of such accusations. The only thing that happens to the data
personal information processed in the KFC web environment of its customers is that they carry out
orders to receive food at home or pick it up in establishments
KFC franchisees and promotional campaigns and actions are carried out to
retain customers. In no case carrying out a systematic follow-up of
the interested. Geolocation tasks only occur, as is
obvious and evident, when the interested party wishes to locate a store near him,
when you want to receive the order at your home, or when -existing base
appropriate legitimizing – wishes to receive promotional information from the place in which
which is found This is by no means constant over time and can only be
produced at the request of the user who makes use of the KFC website and after having
obtained your consent.
Regarding "large-scale" treatment: At this point, we
We fully refer to what is indicated in the Fourth Subsequent Allegation. He
volume of data from customers who placed orders in the online environment of
KFC in 2021 amounts to 110,000 registrations, which made 153,439
orders; another 100,000 records are those that received communications
commercial during 2021. All of them, limited to the geographical area of
Spain for specific purposes and identified in the policy of
privacy.
Added to this, the risk in the treatment is low, since they are not treated
data of the categories established in articles 9 and 35 of the GDPR, as well as
nor do the circumstances indicated for this purpose in the guidelines
and guidelines of the Article 29 Working Group, nor in the conditions
indicated in article 28 of the LOPDGDD. All of this, as can be seen
Record of Treatment Activities of constant reference.
Added to this, it should be made clear that the AEPD throughout the phase of
investigation has not been able to link the data processed by KFC on its page
web to any app, much less to a widely implemented app (which
is too ambiguous a term to be considered a sufficient criterion
enough to propose a sanction of 20,000 euros).
Lastly, with regard to geolocation, it should be noted that,
As specified before, said activity is not included in
no data protection regulations as high-risk data or
especially protectable. The only example can be found in the article
28.2 section d) of the LOPDGDD, and in this regard it must be qualified that said
geolocation, actually corresponds to a monitoring
system intended for profiling and based on the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/50
geolocation and movement tracking; which it does not do at all
KFC.
The previous elements, valued as a whole, can in no way
determine that KFC must designate a data protection officer and
confirm the legal analysis of the information request procedure
E/12752/2021, in which KFC confirmed having carried out the analyzes
pertinent and concluded that they did not need to designate such a figure. Which
makes this second sanction proposal inadmissible.
THIRD.- REGARDING THE PROPOSED SANCTION FOR
VIOLATION OF ARTICLE 13 OF THE GDPR.
The AEPD considers that after reading the privacy policy of
KFC and the description of the purposes of the treatment that is carried out in it,
KFC is committing a violation of article 13 of the GDPR in that it does not
is complying with the duty of transparency that is required of it when informing
its interested parties about the purposes of the treatments it carries out.
For this, it applies the criteria established in article 74 of the LOPDGDD and
qualifies the infraction as minor. In this regard, KFC has nothing to add
and refers to what is indicated in the First Allegation of this brief of
allegations, without prejudice to pointing out that, as the AEPD itself confirms in its
resolution to initiate disciplinary proceedings, throughout the process of
previous information that precedes this KFC procedure has been
improving its privacy policy in those aspects in which, according to
the information requirements received from the AEPD itself, it has been
understood they were susceptible to improvement. However, the AEPD imposes for such
non-compliance a sanction that exceeds the criteria for the imposition of
sanctions established in the GDPR itself. Without going any further, Recital
148 of the GDPR establishes the following:
"In order to strengthen the application of the rules of this Regulation,
any violation of this must be punished with sanctions, including fines
administrative, in addition to appropriate measures imposed by the
supervisory authority under this Regulation, or in substitution of
are. In the event of a minor infraction, or if the fine likely to be
imposed constitutes a disproportionate burden on a natural person,
Instead of a sanction by means of a fine, a warning may be imposed.
The truth is that there are no sanctioning precedents in terms of
protection of data that compromise KFC, and the entity is already in
procedures to update the information that it provides to its stakeholders in environments
digital. KFC considers that in the absence of aggravating circumstances for
the imposition of any sanction –as explained below– and
taking into account what was stated in the different allegations, as well as that the
offense has been classified as minor, a warning corresponds as
sanction instead of the fine of 5,000 euros proposed by the AEPD.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/50
FOURTH.- THERE ARE NO AGGRAVATING CIRCUMSTANCES THAT
INCREASE THE AMOUNT OF THE PROPOSED SANCTIONS
To determine the amount of the sanctions proposed by the AEPD for
amount of 30,000 and 20,000 euros, the Agency itself resorts to two elements
which are nowhere near the reality of KFC's commercial activity in
Spain.
The first of them refers to the intention of the infringement
committed. For this, the AEPD bases its reasoning on the Judgment of the
National Court of October 17, 2007. Said sentence specifies that
to assess the degree of diligence required of the person responsible for the treatment must
attention to determine if "the appellant's activity is constant and
copious handling of personal data.
The truth is that, although activities are carried out in digital environments -the
sale of KFC products on the internet – and it can be deduced that he takes a
constant data processing, UNDER NO CIRCUMSTANCES such processing
of constant data should automatically be understood by abundant, by the
mere fact that KFC is a recognized brand in Spain. The Registry of
Treatment Activities contributed to the procedure for requesting
information E/12752/2021 clearly indicates that the total number of users
registered through the KFC website in Spain in 2021 does not exceed
110,000, who placed 153,439 orders in 2021, and the number of
records that receive commercial communications (opt-in) is 100,000;
these being the maximum data of interested parties linked to the treatments
for which the AEPD proposes sanction.
We must remember that the Working Group of Article 29, Guidelines on
data protection delegates (DPD), specifies what criteria must be
be taken into account to consider that there is a large-scale data processing
scale, or abundant, as indicated by the National Court:
"In any case, the Working Group recommends that consideration be given to
the following factors, in particular, when determining whether the treatment
is done on a large scale:
the number of stakeholders affected, either as a specific number or as a
proportion of the corresponding population; the volume of data or variety
of data elements that are subject to processing; the duration, or
permanence of the data processing activity; the geographic scope of
processing activity.
In the present case, it must be indicated that the data of on-line users by
of KFC (110,000 registered users), with respect to the total population
Spanish who buys online (28.5 million citizens) is negligible, so
it is only 0.00385% of the total. The variety of data from such users
registered KFC, as the AEPD itself acknowledges, is also reduced because
only contact data, location data and data are processed
identifiers to provide the services and provide the products offered. The
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/50
duration of the treatment as indicated in the Register of Activities of
Treatment is 5 years maximum. And the geographic scope is limited
to Spain.
For all these reasons, the application of this aggravating factor is entirely
unfair. In addition, and with regard particularly to the sanction
regarding not designating a data protection officer, it is absolutely
inappropriate to apply such an aggravation of guilt, since KFC has
carried out –and has demonstrated it– the pertinent evaluations for
consider that it is not necessary to designate a data protection officer.
If the sanction is confirmed, such an aggravating circumstance should not be taken into account by
how much KFC has taken all precautions fulfilling its duty to
proactive responsibility to analyze the need to appoint a delegate of
protection not considering it necessary.
Secondly, and regarding the second aggravating circumstance proposed by the AEPD,
It is hard to believe that an aggravating circumstance is imposed on KFC in the sanction proposed by
"the level of implementation of the KFC entity in the country's economy". To the
In this regard, the following data is highlighted:
According to the data of the National Institute of Statistics in its Survey
on the use of ICT and electronic commerce in companies of the Year 2020 –
First quarter of 2021 (https://www.ine.es/prensa/tic_e_2020_2021.pdf)-, the
volume of sales made by companies through electronic commerce
in 2020 it amounted to 275,011,398,000 euros. The 2.5 million euros of
sales made by KFC through its website does not amount to more than the
negligible 0.00009% of the national total of sales made by trade
electronic.
Likewise, according to the study published by the entity Adevinta and
called "online commerce is consolidated in Spain: 86% of the
population buys and sells through the internet»
(https://www.adevinta.es/stories/articles/comercio-onlineconsolida-pulso-
digital), «48% of the Spanish population carried out the entire purchase process
by Internet". That is, almost 23 million people in Spain. The 110,000
Registered users on the KFC website represent the tiny proportion
of 0.00478% of the aforementioned 23 million.
Of course, the aggravating criterion raised by the AEPD has no place
since it is highly questionable that KFC for its activity on-
line and in view of the exposed data, have a level of implementation
relevant in the Spanish economy, especially if one takes into account that the 2.5
million euros billed by KFC do not mean anything with respect to the
total sales identified by the National Institute of Statistics and that the
110,000 registered users on its website represent a very
small part of the total population that buys online in Spain.
TO THE AEPD I REQUEST: Consider this document, its copies,
admits them, and considers the previous allegations formulated in the Agreement of
Initiation of Sanctioning Procedure PS/00140/2022, so that by joining
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/50
to the same, issue a resolution annulling the sanction proposals
formulated and file without further formalities the aforementioned procedure
sanctioning.
SUBSIDIARILY, TO THE AEPD I REQUEST: In the case of considering that
KFC has committed any of the violations described in its proposition of
sanction, sanction KFC only with respect to the one relating to non-compliance with
the obligations of transparency indicated in article 13 of the GDPR, and with
warning, given that there is no record of sanctions against this
Agency, the lightness of the offense committed in the terms of the
AEPD, KFC's patent will to improve its level of compliance
normative demonstrated in the prior information procedures that precede the
present procedure, and the non-commission of the other offenses indicated in
its Agreement to Start the Sanctioning File”.
TENTH: On 11/16/22, the proposed resolution is sent to the claimant in the
which, it was proposed that, by the Director of the Spanish Agency for Data Protection
proceed to penalize the entity, in accordance with the provisions of articles 63 and 64
of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (LPACAP), for the following reasons:
- Due to the infringement of article 6.1 of the GDPR, due to the non-existence of a mechanism
form that allows users to give their consent to the processing of their data
personal expenses for each and every one of the purposes for which they
personal data, when applicable, with a penalty of 30,000 euros.
rivers (thirty thousand euros).
- For the infringement of article 37 of the GDPR, for the failure to appoint a
Data Protection Officer, with a penalty of 20,000 euros (twenty thousand
euro).
- Due to the infringement of article 13 of the GDPR, due to the lack of information provided
contained in the "Privacy Policy" on the processing of personal data
obtained, with a penalty of 5,000 (five thousand euros).
Along with this and in accordance with article 58.2 of the GDPR, it was proposed as
corrective measures to be imposed on the defendant:
- To implement, within a month, the necessary corrective measures to
adapt their actions to the regulations for the protection of personal data, named
establishing a Data Protection Officer, as stipulated in article 37 of the
GDPR, as well as to inform this Agency within the same term about the measures
measures taken.
- To implement, within a month, the necessary corrective measures to
adapt their actions to the personal data protection regulations, with the
inclusion in the "Privacy Policy" of the necessary information on the e-
creation of loyalty profiles and their legal basis, as well as the identification
of the third parties to whom the personal data obtained are transferred, as well as
to inform this Agency within the same period of the measures adopted.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/50
As certified by the Single Authorized Electronic Address Service (DEHÚ), the letter
of the file proposal made available to the claimed party, the day
11/19/22 through the electronic notification service "NOTIFIC@", stated in the
certified as automatic rejection date, 11/30/22.
There is no record, in this agency, of any written response to the proposal of
resolution by the claimed entity.
PROVEN FACTS.
Of the actions carried out in this procedure and of the information and
documentation presented by the parties, the following have been accredited
facts:
First: On the legality of the processing of personal data obtained on the web
www.kfc.es:
On the website www.kfc.es you can enter personal data of users, to
through several procedures:
a) for the creation of a user account;
b) to register as a job seeker in the chain;
c) to place an online order for its products and
d) to receive promotional offers.
Before you can submit the form for any of these procedures with the
personal data, it is necessary to have previously provided consent
for data processing, with the possibility of accessing the "Policy of
Privacy” of the web, through the link: “The conditions of Use” “Policy of
Privacy (Generic)” “Privacy notice”, (Exclusive for EEA and United Kingdom).
There is also, in the four indicated forms, the possibility of registering
voluntarily to periodically receive promotional offers from the brand.
The "Data Privacy Policy" of the web page in question is divided into three
documents:
a) Terms of use of the website;
b) A generic privacy policy for all countries and
c) A specific privacy policy for the countries of the Economic Area
European (EEA), United Kingdom and Switzerland.
In the first document, "Terms of use" (https://www.kfc.es/nota-legal), you can
read, regarding the policy of protection of personal data obtained, the following:
"(...) Data protection: We will collect, store and process your
personal information in accordance with our Privacy Policy. Please,
Please read our Privacy Policy to ensure you are satisfied and
understand its content before creating an account (…)”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/50
If you access the "Privacy Policy" of the website www.kfc.es, in the link,
https://www.kfc.es/privacidad, “generic policy for all countries”, you can
read, as an introduction:
“KFC® (“KFC”, “we”, “our” or “us”) is committed to protecting your
privacy. This KFC Privacy Policy (this “Policy”) applies to
our websites, online experiences and mobile applications to
mobile devices running Apple iOS, Windows, or Android that are linked to the
Policy (collectively, our “Sites”), and describes how we collect,
we use and disclose your personal information when you visit our Sites or
our restaurants and in-store kiosks, or otherwise interact with
us (collectively, our “Service”).
By accessing or using our Service, you indicate that you have read, understood and
You agree to our collection, storage, use and disclosure of your
personal information as described in this Policy and in our
Terms of use, available on our site.
For more information about the privacy practices of other
companies of Yum Brands, Inc. (“Yum Brands”) (the “Marks”), please visit: Policy
YUM Brands privacy policy. PIZZA HUT® Privacy Policy. Policy
TACO BELL® Privacy Policy. THE HABIT® Privacy Policy
Regarding the purposes to which the personal data obtained will be dedicated, among
others, the following is indicated:
“(…) 2. HOW WE USE PERSONAL INFORMATION:
(…) We may also use your information to personalize your experience
with us and promote our rewards or loyalty programs.
We also use this information to provide you with the Service in all
our operations, including supporting your in-store experience when
interacts with our franchisee-owned locations (…).
4. HOW WE SHARE YOUR INFORMATION
We may share, sell or disclose your information in cases where
describe below. For more information about your options in
regarding your information, see “Your Choices and Control Over Your
information".
Other Brands: We may share personal information with our company
parent Yum Brands and other Yum Brands companies and our affiliates, which
may use your information in ways similar to those described in this
Policy. (…)
Promotional Partners: We may share limited information with third parties
with whom we partner to provide contests and sweepstakes, or other
joint promotional activities. Typically, these partners
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/50
will be clearly identified in the contest rules or in the contest materials.
promotion.
Selected Marketing and Strategic Business Partners: We can
share limited data with our strategic business partners and
preferred marketing partners so they can provide you with information and messages
marketing about products or services that may be of interest to you. This parts
may use your information in accordance with their own privacy policies
privacy.
Online Advertising Partners: We may share information with online advertising partners.
third-party online advertising or allowing these partners to collect information
from you directly on our Sites to facilitate online advertising.
For more information, see our Cookie Policy and
advertisements, available on our Site. (…)
Other cases in which we may share your personal information:
Service Providers and Consultants: Personal information may
shared with third-party vendors and other service providers who
provide services to us or on our behalf. This may include vendors and
distributors who engage in marketing or advertising activities or who
provide postal or electronic mail services, fiscal services and
Accounting, Product Fulfillment, Delivery Services, Processing
payments, data improvement services, fraud prevention, web hosting or
analytical services.
In connection with any of the above, we may share
information with other parties in an aggregated or anonymized form that does not
reasonably identify”.
If you access the complementary Privacy Policy for countries, EEA and
United Kingdom of the web www.kcf.es, in the link,
https://www.kfc.es/multimarcas, you can read about the purposes for which
the personal data obtained and the legal basis for that
treatment, the following:
“This EEA and UK Privacy Notice supplements the
information contained in our Privacy Policy and applies only
to natural persons residing in the European Economic Area ("you" and to
the Sites and Services available in the EEA, as well as in the United Kingdom that
link to this Privacy Notice).
Unless expressly stated otherwise, all terms have the
same meaning as that defined in our Privacy Policy or that
is otherwise defined in the General Data Protection Regulation of the
EU 2016/679 of the European Parliament and of the Council (“GDPR”).
Annex 1 sets out in detail the categories of information
information we collect about you and how we use that information
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/50
when you use the Service, as well as the legal basis on which you
we use to process personal information and the recipients of such
information.
In addition, the table in Annex 2 sets out in detail the categories of
personal information we collect about you automatically and how
we use such information. The table also lists the legal basis in the
on which we rely to process personal information and the recipients of
such personal information.
APPENDIX 1
a).- Profile information such as your name, telephone number, date of
birth and profile picture.
a.1. We may use this information to set up and authenticate your account.
in the Service: Processing is necessary to perform a contract with you and
to take steps before entering into a contract with you.
a.2. We may use this information to contact you, including
the sending of communications related to the service: The treatment is
necessary to perform a contract with you.
a.3. We may use this information to send you marketing communications.
marketing in accordance with your preferences: We will only use your
personal information in this way to the extent that you have given us
your consent to do so.
a.4. We may use this information to deal with inquiries and complaints
made by or about you in connection with the Service: The treatment
it is necessary for our legitimate interests, in particular to administer the
Service and communicate with you effectively to respond to your
inquiries or complaints.
b).- Information on payments and transactions, including information on
payments (such as credit or debit card details or account details
banking), and the time, date and value of the transactions.
b.1.- We use this information to facilitate transactions and
provide you with the Service: Processing is necessary to fulfill a contract
with you.
b.2.- We use this information for customer service: The treatment is
necessary to perform a contract with you.
b.3.- We use this information to detect and prevent fraud: The
Processing is necessary for our legitimate interests, in particular the
detection and prevention of fraud.
c).- Location data
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/50
c.1. We use GPS technology to determine your current location in order to
to provide you with relevant content and show where you have made that
content: Processing is necessary for our legitimate interests, in
specifically to administer the Service. We will only use your personal information
in this way to the extent that you have given us your consent
to do it.
d).- Comments, chat and opinions
d.1. When you contact us directly (eg by email
email, phone, postal mail or through an online form or chat
online), we can record your comments and opinions: The treatment is
necessary for our legitimate interests, in particular to respond to your
question or comment, to evaluate and improve our products and services and
to inform about our marketing and advertising.
e).- Information received from third parties, such as social networks. If you interact with the
Service through a social network we can receive information from the network
such as your name, profile information, and any other information that
you allow the social network to share with third parties. The data we receive
they depend on your privacy settings on the social network.
e.1.- We can use this information to authenticate you and allow you to access
to the Service: Processing is necessary to fulfill a contract with you.
e.2.- We can use this information to adapt how it is shown to you (such as
the language in which it is presented to you): The processing is necessary for our
legitimate interests, in particular to adapt the Service to make it more
relevant to our users.
f).- Usage information, such as the time during which you use our
products, your results when you use our products, any
problem experienced when you use our products and any other
Product-generated information about how you use our products.
f.1.- We can use this information to analyze how the Service works,
fix problems with the Service, improve the Service and develop new
products and services: Processing is necessary for our interests
legitimate, in particular to improve our products and services, treat
any errors in our products and services and develop new
products and services.
f.2.- We can use this information to develop new products and
features available through the Service or to improve it in any way
way the Service: Processing is necessary for our interests
legitimate, in particular to develop and improve the Service.
g).- All the personal information indicated above.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/50
g.1.- We can use all the personal information we collect to
operate, maintain and provide you with the features and functionality of the
Service, communicate with you, monitor and improve the Service and the
business, and develop new products and services: Treatment is
necessary for our legitimate interests, in particular to administer and
improve the Service.
APPENDIX 2
a).- Information on how you access the Service and use it. For example, the
frequency with which you access the Service, the time at which you access the Service and
how long you use it for, the approximate location from which you access it
to the Service, if you access the Service from various devices and other actions
yours on the Service.
a.1.- We can use information about how you use and connect to the Service
to present the Service to you on your device: Processing is necessary to
our legitimate interests, in particular to tailor the Service to the user.
a.2.- We can use this information to determine products and Services
that may be of interest for marketing purposes: The treatment is
necessary for our legitimate interests, in particular to report on
our direct marketing
a.3.- We can use this information to monitor and improve the Service and
the business, solve problems and inform the development of new products
and services: Processing is necessary for our legitimate interests, in
specifically to monitor and fix problems with the Service and to improve the
Service in general.
b).- Log files and information about your device. Also
we collect information about the tablet, smartphone or other device
email you use to connect to the Service. This information can
include details about the type of device, unique identification numbers
of the device, operating systems, browsers and applications connected to the
Service through the device, its mobile network, IP address and number of
your device's phone number (if you have one).
b.1.- We can use information about how you use and connect to the Service
to present the Service to you on your device: Processing is necessary to
our legitimate interests, in particular to tailor the Service to the user.
b.2.- We can use this information to determine products and Services
that may be of interest for marketing purposes: The treatment is
necessary for our legitimate interests, in particular to report on
our direct marketing
b.3.- We can use this information to monitor and improve the Service and
the business, prevent and detect fraud, solve problems and report the
development of new products and services: Processing is necessary to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/50
our legitimate interests, in particular to monitor and resolve
problems with the Service and to improve the Service in general.
Second: Regarding the "Privacy Policy" on the website www.kfc.es:
On the web page in question, the information offered to its users,
regarding the processing of your personal data, is offered through the
following documents posted on the web: a) document: "Terms of Use" or "Note
Legal”, https://www.kfc.es/nota-legal; ; b) document: "Privacy Policy",
https://www.kfc.es/privacidad, and c) document: "Privacy Notice",
https://www.kfc.es/multimarcas.
All of them, accessible from the different forms (indicated in the section
above) and through the existing links at the bottom of the main page.
The information offered in the different documents indicated above is
The next:
A).- In the document "Terms of Use" or "Legal Notice" (https://www.kfc.es/nota-legal)
We can find the following information, regarding the treatment of data
personal obtained:
REGISTRATION: "(...) Data protection: We will collect, store and
We will treat your personal information in accordance with our Privacy Policy.
Privacy. Please read our Privacy Policy to make sure
that you are satisfied and understand its content before creating an account.
B).- In the document "Privacy Policy" (https://www.kfc.es/privacidad)
We can find the following information, regarding the treatment of data
information obtained: 1. what type of information they collect 2. how they use the information
personal information they collect 3. what information they collect automatically 4.
how they share the information collected. 5. About the options and control of the
information collected.6. how they store and protect information 7.
jurisdictional disclosures 8. children's privacy 9. links to other websites and
services 10. how to contact the data controller.
C).- In the document "Privacy Notice" (https://www.kfc.es/multimarcas),
We can find, among others, the following information, regarding the treatment
of the personal data obtained:
Regarding the person responsible for the treatment, it is indicated: KFC Restaurants Spain, S.L.
with NIF B86281599 and address at Calle Serrano Galvache (Pq. Empresarial
Pq. Norte), 56 - Edif. Olmo Fifth Floor, Madrid, Madrid. Email:
clientes@kfc.es. Telephone: 91 904 18 81
On the legal basis for the treatment in the EEA and the United Kingdom it is indicated:
The table in Annex 1 sets forth the categories of personal information that
collect, as well as the legal basis and recipients of such information
staff.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 32/50
The table in Annex 2 sets forth the categories of personal information that
collected automatically. The table also lists the legal basis in the
that are based to treat personal information and the recipients of said
personal information.
It informs about the storage and transfer of data.
Information is provided on the individual rights of residents in the EEA: Right to
object. Right of access. Right of rectification. Right of erasure. Also
You have the right to file a claim with your data protection authority.
On the conservation of personal data it is reported: In the case of people
who reside in the EEA we retain personal data for the maximum time
necessary to fulfill the purposes for which we collected the data, such as the
delivery of your order, maintenance of our service, compliance with
our legal obligations and dispute resolution. We will keep your data
personal in accordance with the prescription periods, legal and applicable, of
accordance with the tax and accounting regulations of each EEA country. At the completion of
said terms, or prior to your request, the data will be deleted or
anonymized so that they can already identify you, unless we are legally
authorized or obliged to keep personal data for a longer time.
FUNDAMENTALS OF LAW
YO-
Competence.
In accordance with the powers that article 58.2 of the RGPD grants to each authority of
control and according to what is established in articles 47 and 48.1 of the LOPDGDD, it is
competent to resolve this procedure, the Director of the Spanish Agency for
Data Protection.
Likewise, article 63.2 of the LOPDGDD determines that: "Procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures”.
II.-
a).- On the legality of the processing of personal data obtained on the web
www.kfc.es:
It has been verified that data can be entered on the website www.kfc.es
personal data of its users, through various procedures: a) for the
creation of a user account; b) to register as a job seeker
In the chain; c) to place an online order for your products and d) to receive
offer promotional
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 33/50
Before you can submit the form for any of these procedures with the
personal data it is necessary to have previously provided consent
for data processing, with the possibility of accessing the "Policy of
Privacy” of the web, through the link: “The conditions of Use” “Policy of
Privacy (Generic)” “Privacy notice”, (Exclusive for EEA and United Kingdom).
There is also, in the four indicated forms, the possibility of registering
voluntarily to periodically receive promotional offers from the brand.
As indicated by the entity, the "Data Privacy Policy" is divided
in three documents: a) Terms of use of the website; b) A privacy policy
generic for all countries and c) A specific privacy policy for
countries of the European Economic Area (EEA), United Kingdom and Switzerland.
In the first document, "Terms of use" (https://www.kfc.es/nota-legal), you can
read, regarding the policy of protection of personal data obtained, the following:
"(...) Data protection: We will collect, store and process your
personal information in accordance with our Privacy Policy. Please,
Please read our Privacy Policy to ensure you are satisfied and
understand its content before creating an account (…)”.
If you access the "Privacy Policy" of the website www.kfc.es,
(https://www.kfc.es/privacidad), generic policy for all countries, can be read,
as an introduction:
“KFC® (“KFC”, “we”, “our” or “us”) is committed to protecting your
privacy. This KFC Privacy Policy (this “Policy”) applies to
our websites, online experiences and mobile applications to
mobile devices running Apple iOS, Windows, or Android that are linked to the
Policy (collectively, our “Sites”), and describes how we collect,
we use and disclose your personal information when you visit our Sites or
our restaurants and in-store kiosks, or otherwise interact with
us (collectively, our “Service”).
By accessing or using our Service, you indicate that you have read, understood and
You agree to our collection, storage, use and disclosure of your
personal information as described in this Policy and in our
Terms of use, available on our site.
For more information about the privacy practices of other
companies of Yum Brands, Inc. (“Yum! Brands”) (the “Brands”), please visit: Policy
YUM Brands privacy policy. PIZZA HUT® Privacy Policy. Policy
TACO BELL® Privacy Policy. THE HABIT® Privacy Policy
Well, regarding the purposes to which they will dedicate the personal data
obtained, among others, the following is indicated: "(...)
2. HOW WE USE PERSONAL INFORMATION:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 34/50
(…) We may also use your information to personalize your experience
with us and promote our rewards or loyalty programs.
We also use this information to provide you with the Service in all
our operations, including supporting your in-store experience when
interacts with our franchisee-owned locations (…).
4. HOW WE SHARE YOUR INFORMATION
We may share, sell or disclose your information in cases where
describe below. For more information about your options in
regarding your information, see “Your Choices and Control Over Your
information".
Other Brands: We may share personal information with our company
parent Yum Brands and other Yum Brands companies and our affiliates, which
may use your information in ways similar to those described in this
Policy. (…)
Promotional Partners: We may share limited information with third parties
with whom we partner to provide contests and sweepstakes, or other
joint promotional activities. Typically, these partners
will be clearly identified in the contest rules or in the contest materials.
promotion.
Selected Marketing and Strategic Business Partners: We can
share limited data with our strategic business partners and
preferred marketing partners so they can provide you with information and messages
marketing about products or services that may be of interest to you. This parts
may use your information in accordance with their own privacy policies
privacy.
Online Advertising Partners: We may share information with online advertising partners.
third-party online advertising or allowing these partners to collect information
from you directly on our Sites to facilitate online advertising.
For more information, see our Cookie Policy and
advertisements, available on our Site. (…)
Other cases in which we may share your personal information:
Service Providers and Consultants: Personal information may
shared with third-party vendors and other service providers who
provide services to us or on our behalf. This may include vendors and
distributors who engage in marketing or advertising activities or who
provide postal or electronic mail services, fiscal services and
Accounting, Product Fulfillment, Delivery Services, Processing
payments, data improvement services, fraud prevention, web hosting or
analytical services.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 35/50
In connection with any of the above, we may share
information with other parties in an aggregated or anonymized form that does not
reasonably identify.
If you access the complementary Privacy Policy for countries, EEA and
United Kingdom of the web www.kcf.es, ( https://www.kfc.es/multimarcas ),
You can read about the purposes for which the personal data will be used
obtained and the legal basis for that treatment, the following:
“This EEA and UK Privacy Notice supplements the
information contained in our Privacy Policy and applies only
to natural persons residing in the European Economic Area ("you" and to
the Sites and Services available in the EEA, as well as in the United Kingdom that
link to this Privacy Notice).
Unless expressly stated otherwise, all terms have the
same meaning as that defined in our Privacy Policy or that
is otherwise defined in the General Data Protection Regulation of the
EU 2016/679 of the European Parliament and of the Council (“GDPR”).
The table in Annex 1 sets out in detail the categories of
personal information we collect about you and how we use that information
information when you use the Service, as well as the legal basis on which
we rely on to process personal information and the recipients of such
information.
In addition, the table in Annex 2 sets out in detail the categories of
personal information we collect about you automatically and how
we use such information. The table also lists the legal basis in the
on which we rely to process personal information and the recipients of
such personal information.
APPENDIX 1
a).- Profile information such as your name, telephone number, date of
birth and profile picture.
a.1. We may use this information to set up and authenticate your account.
in the Service: Processing is necessary to perform a contract with you and
to take steps before entering into a contract with you.
a.2. We may use this information to contact you, including
the sending of communications related to the service: The treatment is
necessary to perform a contract with you.
a.3. We may use this information to send you marketing communications.
marketing in accordance with your preferences: We will only use your
personal information in this way to the extent that you have given us
your consent to do so.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 36/50
a.4. We may use this information to deal with inquiries and complaints
made by or about you in connection with the Service: The treatment
it is necessary for our legitimate interests, in particular to administer the
Service and communicate with you effectively to respond to your
inquiries or complaints.
b).- Information on payments and transactions, including information on
payments (such as credit or debit card details or account details
banking), and the time, date and value of the transactions.
b.1.- We use this information to facilitate transactions and
provide you with the Service: Processing is necessary to fulfill a contract
with you.
b.2.- We use this information for customer service: The treatment is
necessary to perform a contract with you.
b.3.- We use this information to detect and prevent fraud: The
Processing is necessary for our legitimate interests, in particular the
detection and prevention of fraud.
c).- Location data
c.1. We use GPS technology to determine your current location in order to
to provide you with relevant content and show where you have made that
content: Processing is necessary for our legitimate interests, in
specifically to administer the Service. We will only use your personal information
in this way to the extent that you have given us your consent
to do it.
d).- Comments, chat and opinions
d.1. When you contact us directly (eg by email
email, phone, postal mail or through an online form or chat
online), we can record your comments and opinions: The treatment is
necessary for our legitimate interests, in particular to respond to your
question or comment, to evaluate and improve our products and services and
to inform about our marketing and advertising.
e).- Information received from third parties, such as social networks. If you interact with the
Service through a social network we can receive information from the network
such as your name, profile information, and any other information that
you allow the social network to share with third parties. The data we receive
they depend on your privacy settings on the social network.
e.1.- We can use this information to authenticate you and allow you to access
to the Service: Processing is necessary to fulfill a contract with you.
e.2.- We can use this information to adapt how it is shown to you (such as
the language in which it is presented to you): The processing is necessary for our
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 37/50
legitimate interests, in particular to adapt the Service to make it more
relevant to our users.
f).- Usage information, such as the time during which you use our
products, your results when you use our products, any
problem experienced when you use our products and any other
Product-generated information about how you use our products.
f.1.- We can use this information to analyze how the Service works,
fix problems with the Service, improve the Service and develop new
products and services: Processing is necessary for our interests
legitimate, in particular to improve our products and services, treat
any errors in our products and services and develop new
products and services.
f.2.- We can use this information to develop new products and
features available through the Service or to improve it in any way
way the Service: Processing is necessary for our interests
legitimate, in particular to develop and improve the Service.
g).- All the personal information indicated above.
g.1.- We can use all the personal information we collect to
operate, maintain and provide you with the features and functionality of the
Service, communicate with you, monitor and improve the Service and the
business, and develop new products and services: Treatment is
necessary for our legitimate interests, in particular to administer and
improve the Service.
APPENDIX 2
a).- Information on how you access the Service and use it. For example, the
frequency with which you access the Service, the time at which you access the Service and
how long you use it for, the approximate location from which you access it
to the Service, if you access the Service from various devices and other actions
yours on the Service.
a.1.- We can use information about how you use and connect to the Service
to present the Service to you on your device: Processing is necessary to
our legitimate interests, in particular to tailor the Service to the user.
a.2.- We can use this information to determine products and Services
that may be of interest for marketing purposes: The treatment is
necessary for our legitimate interests, in particular to report on
our direct marketing
a.3.- We can use this information to monitor and improve the Service and
the business, solve problems and inform the development of new products
and services: Processing is necessary for our legitimate interests, in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 38/50
specifically to monitor and fix problems with the Service and to improve the
Service in general.
b).- Log files and information about your device. Also
we collect information about the tablet, smartphone or other device
email you use to connect to the Service. This information can
include details about the type of device, unique identification numbers
of the device, operating systems, browsers and applications connected to the
Service through the device, its mobile network, IP address and number of
your device's phone number (if you have one).
b.1.- We can use information about how you use and connect to the Service
to present the Service to you on your device: Processing is necessary to
our legitimate interests, in particular to tailor the Service to the user.
b.2.- We can use this information to determine products and Services
that may be of interest for marketing purposes: The treatment is
necessary for our legitimate interests, in particular to report on
our direct marketing
b.3.- We can use this information to monitor and improve the Service and
the business, prevent and detect fraud, solve problems and report the
development of new products and services: Processing is necessary to
our legitimate interests, in particular to monitor and resolve
problems with the Service and improve the Service in general
In the present case, given that in the "Privacy Policy" of the website www.k-
fc.es describes some purposes for the processing of personal data and mentions
the basis of legitimacy of each one of them, the treatment of the data for these fi-
purposes would not be further treatment.
On the other hand, it must be taken into account that the defendant entity, in its allegations
states the following: "The purposes indicated in the privacy policy on which
that the sanction is proposed describe potential situations and do not imply that they are
effectively carried out, or are carried out in a completely lawful manner
how it will be exhibited; and most importantly, such subsequent treatments by which
proposes a sanction are not included in the Record of Treatment Activities
already contributed to the AEPD…”
Therefore, in the present case, according to the evidence set forth in this
moment, it is considered that the description of the purposes of data processing
personal data together with the basis of legitimacy of each one of them, does not correspond
with a subsequent treatment so that it does not contradict what is stipulated in the article
6.1 of the GDPR, without implying an assessment of the adequacy of the legitimate basis.
tion that includes the privacy policy for each of the different treatments to the
not constitute the object of this procedure.
III.-
a.- Regarding the "Privacy Policy" on the website www.kfc.es:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 39/50
As it has been possible to verify, on the web page in question, the information that is
offers to the users of the same, with respect to the treatment of their data
personal, is offered through the following documents posted on the web: a)
document: “Terms of Use” or “Legal Notice”, https://www.kfc.es/nota-legal; ; b)
document: "Privacy Policy", https://www.kfc.es/privacidad, and c) document:
"Privacy Notice", https://www.kfc.es/multimarcas. All of them, accessible from
the different forms (indicated in the previous section) and through the links
existing at the bottom of the main page.
The information offered in the different documents indicated above is
The next:
A).- In the document "Terms of Use" or "Legal Notice" (https://www.kfc.es/nota-legal)
We can find the following information, regarding the treatment of data
personal obtained:
REGISTRATION: "(...) Data protection: We will collect, store and
We will treat your personal information in accordance with our Privacy Policy.
Privacy. Please read our Privacy Policy to make sure
that you are satisfied and understand its content before creating an account.
B).- In the document "Privacy Policy" (https://www.kfc.es/privacidad)
We can find the following information, regarding the treatment of data
information obtained: 1. what type of information they collect 2. how they use the information
personal information they collect 3. what information they collect automatically 4.
how they share the information collected. 5. About the options and control of the
information collected.6. how they store and protect information 7.
jurisdictional disclosures 8. children's privacy 9. links to other websites and
services 10. how to contact the data controller.
C).- In the document "Privacy Notice" (https://www.kfc.es/multimarcas),
We can find, among others, the following information, regarding the treatment
of the personal data obtained:
Regarding the person responsible for the treatment, it is indicated:
KFC Restaurants Spain, S.L. with NIF B86281599 and address at Calle Serrano
Galvache (Business Pq. North Pq.), 56 - Edif. Olmo Fifth Floor, Madrid,
Madrid. Email: clientes@kfc.es. Telephone: 91 904 18 81
On the legal basis for the treatment in the EEA and the United Kingdom it is indicated:
The table in Annex 1 sets forth the categories of personal information that
collect, as well as the legal basis and recipients of such information
staff. The table in Annex 2 shows the categories of information
staff that collect automatically. The table also lists the base
legal basis on which they rely to process personal information and
recipients of such personal information.
It informs about the storage and transfer of data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 40/50
Information is provided on the individual rights of residents in the EEA: Right to
object. Right of access. Right of rectification. Right of erasure. Also
You have the right to file a claim with your data protection authority.
On the conservation of personal data it is reported: In the case of people
who reside in the EEA we retain personal data for the maximum time
necessary to fulfill the purposes for which we collected the data, such as the
delivery of your order, maintenance of our service, compliance with
our legal obligations and dispute resolution. We will keep your data
personal in accordance with the prescription periods, legal and applicable, of
accordance with the tax and accounting regulations of each EEA country. At the completion of
said terms, or prior to your request, the data will be deleted or
anonymized so that they can already identify you, unless we are legally
authorized or obliged to keep personal data for a longer time.
In the present case, we must also take into account that, in the policy of
privacy of the website www.kfc.es does not offer precise information on the
purposes of data processing, when using indefinite expressions such as "we can
use...", without the claimant having proven the reason for which it was made.
necessary to use them, as required by the Guidelines on the
transparency under Regulation (EU) 2016/679 of GT29, last revised
time and adopted on April 11, 2018, and where the following is established:
“13. The use of qualifiers such as "may", "could",
“some”, “often” and “possible”. When those responsible for
treatment choose to use undefined language, they must be able to demonstrate,
according to the principle of proactive responsibility, why it could not be avoided
use this language and why it does not undermine treatment loyalty. (…)”
III.-
b).- Classification and classification of the offense
Regarding the information that the data controller must provide to the
interested when they are obtained from it,
Recital 60) of the GDPR indicates:
"The principles of fair and transparent treatment require that the
concerned of the existence of the processing operation and its purposes. He
responsible for the treatment must provide the interested party with all the information
supplementary information is necessary to guarantee fair treatment and
transparent, taking into account the specific circumstances and context in
personal data is processed. The interested party must also be informed of
the existence of profiling and the consequences of such profiling
elaboration. If the personal data is obtained from the data subjects, also
they must be informed of whether they are obliged to provide them and of the consequences
in case they didn't. Such information may be transmitted in
combination with some standardized icons that offer, easily
visible, intelligible and clearly legible, an adequate overview of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 41/50
planned treatment. Icons presented in electronic format
They must be machine readable.
Recital 61) of the GDPR indicates the following:
"Stakeholders must be provided with information on the treatment of their
personal data at the time it is obtained from them or, if obtained
from another source, within a reasonable time, depending on the circumstances of the
case. If the personal data can be legitimately communicated to another
addressee, the interested party must be informed at the time the
communicated to the recipient for the first time. The data controller who
plans to process the data for a purpose other than that for which they were collected
must provide the data subject, prior to such further processing,
information about that other purpose and other necessary information. when the origin
of personal data cannot be provided to the interested party because it has been used
various sources, general information should be provided.
For its part, article 13 of the GDPR details the information that must be provided to the
interested when his personal data is obtained directly from him,
establishing the following:
"1. When personal data relating to him or her is obtained from an interested party, the
responsible for the treatment, at the time they are obtained,
will provide: a) the identity and contact details of the person in charge and, where appropriate,
of his representative; b) the contact details of the data protection officer
data, if applicable; c) the purposes of the processing for which the data is intended
personal data and the legal basis of the treatment; d) when the treatment is based
in article 6, paragraph 1, letter f), the legitimate interests of the controller or
a third; e) the recipients or categories of recipients of the data
personal, if applicable; f) where appropriate, the intention of the person responsible for transferring
personal data to a third country or international organization and the existence or
absence of an adequacy decision from the Commission, or, in the case of
transfers indicated in Articles 46 or 47 or Article 49(1),
second paragraph, reference to the adequate or appropriate guarantees and the
means to obtain a copy of these or the fact that they have been provided.
2. In addition to the information mentioned in section 1, the person responsible for the
processing will provide the interested party, at the time the data is obtained
personal data, the following information necessary to guarantee a
fair and transparent data processing:
a) the period during which the personal data will be kept or, when not
where possible, the criteria used to determine this term; b) the existence
of the right to request access to the data from the data controller
personal information relating to the interested party, and its rectification or deletion, or the limitation
of their treatment, or to oppose the treatment, as well as the right to
data portability; c) when the treatment is based on article 6,
paragraph 1(a) or Article 9(2)(a), the existence of the
right to withdraw consent at any time, without affecting
the legality of the treatment based on the consent prior to its withdrawal; of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 42/50
right to file a claim with a control authority; e) if the
communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to
provide personal data and is informed of the possible consequences
not to provide such data; f) the existence of automated decisions,
including profiling, referred to in article 22, paragraphs 1 and
4, and, at least in such cases, meaningful information about the applied logic,
as well as the importance and expected consequences of said treatment
for the interested party”.
Well, according to section c) of article 13.1 GDPR, users must be informed
users of the purposes of the treatment to which their personal data will be used and the
applicable legal basis for this (art. 6 GDPR), avoiding practices such as including
purposes that are too generic or unspecific, which may lead to treatments
that exceed the reasonable expectations of the interested party.
If we access the "Privacy Policy" of the website, www.kfc.es
(https://www.kfc.es/privacidad) we can read, regarding the purposes for which
The personal data obtained will be used, among others, for the following:
“(…) personalize your experience with us and promote our programs
of rewards or loyalty (…)”,
“(…) share, sell or disclose your information with: Other Brands: We can
share personal information with our parent company: Yum Brands and
other Yum Brands companies and our affiliates, who may use your
information in a manner similar to that described in this Policy.
Or, for example, when the entity states that it may share personal data
obtained with its external suppliers. Stated this, in a generic way and
abstract, without identifying the providers or the legal basis on which it is based:
“(…) to share with external providers (…).
Based on the legal grounds set forth above, the facts indicated
in the previous section are constitutive of an infringement of article 13 GDPR.
III.-
c.- Penalty imposed
This infraction can be sanctioned with a fine of a maximum of €20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for the
of greater amount, in accordance with article 83.5.b) of the GDPR.
In this sense, article 74.a) of the LOPDGDD, considers light, for the purposes of
prescription, "Breach of the principle of transparency of information or the
right to information of the affected party for not providing all the information required by the
articles 13 and 14 of Regulation (EU) 2016/679”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 43/50
The balance of the circumstances contemplated, with respect to the infraction committed,
by violating the provisions of article 13 of the GDPR, it allows an initial sanction to be set
of 5,000 euros (five thousand euros).
III.-
d.- Measurements
In accordance with article 58.2 of the GDPR, the corrective measure to be imposed on the owner
of the web page consists of taking the necessary measures to adapt the page
website of its ownership (www.kfc.es) to current regulations, adapting it to what is stipulated
in article 13 of the GDPR.
It is noted that not meeting the requirements of this body may be
considered as an administrative offense in accordance with the provisions of the GDPR,
classified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the
opening of a subsequent administrative sanctioning procedure.
IV.-
a.- On the non-existence of a Data Protection Officer.
When this Agency requested information from the KFC entity about the analyzes
carried out to assess the need to appoint or not, a DPO, the entity answered the
following:
"(...) In this regard, from KFC it has been understood that there is no obligation
of appointment of the DPO, because the activities of the treatment
carried out are not limited to those of article 37 GDPR nor is the entity located
among those required in article 34 LOPDGDD.
In the same way, compliance management in terms of data protection
It has been exercised by internal personnel specialized in data protection,
in particular, from the UK, through B.B.B., Global Privacy Lead CounselHead
and the consultancy of external experts in each of the countries from which
it is operated.
However, and as previously indicated to this Agency, internally
the need for its designation will be periodically evaluated,
depending on possible operational changes as well as the start of new
branches of business that may involve the incorporation of new activities
of the treatment, in order to offer greater guarantees of compliance
to our clients and users regarding the activities and procedures in
the processing of personal data, in particular, if the activities of the
processing that included profiling (...)”.
IV.-
b).- Classification and classification of the offense
Regarding the need or not to appoint a Data Protection Officer, the
article 37 GDPR, determines the following:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 44/50
"1. The person in charge and the person in charge of the treatment will designate a delegate of
data protection provided that: a) the treatment is carried out by a
public authority or body, except courts acting in exercise
of its judicial function; b) the main activities of the controller or the
processor consist of processing operations which, due to their
nature, scope and/or purposes, require regular and systematic observation
of large-scale stakeholders, c) the main activities of the controller or
of the processor consist of the large-scale treatment of categories
of personal data pursuant to Article 9 and of data relating to
convictions and criminal offenses referred to in article 10”.
In this case at hand, the case of application would be 37.1.b) of the GDPR,
where three elements must be examined: "main activity", the "observation
habitual and systematic” and “large scale”.
It is true that these are indeterminate legal concepts, but this has gone
profiling through the different opinions and opinions of the Working Group of the
Article 29:
Regarding what is a main activity, WP-243 (Guidelines for delegates of
data protection -DPD) establishes that:
"Article 37, paragraph 1, letters b) and c) of the GDPR refers to the" activities
principals of the person in charge or of the person in charge" and thus we have how, the
recital 97 GDPR, specifies that the main activities of a
responsible are related to "its primary activities and are not
related to the processing of personal data as activities
auxiliaries».
The “principal activities” can be considered the key operations required
to achieve the objectives of the controller or processor. Nevertheless,
the “main activities” should not be interpreted as exclusive when the
data processing is an inseparable part of the activity of the controller or
treatment manager.
For example, the main activity of a hospital is to provide health care. Without
However, a hospital would not be able to provide health care safely and effectively.
without treating data related to health, such as medical records of patients. By
Therefore, the processing of such data should be considered one of the activities
principals of any hospital and hospitals must accordingly designate a
dpd.
Another example would be that of a private security company that carries out the
surveillance of a series of private shopping centers and public spaces. The
Surveillance is the main activity, which in turn is inextricably linked to the
processing of personal data. Therefore, this company must also designate a
dpd.
On the other hand, all organizations carry out certain activities, for
For example, pay your employees or perform ordinary IT support activities.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 45/50
Such activities are examples of support functions required for the activity or
the main business of the organization. Although these activities are necessary or
essential, they are normally considered auxiliary functions and not the activity
major".
The second issue is habitual and systematic observance, which WP 243
determines that it is “not limited to the online environment and online monitoring must be
considered only an example of observing the behavior of data subjects.
The Article 29 Working Group interprets “usual” with one or more of the
following meanings: a). continuous or occurs at specific intervals during
a specific period; b). recurring or repeated at predetermined moments or that has
place constantly or periodically.
The Working Group interprets “systematic” as one or more of the following
meanings: a). that it is produced according to a system; b). preset,
organized or methodical; c). that takes place as part of an overall collection plan
of data; d). carried out as part of a strategy.
As an example, he cites data-driven marketing activities, carrying out
location tracking, for example, through mobile applications,
loyalty programs or behavioral advertising.
Thus, in the case examined, it complies with the criterion of habitual and in accordance with a plan
data collection to obtain customer data and increase your area of
business. You just have to take a look at their privacy policy, in which they show
that collect data of all kinds, including the IP address (a key point of
location), browsing history and user preferences, data derived
of cookies, among which there are some tracking cookies, geolocation data
or billing information, among others.
And they collect them on a regular basis, since they need them to provide their services and to
improve the performance of your business.
Among other things, they indicate in the privacy policy that the data is used for
statistics and services.
Thirdly, it will be necessary to determine if it is on a large scale, on what WP 243 establishes
certain criteria “recommends that the following factors be taken into account, in
In particular, when determining whether the treatment is carried out on a large scale: a). he
number of affected stakeholders, either as a specific number or as a proportion of the
corresponding population; b). the volume of data or the variety of data elements
data that is subject to treatment; c) the duration, or permanence, of the activity of
data treatment; d). the geographic scope of the processing activity.
And he indicates as some large-scale example "the treatment of geolocation data
in real time of customers of an international fast food chain for
statistics by a data controller specialized in providing
of these services; The treatment of customer data in the normal development of the
activity of an insurance company or a bank”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 46/50
The CEPD does not determine in any case what a large scale is, but sticks to the
referenced criteria. This is stated in other documents: “The GDPR
does not precisely define what constitutes large-scale. In the WP29 guidelines on Data
Protection Officer (WP243) and on DPIA (WP248), both endorsed by Board, it has
recommended to take into account several specific factors when determining whether a
processing is carried out on a large scale. The Board is of the opinion that those
factors are sufficient to assess whether the processing of personal data is undertaken
on a large scale. Therefore, the Board requests the Supervisory Authority of the Czech
Republic to amend its list accordingly, by deleting the explicit figures in its list, and
making reference to the previously mentioned definitions of large scale”, Opinion
4/2018 on the draft list of the competent supervisory authority of Czech Republic
regarding the processing operations subject to the requirement of a data protection
impact assessment (Article 35.4 GDPR)”.
We must complete it with recital 91 of the GDPR that establishes, in terms of the
data protection impact assessments, which:
"The foregoing must be applied, in particular, to processing operations to
large scale that seek to process a considerable amount of data
regional, national or supranational level and that could affect
a large number of stakeholders and are likely to carry a high risk, e.g.
example, due to its sensitivity, when, depending on the level of
technical knowledge achieved, a new technology has been used to
large-scale and other high-risk processing operations
for the rights and freedoms of the interested parties, in particular when these
operations makes it more difficult for the interested parties to exercise their rights.
…”.
Large-scale processing means processing a considerable amount of data
personal information (all those mentioned in its privacy policy) in a certain area
territorial (in this case at the national level); affecting multiple stakeholders (it is about
an app widely implemented and with a large number of stakeholders); also if
They can involve high risk (one of the data they use is geolocation).
Examining the explicit parameters to the concrete assumption, obviously makes a
large-scale data processing.
The Confederation of European Data Protection Organizations (CEDPO) determines
also a series of common interpretative criteria (they are not binding or a
normative provision) and indicate, in what could serve us that:
“Core activities” must be built in accordance with the description of the
corporate purpose of the organization and the P&L revenues; “Large scale”
should be understood according to a risk-based approach (rather than using
criteria such as number of employees or the “volume” of personal data
processed in a certain period of time alone); “Monitoring of behaviour” shall
exclude the IT monitoring activities that any organization nowadays must carry
out for the purposes of (i) (cyber) security; (ii) protecting the organization's
systems and assets (including IP and confidential information as well as the
personal data stored or otherwise processed by the organization); and (iii)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 47/50
complying with laws and regulatory guidance (e.g., data protection duties, anti-
fraud and anti-money laundering related activities)”.
In view of the allegations made in the lawsuit regarding the criteria
quantitative data that can be used by other supervisory authorities to determine when
we face a large-scale treatment, we have to mean that the AEPD is
an independent supervisory authority which, in the performance of its duties,
determines in each specific case whether or not the treatment is on a large scale, taking into account
the concurrent circumstances.
In another order of things, we will indicate that the mandatory appointment of the DPO in the
case provided for in art. 37.1.b) of the GDPR is only linked to the
compliance with the budgets established therein and not to others reported by the
applicant what are the types of data or processing. The fact of
that the main activities of the controller or processor consist of
processing operations that, due to their nature, scope and/or purposes, require
a regular and systematic observation of stakeholders on a large scale already imposes the
need to appoint a DPD, due to the risks involved, especially if it is
develops through the internet or an app as in the case examined.
The figure of the DPD as a qualified adviser to the person in charge or in charge of the
treatment is an essential reinforcement in the cases provided for in the GDPR and in
the LOPDGDD to guarantee the Fundamental Right to citizens and avoid the
materialization of the risks that a certain activity may entail.
Let's just think about identity theft (art. 28.2 of the LOPDGDD).
The trifle of risk is therefore ruled out.
In any case, not having a DPD when it is mandatory is a risk for the protection of
Personal data.
In this sense, the LOPDGDD determines in its article 34.1 and 3, on the designation
of a data protection delegate, the following:
1. "Those responsible and in charge of the treatment must designate a delegate of
data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679
3. Those responsible and in charge of the treatment will communicate within ten
days to the Spanish Data Protection Agency or, where appropriate, to the authorities
data protection, the designations, appointments and cessations of
the data protection delegates both in the cases in which they are
bound to their designation as in the case in which it is voluntary.”
Based on the legal grounds set forth above, the facts indicated
in the previous section are constitutive of an infringement of article 37 of the GDPR.
IV.-
c.- Penalty
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 48/50
This infraction can be sanctioned with a fine of a maximum of €10,000,000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for the
of greater amount, in accordance with article 83.4.a) RGPD.
In this sense, article 73 LOPDGDD, considers serious, for prescription purposes,
"v) Failure to comply with the obligation to designate a data protection officer
when their appointment is required in accordance with article 37 of the Regulations
(UE) 2016/679 and article 34 of this organic law."
In accordance with the precepts indicated, for the purpose of setting the amount of the sanction to
imposed in the present case, it is considered appropriate to graduate the sanction to be imposed
in accordance with the following aggravating criteria established in article 83.2 of the
GDPR:
- The intention of the infringement, by KFC, (section b), based on
that it is an entity whose activity involves a continuous
treatment of personal data of clients, it is considered of special
It is important to remember at this point, the SAN of October 17, 2007 (rec.
63/2006), where it is indicated that: “…the Supreme Court has understood that
recklessness exists whenever a legal duty of care is neglected, that is
that is, when the offender does not behave with the required diligence. And in the
assessment of the degree of diligence, special consideration must be given to the
professionalism or not of the subject, and there is no doubt that, in the case now
examined, when the appellant's activity is constant and abundant
handling of personal data must insist on rigor and exquisite
be careful to comply with the legal provisions in this regard".
It is also considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following aggravating criteria, established in article 76.2 of the LOPDGDD:
- The linking of the activity of the offender with the performance of treatment of
personal data, (section b), considering the level of implementation of the
entity KFC in the economy of the country, in which data are involved
personal data of thousands of customers who access their services daily.
The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2
LOPDGDD, with respect to the offense committed by violating the provisions of the
Article 37.1 GDPR, allows a penalty of 20,000 euros (twenty thousand euros) to be set.
IV.-
Measures.
This Agency agrees to impose on the controller the adoption of appropriate measures
to adjust its performance to the regulations mentioned in this act, in accordance with the
established in the aforementioned article 58.2 d) of the GDPR, the corrective measure to be imposed on the
The owner of the website consists in the name of the Data Protection Officer,
as stipulated in article 37 of the GDPR.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 49/50
It is noted that not meeting the requirements of this body may be
considered as an administrative offense in accordance with the provisions of the GDPR,
classified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the
opening of a subsequent administrative sanctioning procedure.
Therefore, in accordance with the applicable legislation, the Director of the Agency
Spanish Data Protection
RESOLVES
FIRST: PROCEED TO THE ARCHIVE of the present actions to the entity, KFC
RESTAURANTS SPAIN, S.L., (KFC) with CIF.: B86281599, owner of the website,
https://www.kfc.es regarding article 6.1 of the GDPR.
SECOND: IMPOSE the entity, KFC RESTAURANTS SPAIN, S.L., (KFC) with
CIF.: B86281599, owner of the website, https://www.kfc.es in accordance with the
provided in articles 63 and 64 of the LPACAP, for the violation of article 37 of the
GDPR, due to the lack of appointment of a Data Protection Officer, a
penalty of 20,000 euros (twenty thousand euros).
THIRD: IMPOSE the entity, KFC RESTAURANTS SPAIN, S.L., (KFC) with
CIF.: B86281599, owner of the website, https://www.kfc.es in accordance with the
provided in articles 63 and 64 of the LPACAP, for the violation of article 13 of the
GDPR, due to the lack of information provided in the "Privacy Policy" on the
treatment of personal data obtained, with a penalty of 5,000 (five thousand
euro).
FOURTH: ORDER the entity KFC RESTAURANTS SPAIN, S.L., to implement,
within a month, the necessary corrective measures to adapt its performance
to the personal data protection regulations, as well as to inform this
Agency in the same term on the measures adopted, appointing a Delegate of
Data Protection, as stipulated in article 37 of the GDPR.
FIFTH: TO ORDER the entity KFC RESTAURANTS SPAIN, S.L., to implement, in
within a month, the necessary corrective measures to adapt its action to the
personal data protection regulations, as well as to inform this Agency in
the same term on the measures adopted, adapting the "Privacy Policy" of
its website www.kfc.es to the provisions of article 13 of the GDPR.
SIXTH: NOTIFY this resolution to the entity KFC RESTAURANTS SPAIN,
S.L., (KFC) with CIF.: B86281599,
Warn the penalized party that the sanction imposed must make it effective once it is
enforce this resolution, in accordance with the provisions of article 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations, within the voluntary payment term indicated in article 68 of the
General Collection Regulations, approved by Royal Decree 939/2005, of 29
July, in relation to art. 62 of Law 58/2003, of December 17, through its
Income in the restricted account No. ES00 0000 0000 0000 0000, opened in the name of
the Spanish Data Protection Agency in the bank CAIXABANK, S.A.
or otherwise, it will be collected in the executive period.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 50/50
Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative procedure (article 48.6 of the
LOPDGDD), and in accordance with the provisions of articles 112 and 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations, interested parties may optionally file
appeal for reversal by the Director of the Spanish Agency for Data Protection in
within one month from the day following the notification of this resolution
or directly contentious-administrative appeal before the Contentious-
of the National Court, in accordance with the provisions of article 25 and
in section 5 of the fourth additional provision of Law 29/1998, of July 13,
of the Contentious-Administrative Jurisdiction, within a period of two months from
count from the day following the notification of this act, as provided in the
Article 46.1 of the aforementioned legal text.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015,
of October 1, of the Common Administrative Procedure of the Administrations
Public, the firm resolution may be temporarily suspended in administrative proceedings if
The interested party declares his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.
Mar Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
