Polish SA: administrative fine of EUR 4 022 773 for McDonald’s Polska sp. z o.o. and EUR 43 680 for 24/7 Communication Sp. z o.o. for negligence in risk analysis and safeguards

25 September 2025

Background information

  • Date of final decision: 23 June 2025
  • National case
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 28 (Processor), Article 32 (Security of processing), Article 34 (Communication of a personal data breach to the data subject), Article 38 (Position of the data protection officer)
  • Decision: Administrative fine
  • Key words: Administrative fine, Data processing agreement, Data security, Lawfulness of processing, Data subject rights, Data protection by design and by default

Summary of the Decision

Origin of the case  

McDonald’s Polska sp. z o.o. (McDonald’s) notified a personal data breach to the President of the Personal Data Protection Office, the Polish Supervisory Authority (SA). McDonald’s, as controller, found that the following data of McDonald’s employees and of its franchisees’ employees were contained in a file shared in a publicly accessible directory: names, personal identification numbers (PESEL numbers), passport numbers (where no PESEL number was available), McDonald’s restaurant number, start date and time of work, end date and time of work, number of hours worked, positions, holidays, type of day and type of work.

McDonald’s concluded a contract with 24/7 Communication Sp. z o.o. (the processor) for public relations services (the main contract), alongside which the parties concluded a data processing agreement. Under this agreement, employee data stored in the ‘employee graphics module’ (a work-schedule module) were processed and made available, via the controller’s service, to employees of McDonald’s restaurants, to franchisees and to their employees. The controller had no rights to manage the resources and configuration of the IT system hosting the employee graphics module; only the processor had such rights. The entire process, including its operation, was subcontracted by the controller to the processor. The graphics module had no separate administrative panel and, although this would have been possible, the controller never requested such access from the processor. At the same time, the provisions of the data processing agreement, in particular those on carrying out audits and inspections, were not complied with. The controller did not exercise proper supervision over the personal data it had entrusted to the processor.

Key Findings

In the course of the proceedings, the Polish SA pointed out that the obligation to implement appropriate technical and organisational measures applies both to the controller and to the processor, and that it is not a one-off exercise but an ongoing process in which the controller and the processor keep the adopted safeguards under constant review and, where necessary, update them.

The obligation to regularly test, assess and evaluate the effectiveness of security measures was not explicitly included in the data protection policy developed by the processor and was ultimately not implemented in any way. The processor also did not consider itself obliged to ensure a level of security appropriate to the risk for the entrusted personal data processed by means of the employee graphics module, because it did not regard the module as a resource for which it was responsible. This obligation stems from the legislation and cannot be excluded by way of an interpretation of the contract concluded between the controller and the processor. At the same time, the personal data breach occurred as a result of an incorrect server configuration that allowed the contents of that server to be viewed, including a copy of the database of the work graphics application containing personal data.

Neither the controller nor the processor carried out a risk analysis, and technical and organisational measures appropriate to the scale of the processing were not implemented either. The personal data breach was caused by a misconfiguration of a server under the responsibility of the processor.

While processing the entrusted personal data, the processor used the services of another entity with which it had not concluded a sub-processing agreement. The relevant agreement was signed only after the breach had occurred, at the stage of the supervisory authority’s investigation, even though this obligation already existed under the GDPR (Article 28(4) and (9)) and under the concluded data processing agreement.

In addition, neither the controller nor the processor involved the Data Protection Officer (DPO) in all matters concerning the protection of personal data (Article 38(1) GDPR). At McDonald’s, the DPO was not involved in assessing the processor’s qualifications and the appropriateness of its selection, nor in the processing of data related to the graphics module. Leaving the DPO out limited the possibility of preventing the breach.

Decision

The President of the Personal Data Protection Office imposed on McDonald’s Polska sp. z o.o. an administrative fine of EUR 387 738 for infringement of Article 28(1) of the GDPR, EUR 3 231 143 for infringement of Articles 24(1), 25(1) and 32(1) of the GDPR, and EUR 403 892 for infringement of Article 38(1) of the GDPR.

The total fine imposed on McDonald’s Polska sp. z o.o. was EUR 4 022 773.

The President of the Personal Data Protection Office imposed on 24/7 Communication sp. z o.o. an administrative fine of EUR 22 400 for infringement of Articles 32(1) and (2) and 28(3)(c) of the GDPR, EUR 10 080 for infringement of Article 28(4) and (9) of the GDPR, and EUR 11 200 for infringement of Article 38(1) of the GDPR.

The total fine imposed on 24/7 Communication sp. z o.o. was EUR 43 680.

For further information:

  • National press release: Both controller and processor are responsible for the protection of personal data (Polish)
  • National Decision (Polish)

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.