McDonald’s in Poland Fined €3.6 million for Employee Data Exposure and Security Failures
The President of the Polish Data Protection Authority (UODO), Mirosław Wróblewski, imposed fines totaling approximately €3.6 million on McDonald’s Polska Sp. z o.o. and €39,000 on 24/7 Communication Sp. z o.o. for multiple violations of data protection regulations. Additionally, McDonald’s received a formal reprimand. The case involved the outsourcing of employee data processing to an external company for managing work schedules, which resulted in personal data being exposed in a publicly accessible directory due to inadequate security measures.
McDonald’s Polska entrusted 24/7 Communication with processing employee data collected in a work schedule module. However, McDonald’s had no control over the configuration of the IT system, which was managed solely by the external processor. The agreement between the two parties did not include proper supervision mechanisms, such as audits or inspections, and the processor failed to implement the necessary technical and organizational safeguards. Neither party conducted a risk analysis, and the server was misconfigured, leaving sensitive employee data, including names, PESEL numbers, passport numbers, work hours, and job positions, publicly accessible to unauthorized parties.
Compounding the problem, 24/7 Communication subcontracted the data processing to another entity without a formal contract, in violation of GDPR requirements. Both McDonald’s and the processor failed to involve the Data Protection Officer (DPO) in critical decisions, limiting the ability to prevent the breach. McDonald’s also did not verify the processor’s capacity to secure the data, relying solely on its previous cooperation with the company in public relations. The lack of a risk assessment and insufficient data minimization contributed to the breach, as unnecessary personal identifiers such as PESEL and passport numbers were used where less sensitive identification numbers would have sufficed.
The UODO clarified that McDonald’s, as the owner and controller of the scheduling module, was responsible for the employees’ data, including those of franchisees, since it determined the purposes and means of processing. The authority emphasized that entrusting data processing to a third party does not absolve the controller from ensuring compliance with GDPR security requirements. McDonald’s failed to notify affected former employees directly, which led to an official reprimand. This case highlights the importance of thorough risk assessments, proper contracts, ongoing oversight, and minimizing personal data in compliance with GDPR.