Poland's Personal Data Protection Office (UODO) has imposed a substantial fine of 16,932,657 PLN on McDonald's Poland, along with an additional 183,858 PLN on its data processor, 24/7 Communication Sp. z o.o., for serious GDPR violations. The breach resulted in the unauthorized public disclosure of sensitive employee data, including names, PESEL numbers, and work schedules, via an online directory. Key shortcomings identified include: absence of risk assessments, inadequate vendor due diligence, non-enforcement of data processing agreements, unauthorized sub-processing, exclusion of the Data Protection Officer from key decisions, and failure to adhere to data minimization principles. The UODO also issued a reprimand for incomplete notifications to affected individuals.
McDonald's Poland Faces Over 17 Million PLN in Penalties
Published on July 20, 2025
Disclaimer: Oterion provides compliance platform tools and informational resources. However, we are not a law firm or legal service provider. The content in our website, ebooks, posts, and other materials is for informational purposes only and should not be considered legal advice. For specific legal questions or concerns related to any of our content, please consult with a qualified attorney or law firm.