Poland’s data protection regulator has issued the country’s second-highest GDPR fine to McDonald’s for exposing sensitive employee data in a breach at an external service provider.
The regulator ordered the Polish subsidiary of McDonald’s to pay 16.1 million PLN (€3.8 million) after sensitive employee data was exposed in a publicly accessible directory on a server run by 24/7 Communication, the company McDonald’s used to manage shift schedules.
The fast-food chain had entrusted 24/7 Communication with sensitive data including names and surnames, national ID numbers, passport details, working hours and job roles.
“The fine imposed on McDonald’s Poland is among the highest GDPR-related administrative penalties ever issued in Poland,” Just Law partner Agnieszka Rapcewicz told Lexology PRO.
Rapcewicz said the disclosure of sensitive information including national ID and passport numbers by McDonald’s was “excessive and unjustified.”
“Employees could have been identified using pseudonymised data, such as unique identifiers – a solution which was eventually adopted, but only after the data breach had occurred,” she said.
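The pseudonymisation Rapcewicz describes, shown as an added illustration that is not code from the article, the regulator, McDonald’s or 24/7 Communication. It assumes a Python deployment and uses a constructed, fictional schedule; the field names, the HMAC key and the `pseudonymise` helper are this example’s own choices. The point it makes beyond the quote: the schedule handed to a vendor carries only keyed tokens, the table that maps tokens back to people stays with the controller, and a release gate refuses to export rows that still contain a direct identifier.

```python
import hashlib
import hmac

# Constructed sample of the kind of record the article says was shared with the
# scheduling vendor (names, national ID numbers, roles, hours). Fictional data.
RAW_SCHEDULE = [
    {"name": "Anna Kowalska", "national_id": "90010112345",
     "role": "crew", "shift": "2019-01-07 06:00-14:00"},
    {"name": "Jan Nowak", "national_id": "85050554321",
     "role": "manager", "shift": "2019-01-07 14:00-22:00"},
    {"name": "Anna Kowalska", "national_id": "90010112345",
     "role": "crew", "shift": "2019-01-08 06:00-14:00"},
]

# Fields that identify a person directly and must never leave the controller.
DIRECT_IDENTIFIER_FIELDS = ("name", "national_id", "passport")


def pseudonym(secret_key: bytes, national_id: str) -> str:
    """Deterministic token for one employee.

    A keyed HMAC is used rather than a plain hash: an 11-digit national ID has
    so little entropy that an unkeyed SHA-256 could be brute-forced back to the
    ID by anyone who obtains the tokens. The key stays with the controller.
    """
    mac = hmac.new(secret_key, national_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymise(records, secret_key: bytes):
    """Split the data set in two.

    Returns (public_rows, lookup): public_rows is the schedule that can go to
    the vendor and its shared directory (tokens, roles, shifts only); lookup
    maps each token back to the person and is retained by the controller.
    """
    public_rows = []
    lookup = {}
    for rec in records:
        token = pseudonym(secret_key, rec["national_id"])
        lookup[token] = {"name": rec["name"], "national_id": rec["national_id"]}
        public_rows.append({"employee_token": token,
                            "role": rec["role"], "shift": rec["shift"]})
    return public_rows, lookup


def contains_direct_identifiers(rows) -> bool:
    """Release gate: True if any row still carries a direct identifier."""
    return any(field in row for row in rows for field in DIRECT_IDENTIFIER_FIELDS)


def export_for_vendor(records, secret_key: bytes):
    """Produce the vendor copy, refusing to export if the gate fails."""
    public_rows, _lookup = pseudonymise(records, secret_key)
    if contains_direct_identifiers(public_rows):
        raise ValueError("refusing export: direct identifiers present")
    return public_rows


def reidentify(lookup, token: str):
    """Controller-side reverse lookup (the vendor never holds this table)."""
    return lookup.get(token)


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # in practice: from a KMS/HSM, not the code
    rows = export_for_vendor(RAW_SCHEDULE, key)
    for row in rows:
        print(row)
```

If the schedule directory is later exposed, as it was here, an attacker sees shift times against 16-hex-character tokens and nothing that identifies a person without both the key and the controller-side lookup table. Rotating the key produces a fresh set of tokens, which also limits how long a leaked export can be correlated with a later one.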
Neither company had carried out a risk analysis or implemented the security measures appropriate to the scale of data being processed, and 24/7 Communication “did not feel obliged” to ensure the right security controls were in place, according to a statement the regulator published on 21 July. This negligence led to the server misconfiguration that exposed the data.
“Without such due diligence, an organisation risks exposing itself – and the data subjects it is responsible for – to significant harm,” Rapcewicz said.
Additionally, 24/7 Communication used a subcontractor to process the data and only signed the required processing agreement after the breach had occurred. McDonald’s, for its part, failed to involve the group’s Polish data protection officer (DPO) in its decision to engage 24/7 Communication as a processor.
The regulator said both the controller and the processor were responsible for protecting personal data. It issued a lower penalty of 183,000 PLN (€43,000) to 24/7 Communication and a reprimand to McDonald’s for “violating a number of personal data protection regulations.”
“This case illustrates a serious breakdown in the controller-processor relationship,” Rapcewicz said. “Organisations must not wait for a breach to occur – proactivity is the only reliable strategy to ensure GDPR compliance and avoid serious legal and reputational consequences.”
The breach concerned individuals employed at selected restaurants between May 2014 and January 2019, McDonald’s confirmed in a statement. The company said it reported the breach to the regulator “immediately” upon discovering it.
McDonald’s Poland said in the statement it operates “responsibly and in accordance with the law.”
“We have discontinued the tool for displaying work schedules, conduct independent audits, strengthened internal procedures, and regularly carry out training on personal data protection,” the statement said.