Poland fines McDonald’s over employee data breach

Poland’s data protection authority (UODO) has fined McDonald’s around €3.93 million. The case stems from a data breach in which extensive personal information about employees was exposed through misconfigured servers.

The work-scheduling system, run by an external processor, 24/7 Communication, held employee names, ID and passport numbers, working hours, locations, job roles, and time-off details. Because of weak security controls and a failure to carry out the required risk assessments, copies of the database were left in web-accessible directories that could be found through public search. The regulator found that McDonald’s, as controller, had relied entirely on the processor for security without verifying it, which is incompatible with the accountability principle under the GDPR: a controller may delegate processing, but not its responsibility for the data.

The authority also criticized both companies for a lack of proper oversight and for contractual terms that were too weak to define who was responsible for what. The penalties reflect both the scale of the data exposed and the companies’ failure to manage the risk effectively. The case underlines the practical point for any controller outsourcing processing: the GDPR requires the controller to use only processors that provide sufficient guarantees, to bind them by a contract that allocates security responsibilities, and to check that those controls actually exist rather than assume them.