Poland’s Personal Data Protection Office (UODO) has imposed administrative fines totaling over 16.9 million PLN on McDonald’s Poland and over 183,000 PLN on its subcontractor, 24/7 Communication. The penalties follow a significant breach involving employee data and major lapses in data protection oversight—highlighting serious failures to comply with GDPR standards. McDonald’s has since issued a formal response.
In an age where HR systems are increasingly digital, securing personal data is a legal requirement for every organization, regardless of size. The UODO’s ruling demonstrates the complex responsibility chains involved when external companies handle sensitive information.
Massive Data Exposure, System Failures, and Poor Oversight
McDonald’s Poland reported a data breach to the UODO after a file containing personal information on employees—both from company-owned and franchised restaurants—was exposed in a publicly accessible folder. The leaked data included names, PESEL or passport numbers, restaurant IDs, work hours, job roles, types of shifts, and hours worked. The incident was caused by a misconfigured server used for a scheduling module.
That scheduling system was operated by 24/7 Communication under a PR services contract and a separate data processing agreement with McDonald’s. However, the module lacked an independent admin panel. McDonald’s, the data controller, did not request access to the system and effectively outsourced all operations, neglecting its oversight responsibilities. Moreover, the audit rights outlined in their agreement were not enforced.
Investigators found that neither McDonald’s nor 24/7 Communication performed the required risk assessment, implemented adequate technical or organizational safeguards, or conducted regular security testing. 24/7 Communication failed to even classify the scheduling module as a sensitive asset requiring protection. UODO stressed that these duties are legally binding and cannot be bypassed through contract interpretations.
Contract Gaps and a Side-Lined Data Protection Officer
The UODO also discovered that 24/7 Communication used a third-party provider without signing a legally required subcontracting agreement for data processing—only formalizing the arrangement after the breach was reported. Neither McDonald’s nor 24/7 Communication involved their Data Protection Officer (DPO) in choosing service providers or in managing the data system, which hindered risk evaluation and GDPR compliance.
McDonald’s also failed to vet 24/7 Communication for its ability to safeguard data, basing its decision purely on the agency’s prior PR work. This clearly violates Article 28(1) of the GDPR, which requires data processing to be entrusted only to entities with proven data protection practices.
Additionally, McDonald’s breached the principle of data minimization. The scheduling system used PESEL and passport numbers even though they were unnecessary for its purpose; a schedule only needs to tell one employee from another. These identifiers were replaced with internal IDs only after the incident, a measure that Articles 5 and 25 of the GDPR require to be built in from the outset.
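As an added illustration (not code from the decision or from either company's systems), the following Python shows the data-minimization step described above: scheduling records keyed by PESEL are rewritten to carry only a random internal ID, with the PESEL-to-ID lookup held apart from the schedule, plus a check that flags any checksum-valid PESEL still present in a file before it is shared. The record fields and PESEL values are constructed, and the separate-storage arrangement is an assumption.

```python
import re
import secrets

# Constructed sample: scheduling records keyed by PESEL, as the module in the
# decision was. The PESEL values are synthetic but checksum-valid test numbers.
SCHEDULE = [
    {"pesel": "44051401359", "restaurant_id": "R-0421", "role": "crew", "shift": "evening", "hours": 8},
    {"pesel": "02070803628", "restaurant_id": "R-0421", "role": "manager", "shift": "day", "hours": 9},
    {"pesel": "44051401359", "restaurant_id": "R-0077", "role": "crew", "shift": "night", "hours": 6},
]

# Weights of the PESEL control-digit algorithm (digits 1-10; the 11th is the check digit).
PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)


def is_valid_pesel(value) -> bool:
    """True when value is 11 digits whose last digit matches the PESEL checksum."""
    if not isinstance(value, str) or not re.fullmatch(r"\d{11}", value):
        return False
    digits = [int(c) for c in value]
    control = (10 - sum(w * d for w, d in zip(PESEL_WEIGHTS, digits[:10])) % 10) % 10
    return control == digits[10]


def minimize_schedule(records):
    """Return (minimized records, lookup table).

    Each record keeps only what scheduling needs; the PESEL is swapped for a
    random internal ID, reused when the same person appears again. The lookup
    table is the only place the PESEL survives and is assumed to be stored by HR,
    separately from the scheduling data that gets copied around."""
    lookup = {}
    minimized = []
    for rec in records:
        pesel = rec["pesel"]
        if pesel not in lookup:
            lookup[pesel] = "EMP-" + secrets.token_hex(6)  # random, not derived from the PESEL
        minimized.append({"employee_id": lookup[pesel], **{k: v for k, v in rec.items() if k != "pesel"}})
    return minimized, lookup


def find_national_ids(records):
    """Release check: return (record index, field) for every PESEL-shaped value
    still present, so a file like the one that leaked can be blocked before export."""
    hits = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            if is_valid_pesel(str(value)):
                hits.append((i, field))
    return hits
```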
Financial Consequences and Legal Accountability
As a result of the violations, the UODO fined McDonald’s Poland over 16.9 million PLN, broken into three separate penalties: 1,632,063 PLN, 13,600,528 PLN, and 1,700,066 PLN. 24/7 Communication was fined a total of 183,858 PLN. McDonald’s was also reprimanded for failing to notify former employees directly about the breach—instead relying solely on press statements.
The regulator confirmed McDonald’s was responsible not just for its direct employees, but also for franchise staff, since the company owned the work scheduling system and controlled how data was collected, stored, and shared. Information was routed to franchisees through McDonald’s, which also signed contracts with the data processors.
Under the GDPR, a data controller’s responsibility does not end with outsourcing. Regardless of its internal structure, the controller remains accountable for data security, for the scope of the data it collects, and for choosing and monitoring its processors. The UODO’s decision is a stark reminder that shortcuts in data management can lead to serious legal and financial repercussions.
McDonald’s Responds to the GDPR Fine
McDonald’s Poland issued a statement acknowledging the decision: “As a company, we operate in full compliance with the law and take our responsibilities seriously. We regret the incident, which occurred five years ago, and have taken steps to minimize its impact. Importantly, the breach did not involve customer, app user, or business partner data.”
The fast-food chain clarified that the breach affected former employees from select restaurants between May 2014 and January 2019. “Once the issue was identified, we promptly reported it to the UODO and cooperated transparently throughout the investigation. We’ve since retired the scheduling tool, launched independent audits, strengthened internal procedures, and regularly train staff on data protection.”
McDonald’s also emphasized that “to date, there have been no reports of unauthorized use of the data involved in the incident.”