McDonald's Poland faces record €3.89 million GDPR fine for processor oversight failures
Polish data protection authority imposes comprehensive penalties following employee data breach at McDonald's franchise network.

Poland's data protection authority imposed a record fine of 16,932,657 Polish złoty (approximately €3.89 million) on McDonald's Polska Sp. z o.o. on July 21, 2025, according to the decision of its President, Mirosław Wróblewski. The processor, 24/7 Communication Sp. z o.o., received an additional penalty of 183,858 złoty (approximately €42,000) for its role in exposing employee personal data through inadequate security measures.
The comprehensive enforcement action addresses critical failures in data processor oversight that enabled sensitive employee information to appear in publicly accessible directories. These violations demonstrate how inadequate due diligence and security protocols can result in significant regulatory exposure under European data protection frameworks.
Subscribe to the PPC Land newsletter ✉️ for similar stories. Receive the news every day in your inbox. Free of ads. 10 USD per year.
McDonald's Poland contracted 24/7 Communication to manage employee scheduling systems containing highly sensitive personal information. According to the investigation findings, the exposed data included employee names, PESEL numbers (Polish national identification), passport numbers for employees without PESEL, restaurant location codes, work start and end times, hours worked, job positions, days off, shift types, and work categories.
The breach occurred through server misconfiguration that enabled public directory access to database copies containing comprehensive employee records. Neither McDonald's nor 24/7 Communication conducted required risk assessments before implementing the scheduling module, violating fundamental data protection requirements.
According to the authority's findings, McDonald's lacked administrative privileges for the scheduling system infrastructure. The processor maintained exclusive control over system configuration and management, creating an accountability gap that contributed to the security failure. Despite contractual obligations, the data processing agreement failed to establish effective oversight mechanisms.
Processor relationship failures expose compliance gaps
The investigation revealed that McDonald's selected 24/7 Communication based solely on prior public relations work rather than on an evaluation of its data protection capabilities. This approach violated Article 28(1) GDPR, which requires controllers to verify that processors provide sufficient technical and organizational safeguards.
According to the decision, 24/7 Communication used unauthorized sub-processors without proper contractual arrangements and without notifying McDonald's. The processor executed the required sub-processing agreements only after the breach occurred, although the obligations under GDPR Article 28(4) and (9) applied throughout.
Both organizations failed to involve their data protection officers in processor selection and risk analysis procedures. According to the findings, this exclusion limited opportunities to prevent the breach through proper oversight mechanisms. The authority noted that data protection officer consultation represents a critical internal safeguard under Article 38(1) GDPR.
Data minimization violations compound security risks
The scheduling system processed excessive personal data beyond operational requirements. According to the investigation, PESEL numbers and passport details served as employee identifiers despite alternative approaches being available. These high-risk data categories were only replaced with internal identification numbers following the breach incident.
The authority emphasized that controllers must evaluate the scope of data processing under the data protection by design requirements of Article 25(1) and the minimization principle of Article 5(1)(c). The decision notes that replacing sensitive identifiers with internal numbers is a practical implementation of minimization.
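Two technical points in the decision lend themselves to a small worked example: the database copies that ended up in a public directory carried raw PESEL numbers, and the remedy adopted after the breach was to replace those identifiers with internal employee numbers. The Python below is an added illustration, not code from the decision, from McDonald's or from 24/7 Communication. It uses the public PESEL check-digit algorithm (weights 1,3,7,9,1,3,7,9,1,3 over the first ten digits) to find checksum-valid PESELs in a constructed dump fragment, and shows a controller pseudonymizing a schedule export with a keyed HMAC before handing it to a processor, so the processor can still tell employees apart without ever holding the national ID. The field names, the sample records, the dump text and the key are all constructed for this example.

```python
import hashlib
import hmac
import re

# Weights of the public PESEL check-digit algorithm (digit 11 is the check digit).
PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)

# Constructed demo key; in practice the controller keeps this secret and never
# shares it with the processor, so tokens cannot be reversed by the processor.
CONTROLLER_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample: a schedule export of the kind a processor might receive.
SAMPLE_EXPORT = [
    {"name": "Anna Example", "pesel": "44051401359", "restaurant": "PL-0042",
     "shift": "2025-07-01 06:00-14:00", "position": "crew"},
    {"name": "Jan Example", "pesel": "02070803628", "restaurant": "PL-0042",
     "shift": "2025-07-01 14:00-22:00", "position": "shift manager"},
]

# Constructed text standing in for a database copy found in a public directory.
SAMPLE_DUMP = (
    "INSERT INTO shifts VALUES ('Anna Example','44051401359','PL-0042');\n"
    "INSERT INTO shifts VALUES ('Jan Example','02070803628','PL-0042');\n"
    "-- order id 12345678901 is not a PESEL (its check digit is wrong)\n"
)


def pesel_check_digit(first_ten: str) -> int:
    """Return the check digit implied by the first ten digits of a PESEL."""
    total = sum(int(d) * w for d, w in zip(first_ten, PESEL_WEIGHTS))
    return (10 - total % 10) % 10


def pesel_checksum_ok(candidate: str) -> bool:
    """True when the value is 11 digits and its check digit is consistent."""
    if not re.fullmatch(r"\d{11}", candidate):
        return False
    return pesel_check_digit(candidate[:10]) == int(candidate[10])


def find_pesels(text: str) -> list:
    """Return every checksum-valid PESEL found in free text, e.g. a dump file.

    \\b keeps 11-digit slices of longer numbers from matching; the checksum
    then filters out most unrelated 11-digit values such as order numbers.
    """
    return [m for m in re.findall(r"\b\d{11}\b", text) if pesel_checksum_ok(m)]


def audit_export(records) -> int:
    """Count records in which any string field still carries a valid PESEL."""
    return sum(
        1 for rec in records
        if any(isinstance(v, str) and find_pesels(v) for v in rec.values())
    )


def pseudonymize_records(records, key: bytes):
    """Replace the 'pesel' field with a keyed, deterministic internal identifier.

    HMAC-SHA256 under a controller-held key gives the same token for the same
    employee on every export (so the processor can link shifts) while the
    processor never receives the national ID itself.
    """
    out = []
    for rec in records:
        token = hmac.new(key, rec["pesel"].encode(), hashlib.sha256).hexdigest()[:16]
        scrubbed = {k: v for k, v in rec.items() if k != "pesel"}
        scrubbed["employee_id"] = "EMP-" + token
        out.append(scrubbed)
    return out


if __name__ == "__main__":
    print("PESELs found in dump fragment:", find_pesels(SAMPLE_DUMP))
    print("records carrying a raw PESEL before:", audit_export(SAMPLE_EXPORT))
    shared = pseudonymize_records(SAMPLE_EXPORT, CONTROLLER_KEY)
    print("records carrying a raw PESEL after:", audit_export(shared))
    print("first record as the processor would see it:", shared[0])
```

The same `find_pesels` scan can be run by the controller over whatever a processor's system exports or backs up, which is the kind of ongoing verification the decision says cannot be replaced by contractual terms alone; `audit_export` returning zero is the check that a minimized export really contains no national identifiers.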
According to the findings, McDonald's possessed authority over scheduling module functionality and data processing purposes despite lacking direct system access. The controller determined software features and data collection scope, establishing processing parameters that extended to franchisee employee information.
Franchisee data processing creates complex liability
The investigation examined McDonald's status regarding franchisee employee data affected by the same security incident. According to the authority's analysis, McDonald's controlled scheduling module design and implementation, determining processing purposes and methods for both corporate and franchise restaurant employees.
McDonald's created the scheduling infrastructure and selected the processor, establishing contractual relationships that extended across the franchise network. According to the decision, these circumstances demonstrate controller status under GDPR principles, regardless of franchisee independence for other business operations.
The authority concluded that McDonald's bore responsibility for franchisee employee data protection based on technical system control and processing decision authority. This interpretation expands controller liability beyond direct employment relationships when centralized systems process personal data across business networks.
Breach notification requirements highlight ongoing obligations
McDonald's appropriately recognized high risk to individual rights and freedoms, triggering direct notification requirements under Article 34 GDPR. Current employees received proper individual notifications through established communication channels.
However, former employees received notifications only through purchased press releases. According to the authority, this approach failed to meet direct notification standards required when processing creates high risk to individual rights. The authority issued a formal reprimand for inadequate former employee notification procedures.
The GDPR enforcement landscape shows increasing regulatory focus on processor oversight failures. Data protection authorities across Europe have imposed €4.2 billion in fines since 2018, with processor liability cases becoming more prominent in enforcement actions.
Risk assessment failures enable security incidents
Neither organization conducted mandatory risk assessments before implementing the scheduling system. According to the investigation, this failure prevented identification of security vulnerabilities that ultimately enabled the data exposure. The authority emphasized that risk assessment represents an ongoing obligation rather than one-time compliance activity.
The processor's data protection policy failed to address regular testing, measuring, and evaluation requirements. According to the findings, 24/7 Communication did not consider the scheduling module a system requiring security oversight. This perspective violated fundamental processing obligations that cannot be modified through contractual interpretations.
Server configuration errors directly caused the security incident. According to the investigation, the processor bore responsibility for technical infrastructure management but failed to implement appropriate security controls. The authority noted that both controllers and processors must maintain security measures proportionate to processing risks.
Marketing industry implications emerge from enforcement action
The McDonald's decision reinforces critical principles affecting digital marketing compliance. Marketing organizations frequently engage processors for customer data management, advertising technology, and analytics services, creating similar oversight obligations.
Recent enforcement actions demonstrate regulatory focus on processor due diligence requirements. Marketing teams must evaluate vendor data protection capabilities beyond traditional service quality assessments, particularly when processing involves personal identifiers or behavioral data.
The decision emphasizes that data minimization principles apply regardless of processing convenience. Marketing databases often accumulate customer information over time, but controllers must regularly assess whether collected data remains necessary for specific processing purposes.
Cross-border marketing operations face additional complexity when international data transfers involve processor relationships. The McDonald's franchise network structure demonstrates how centralized systems can create controller liability across multiple jurisdictions and business relationships.
Industry standards evolve following major penalties
The €3.89 million fine represents significant regulatory exposure for organizations with extensive processor relationships. Marketing technology platforms, customer data platforms, and advertising networks operate through complex vendor ecosystems that require systematic oversight mechanisms.
According to the decision, processor agreements must establish effective audit rights and compliance monitoring procedures. Marketing organizations cannot rely solely on contractual terms without implementing practical oversight measures that verify ongoing data protection capabilities.
The authority's analysis demonstrates that processor selection requires technical evaluation beyond commercial considerations. Marketing teams must involve information security and legal professionals in vendor assessment procedures, particularly when processing involves sensitive customer segments or personal identifiers.
Data protection officer involvement represents a critical compliance element that many organizations overlook during vendor onboarding. According to the findings, proper DPO consultation could have prevented the McDonald's breach through enhanced risk assessment and security requirement identification.
Timeline
- July 21, 2025: Polish Data Protection Authority announces €3.89M fine against McDonald's Poland and €42K penalty for processor 24/7 Communication
- 2023-2024: Investigation period examining processor oversight failures and security incident
- Previous: McDonald's contracts 24/7 Communication for employee scheduling system without proper data protection assessment
- Related: German court awards €5,000 compensation for Meta Business Tools GDPR violations
- Context: European authorities impose €4.2B in GDPR fines across 6,680 enforcement actions
- Background: GDPR enforcement statistics show only 1.3% of cases result in monetary penalties
Key Terms Explained
Data Processor: A natural or legal person that processes personal data on behalf of a data controller under specific contractual arrangements. In the McDonald's case, 24/7 Communication served as the processor responsible for managing employee scheduling systems. Processors must implement appropriate technical and organizational measures to ensure data security and can only process data according to documented controller instructions. The McDonald's incident demonstrates that processors face direct GDPR liability and cannot escape responsibility through contractual arrangements with controllers.
GDPR Article 28: The regulatory provision establishing requirements for data processing relationships between controllers and processors. Article 28 mandates that controllers only engage processors providing sufficient guarantees of GDPR compliance, particularly regarding technical and organizational security measures. The McDonald's case violated these requirements when the company selected 24/7 Communication based solely on prior public relations work rather than evaluating data protection capabilities, highlighting the importance of thorough processor due diligence.
Risk Assessment: The systematic evaluation of potential privacy and security threats associated with personal data processing activities. Both McDonald's and 24/7 Communication failed to conduct required risk assessments before implementing the employee scheduling system, preventing identification of vulnerabilities that ultimately caused the data breach. Risk assessment represents an ongoing obligation that must address technical infrastructure, organizational procedures, and external threat landscapes throughout the processing lifecycle.
PESEL Numbers: Polish national identification numbers containing sensitive personal information that require enhanced protection under GDPR frameworks. The McDonald's scheduling system unnecessarily processed PESEL numbers and passport details as employee identifiers, violating data minimization principles when alternative internal identification methods were available. These high-risk identifiers were only replaced following the security incident, demonstrating reactive rather than proactive privacy protection.
Data Protection Officer (DPO): A designated individual responsible for monitoring GDPR compliance, conducting privacy impact assessments, and serving as the primary contact for data protection authorities. McDonald's failed to involve its DPO in processor selection and risk analysis procedures, limiting opportunities to prevent the breach through proper oversight mechanisms. DPO consultation represents a critical internal safeguard that organizations often overlook during vendor onboarding and system implementation processes.
Data Minimization: The GDPR principle requiring organizations to limit personal data collection and processing to what is strictly necessary for specified legitimate purposes. Article 5(1)(c) mandates that data must be adequate, relevant, and limited to processing requirements. The McDonald's system violated this principle by collecting PESEL numbers and passport details when internal employee identifiers would have satisfied scheduling functionality, demonstrating how operational convenience cannot override fundamental privacy protections.
Controller Liability: The primary responsibility borne by entities determining the purposes and means of personal data processing activities. McDonald's maintained controller status for both corporate and franchisee employee data based on its ownership of the scheduling module and authority over processing parameters. The decision demonstrates that controller liability extends beyond direct business relationships when centralized systems process personal data across complex organizational networks.
Sub-processor: A third-party entity engaged by a data processor to perform specific processing activities on behalf of the original controller. 24/7 Communication utilized unauthorized sub-processors without proper contractual arrangements or McDonald's notification, violating GDPR requirements for sub-processing transparency and accountability. Sub-processor agreements must be executed before processing begins, not retroactively following security incidents.
Security Measures: Technical and organizational safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. The McDonald's breach resulted from server misconfiguration that enabled public directory access to employee database copies. Both controllers and processors must implement security measures appropriate to processing risks, including access controls, encryption protocols, and regular security assessments.
Breach Notification: The mandatory requirement to inform data protection authorities and affected individuals when security incidents pose risks to personal data or individual rights. McDonald's appropriately notified current employees directly but failed to meet notification standards for former employees by relying solely on press releases. Proper breach notification requires direct communication to all affected individuals when high risk to rights and freedoms exists, regardless of current relationship status.
Summary
Who: Polish Data Protection Authority President Mirosław Wróblewski imposed fines on McDonald's Polska Sp. z o.o. (16,932,657 złoty/€3.89 million) and processor 24/7 Communication Sp. z o.o. (183,858 złoty/€42,000) for data protection violations affecting McDonald's corporate and franchise restaurant employees.
What: Comprehensive GDPR enforcement action addressing processor oversight failures, inadequate security measures, unauthorized sub-processing, data minimization violations, and improper breach notification procedures that exposed sensitive employee personal data including PESEL numbers and passport details.
When: The decision was announced on July 21, 2025, following investigation of security incidents and processing failures that occurred during McDonald's scheduling system operation.
Where: The violations occurred in Poland involving McDonald's restaurant network and affected both corporate employees and franchisee staff across the McDonald's operational infrastructure.
Why: The enforcement action addresses systematic failures in processor due diligence, risk assessment, security implementation, and data protection oversight that enabled sensitive employee information to become publicly accessible through server misconfiguration.