McDonald’s Poland Fined €3.8M: A GDPR Lesson in Controller–Processor Accountability

The Polish Data Protection Authority (UODO) recently imposed significant fines on McDonald’s Polska Sp. z o.o. and its service provider, 24/7 Communication Sp. z o.o., for serious violations of data protection law. The total penalties exceed PLN 17 million, marking one of the largest data protection cases in Poland to date.

McDonald’s Poland hired an external company, 24/7 Communication, to manage work schedules for employees across its restaurant chain. This meant sharing employee data, including names, PESEL numbers (similar to national ID numbers), passport numbers, work hours, and other details through an online scheduling system.

However, due to the poor configuration of the system’s server, this data became publicly accessible online. In other words, anyone could view the personal information of McDonald’s employees and franchise staff.

What Went Wrong for McDonald’s?

1. No Proper Risk Analysis or Security Measures

Neither McDonald’s nor its service provider carried out a proper risk assessment before launching the system. They also failed to implement adequate technical and organisational safeguards, as required under the GDPR. The data breach occurred because the server was incorrectly configured, a preventable technical issue.

2. Lack of Oversight by McDonald’s

McDonald’s, as the data controller, had a duty to ensure that any company processing personal data on its behalf could guarantee adequate data protection. However, McDonald’s did not verify 24/7 Communication’s technical capabilities and failed to monitor compliance with the data processing agreement.

3. No Sub-Processing Agreement

The processor (24/7 Communication) also engaged another company to help manage the data, but without signing the legally required sub-processing agreement. That agreement was put in place only after the data breach, in clear violation of GDPR requirements.

4. Data Protection Officer (DPO) Left Out

Both organisations failed to involve their Data Protection Officers in the process. The DPO at McDonald’s was not consulted about the choice of processor or the data processing methods, a missed opportunity to identify and prevent risks early on.

5. Too Much Data Collected

The system stored more personal information than necessary. For example, employees’ PESEL and passport numbers were used as identifiers, something UODO criticised as a breach of the GDPR’s data minimisation principle. After the incident, these identifiers were replaced with unique employee numbers.

6. Inadequate Notification to Employees

McDonald’s recognised that the breach posed a high risk to affected individuals and issued two press releases. However, UODO ruled that this did not qualify as direct notification, as required by law. Former employees were therefore not properly informed of the breach.

Following its investigation, the Polish Data Protection Authority (UODO) imposed a total fine of PLN 16,932,657 on McDonald’s Polska Sp. z o.o. for multiple breaches of data protection law, including failure to ensure adequate security measures, lack of proper oversight of the processor, and insufficient employee notification following the breach. The processor, 24/7 Communication Sp. z o.o., was also fined PLN 183,858 for its part in the incident, as it failed to secure the data properly, did not conduct a risk analysis, and used another company to process data without the required sub-processing agreement.

These penalties reflect the seriousness of the failures on both sides and highlight that both controllers and processors can face significant financial consequences when they neglect their GDPR obligations.

Franchisees Also Affected

The breach also impacted employees of McDonald’s franchise restaurants. UODO determined that McDonald’s was still the controller for this data because it owned and managed the scheduling system, defined how the data would be processed, and selected the processor.

This means McDonald’s was ultimately responsible for protecting not only its direct employees’ data, but also the personal data of staff working at franchise locations.

Data Controllers and Processors Explained: Who’s Responsible for What Under the UK GDPR

When it comes to handling personal data, two key roles exist under the UK GDPR: the data controller and the data processor.

Understanding the difference and the responsibilities that come with each is essential for any organisation that processes personal data, whether that’s for customers, clients, or employees.

What Is a Data Controller?

A data controller is the organisation (or individual) that decides why and how personal data will be processed. In other words, the controller determines the purpose and means of the processing.

Controllers carry the main legal responsibility for ensuring that all data handling complies with the UK GDPR. Even when they use an external company to help with data processing (for example, a cloud service provider, payroll company, or marketing agency), the controller remains accountable for how personal data is managed.

What Is a Data Processor?

A data processor acts on behalf of the controller. It only processes data according to the controller’s instructions. Processors might store, organise, or analyse data, but they don’t decide what data is used for or how it’s collected.

Although processors have their own legal duties under the GDPR (for example, keeping data secure and reporting breaches), the overall responsibility for compliance still sits with the controller.

What Controllers Must Do When Using a Processor

When a controller chooses a processor, it must make sure that the processor can guarantee data protection in line with the GDPR.

Controllers should assess the following:

  • whether the processor has the technical expertise to protect data properly;

  • if the processor complies with relevant industry standards or security frameworks;

  • whether it has policies and documentation in place (for example, information security or data retention policies); and

  • if it adheres to any approved certification schemes or codes of conduct.

Once a suitable processor is selected, the controller must also sign a data processing agreement. This contract sets out how the data will be handled, what security measures must be applied, and what the processor can and cannot do with the data.

Importantly, controllers can’t simply hand over data and walk away. They must monitor compliance on an ongoing basis, conducting audits or reviews to make sure the processor continues to meet its obligations.

Liability and Accountability

Even if a controller uses a processor, it doesn’t escape responsibility. If something goes wrong (for example, a data breach), the controller can still be held liable.

Individuals whose data has been mishandled can make claims directly against the controller, the processor, or both. If the controller pays compensation, it may later recover some of the costs from the processor, but only if the processor was at fault.

The key point is that the controller must be able to prove that it took all reasonable steps to ensure GDPR compliance, including choosing competent processors, setting clear terms, and monitoring their actions.

Key Takeaways for Businesses

  1. You cannot outsource responsibility
    Even if data processing is handled by an external company, the controller (you) remains accountable under the GDPR.

  2. Risk assessments are essential
    Every new system or data process should be preceded by a risk analysis and regularly reviewed.

  3. Data minimisation matters
    Collect only the information that is strictly necessary. Sensitive data like ID or passport numbers should be avoided unless there is a clear legal basis.

  4. Involve your DPO
    Data Protection Officers must be included in all matters related to personal data, from vendor selection to system design.

  5. Be prepared for incidents
    Have a clear plan for handling data breaches, including how to directly notify affected individuals.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations, without the burden of keeping up with ever-changing digital requirements.

We are here to help you; get in contact with us today for more information.
