The Polish Data Protection Authority (UODO) recently issued a GDPR fine of over €3.8 million to McDonald’s Poland, along with additional penalties for its processor, 24/7 Communication Sp. The enforcement action offers a sharp reminder that outsourcing data processing does not outsource accountability.
At the heart of this breach was a fundamental failure of due diligence and oversight in the controller–processor relationship, a mistake with serious legal and financial consequences.
What happened?
McDonald’s Poland entrusted sensitive employee data, including names, PESEL numbers (Polish national ID), passport details, job roles and shift information, to 24/7 Communication, a third party responsible for managing an employee scheduling module.
Due to misconfigured servers and a lack of basic security controls, this data was exposed on a publicly accessible server. The breach affected employees of both McDonald’s corporate-owned and franchise restaurants.
While the organisations had signed a data processing agreement (DPA), the agreement alone wasn’t enough to satisfy the GDPR’s stringent requirements for accountability and security. The supervisory authority found multiple serious violations by both parties.
What were the GDPR violations?
The UODO investigation uncovered numerous failings that led to the fines, including:
Lack of due diligence on the processor
McDonald’s did not adequately verify 24/7 Communication’s capacity to safeguard personal data, instead relying on their previous relationship. GDPR requires that controllers only engage processors providing sufficient guarantees of GDPR compliance, particularly when it comes to technical and organisational measures.
Failure to implement adequate security measures
Neither the controller nor the processor conducted a risk assessment. Both failed to implement or maintain suitable technical and organisational measures to protect sensitive data. The scheduling module lacked a proper administration interface, and the system was misconfigured in ways that exposed entire databases online.
Unlawful subprocessing
24/7 Communication used an unapproved sub-processor without notifying or securing consent from McDonald’s. A subcontracting agreement was only signed after the breach, a clear violation of GDPR requirements for sub-processing arrangements.
Failure to involve the data protection officer (DPO)
McDonald’s failed to involve its DPO in the processor selection or risk analysis process, excluding a key internal safeguard that might have prevented the breach.
Violation of the data minimisation principle
The system collected and processed excessive personal data, such as PESEL and passport numbers, despite these not being necessary for shift scheduling. These high-risk identifiers were only replaced with internal IDs after the breach.
Improper breach notification
While McDonald’s notified affected individuals, former employees were only informed through press releases. The UODO said this was insufficient, as GDPR requires direct communication when a breach poses a high risk to individuals’ rights and freedoms.
Key takeaways
This case highlights a fundamental principle of GDPR: The controller is always accountable. Signing a DPA is not enough. Here’s what businesses must do to avoid similar enforcement actions:
1. Conduct thorough processor due diligence
Verify a processor’s GDPR compliance before engagement. This includes examining security certifications, reviewing data protection policies, testing systems, and involving IT/security teams in the selection process, not just procurement or marketing departments.
2. Maintain oversight throughout the relationship
GDPR compliance isn’t a one-time check. It’s a continuous obligation. Ensure audit rights in the DPA are exercised, and require regular updates on risk assessments, technical safeguards, and any sub-processing arrangements.
3. Minimise data collected and shared
Only collect and share the minimum data necessary for the processing purpose. Replace national ID numbers or passport details with anonymised or internal identifiers wherever possible.
4. Involve your DPO early and often
The DPO is a critical resource in risk-based decision-making. They should be consulted in vendor onboarding, DPIAs and whenever new processing activities are introduced.
5. Establish strong incident response and notification protocols
Ensure that breach notifications are timely, complete and directly communicated to all affected individuals, including former employees. Relying on public statements is not sufficient under GDPR.
This case is more than just a headline. It’s actually a wake-up call and a reminder that data protection is not just a legal obligation but also a trust-based imperative. As such, it requires diligence, transparency and continuous oversight. Controllers cannot delegate their GDPR responsibilities to processors and hope for the best. The cost of doing so is now measured in millions of euros, reputational damage and loss of public trust.
The global reach of GDPR means that any company or firm that offers goods or services in the EU is required to comply. Our training will ensure that you can do that. Our EU GDPR courses include an in-browser editing tool that lets you customise the courses to reflect your information security challenges and best practices. Try them here.
Our GDPR policy template can help ensure that everyone in your company is fully aware of what they have to do to preserve data protection. Get it here.