
Mars Supply Privacy Policy: 4 Critical Legal Risks & How to Fix Them

Our analysis of Mars Supply's Privacy Policy reveals 4 critical legal and compliance risks, including GDPR transfer issues and ambiguous data retention. Learn actionable solutions to avoid fines and litigation.

## When Privacy Policies Cost Millions: Mars Supply’s Legal Risks Uncovered

Imagine a single privacy policy oversight leading to a €20 million GDPR fine or a class-action lawsuit costing hundreds of thousands in legal fees. Our analysis of Mars Supply’s Privacy Policy reveals four critical legal and logical risks that could expose the company to severe financial and regulatory penalties. Here’s what every business should learn from these findings.

### 1. Ambiguous Data Retention Policy: A GDPR Time Bomb

Mars Supply’s policy states that data is stored "no longer than necessary," but fails to define specific retention periods or criteria. This ambiguity can trigger regulatory scrutiny and fines under GDPR Article 5(1)(e), which mandates clear retention limits. Without precise timelines, Mars Supply faces potential penalties of up to 4% of annual global turnover or €20 million, whichever is higher.

Legal Analysis (risk: high)

Removed: "The data we collect from you will be stored for no longer than necessary. The length of time we retain said information will be determined based upon the following criteria: the length of time your personal information remains relevant; the length of time it is reasonable to keep records to demonstrate that we have fulfilled our duties and obligations; any limitation periods within which claims might be made; any retention periods prescribed by law or recommended by regulators, professional bodies or associations; the type of contract we have with you, the existence of your consent, and our legitimate interest in keeping such information as stated in this Policy."

Added: "The data we collect from you will be stored for no longer than necessary. The length of time we retain said information will be determined based upon the specific periods outlined below, unless a longer retention period is required by law or recommended by regulators, professional bodies or associations: (a) Customer account information: 7 years after account closure; (b) Transactional data: 7 years from transaction date; (c) Marketing data: 2 years from last interaction. These periods are reviewed annually and updated to ensure compliance with applicable laws and regulations."

Legal Explanation

The original clause is ambiguous and does not provide concrete retention periods, violating GDPR Article 5(1)(e). The revision introduces specific timelines and review mechanisms, reducing regulatory risk and improving enforceability.

### 2. Inadequate Cross-Border Data Transfer Safeguards

The policy references the now-defunct Privacy Shield for EU-US data transfers. Since the Privacy Shield’s invalidation by the Schrems II decision (CJEU, July 2020), reliance on it exposes Mars Supply to immediate GDPR non-compliance. This gap could result in data transfer bans and multi-million euro fines.

Legal Analysis (risk: critical)

Removed: "If you provide information to us, the information will be transferred out of the European Union (EU) and sent to the United States. (The adequacy decision on the EU-US Privacy Shield became operational on August 1, 2016. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. It allows the free transfer of data to companies that are certified in the US under the Privacy Shield framework.) By providing personal information to us, you are consenting to its storage and use as described in this Policy."

Added: "If you provide information to us, the information may be transferred out of the European Union (EU) and sent to the United States. We ensure all such transfers comply with current EU-US data protection laws, including the use of Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms as required by the GDPR. The Privacy Shield framework is no longer relied upon for data transfers. By providing personal information to us, you are consenting to its storage and use as described in this Policy."

Legal Explanation

The original clause references the invalidated Privacy Shield, exposing the company to GDPR non-compliance. The revision aligns with current legal requirements, referencing SCCs and lawful transfer mechanisms, thus reducing regulatory risk.

### 3. Overbroad Consent for Data Collection

The policy allows Mars Supply to collect and use personal information "as we deem necessary," lacking specificity and lawful basis. GDPR and CCPA require explicit, purpose-limited consent. Overbroad language increases litigation risk and undermines enforceability, potentially leading to regulatory action and costly settlements.

Legal Analysis (risk: high)

Removed: "We may collect and use your personal information as we deem necessary for business purposes."

Added: "We may collect and use your personal information solely for the specific purposes outlined in this Policy, in accordance with applicable privacy laws including GDPR and CCPA, and only with appropriate legal basis such as consent or legitimate business interest."

Legal Explanation

The original clause is overly broad and fails to meet privacy law requirements for specific, lawful purposes. The revision provides clear limitations, regulatory compliance, and establishes proper legal basis for data processing.

### 4. Vague User Notification of Policy Changes

Mars Supply reserves the right to change its policy at any time, advising users merely to "frequently visit this page." This fails to meet legal standards for clear, proactive notification, especially under GDPR and US consumer protection laws. Insufficient notice can invalidate consent and expose the company to class-action lawsuits and regulatory penalties.

Legal Analysis (risk: medium)

Removed: "We reserve the right to make changes to this Policy at any given time. If you want to make sure that you are up to date with the latest changes, we advise you to frequently visit this page."

Added: "We will notify users of any material changes to this Policy by email or other direct communication at least 30 days before the changes take effect, in accordance with applicable privacy laws. Continued use of our services after notification constitutes acceptance of the updated Policy."

Legal Explanation

The original clause places the burden of monitoring changes on users, which does not meet legal standards for proactive notification. The revision ensures users are directly informed, supporting enforceability and compliance.

---

## Key Takeaways & Business Implications

Our examination shows that ambiguous language and outdated compliance references in privacy policies can expose companies to regulatory fines, litigation, and reputational damage. Proactive redlining and legal review can prevent multi-million dollar losses and ensure enforceability.

Are your privacy policies exposing you to hidden liabilities? How often do you review your compliance with evolving regulations? What would a single GDPR investigation mean for your business?

---

This analysis is for educational purposes only and does not constitute legal advice. For actual legal guidance, consult with a licensed attorney. This assessment is based on publicly available information and professional legal analysis. See erayaha.ai’s terms of service for liability limitations.