KFC, the well-known fast-food restaurant chain, has been fined €25,000 by the Spanish supervisory authority (AEPD) for failing to comply with data protection regulations. The AEPD’s decision is based on the finding that KFC failed to appoint a data protection officer (DPO) and on the discovery of certain data protection-related breaches.
The DPO is the person responsible for monitoring an organisation’s compliance with data protection legislation. The obligation to appoint a DPO was introduced by the General Data Protection Regulation (GDPR) in 2018. The GDPR requires organisations that process personal data on a large scale to appoint a DPO within their organisation.
In the case of KFC, the AEPD found that the company had not complied with its obligation to appoint a DPO, in breach of Article 37 of the GDPR. In addition, it found a lack of adequate data protection measures, in breach of Article 32 of the GDPR.
The fine imposed on KFC is intended to highlight the importance of complying with data protection legislation and the need to implement appropriate security measures. The AEPD’s decision serves as a warning to other companies to strictly comply with the GDPR and invest in appropriate safeguards to avoid similar legal consequences.
In response to the AEPD’s decision, KFC said it has already taken steps to appoint a DPO and to implement improved data security measures. The company has also pledged to continue improving its data protection practices.