The Polish Data Protection Authority (UODO) has fined McDonald’s Poland nearly €4 million (16.9 million PLN). The reason: a chain of security failures that led to a major data breach involving employee information. This case is a textbook example of how data protection responsibility can’t simply be outsourced to third-party vendors and why fundamental GDPR principles like data minimization are not just minor details.
The Case: Unsecured Employee Data in a Public Directory
McDonald’s Poland had outsourced the management of its employee work schedules to an external service provider (a data processor). Due to a faulty server configuration at the vendor’s end, a database file containing highly sensitive employee data was left in a publicly accessible directory.
The leaked data included not only names and work hours but also high-risk information like PESEL numbers (Polish national ID numbers) and passport numbers. An unauthorized party was able to access this file.
The Authority’s Decision: A “Perfect Storm” of GDPR Violations
The UODO identified a series of serious violations involving both the data controller (McDonald’s) and the processor:
- No Risk Analysis and Insufficient Security Vetting: Neither McDonald’s nor the vendor had conducted an adequate risk analysis for the process. Crucially, McDonald’s failed to properly vet the vendor, relying only on a previous collaboration in an unrelated field (PR). The duty to regularly review and assess security measures was ignored by both parties.
- Violation of Data Minimization (Art. 5(1)(c) GDPR): The authority sharply criticized the use of highly sensitive PESEL and passport numbers to identify employees. This data was completely unnecessary for managing work schedules. A simple, internal identifier (like an employee number) would have been sufficient. McDonald’s only changed the system after the incident—a clear admission of the previous violation.
- Responsibility Cannot Be Outsourced: The UODO stressed that outsourcing data processing does not absolve the controller of its responsibilities. McDonald’s should have actively verified and monitored the vendor’s security measures, which it failed to do. The ultimate responsibility for data security always rests with the company that hired the vendor.
- Responsibility Extends to Franchisees: A key point in the decision was clarifying that McDonald’s Poland is also the controller for the data of its franchisees’ employees. Because McDonald’s provided the scheduling tool, defined the purpose and means of processing, and selected the vendor, it bears full responsibility for everyone using the system.
What This Ruling Means for Your Business
- Outsourcing Increases Due Diligence, It Doesn’t Reduce It: Choosing a vendor to process personal data is a critical decision. A Data Processing Agreement (DPA) is not enough on its own. You must actively confirm that your vendor is actually implementing the required technical and organizational measures (TOMs).
- Actively Vet Your Vendors! Don’t just take their word for it. Request proof, ask for certifications, or conduct audits. The blame—and the fine—for your vendor’s mistake will fall on you.
- Data Minimization Is a Mandate, Not a Suggestion: Critically question every piece of data you collect: Is this information truly necessary to achieve the goal? Using high-risk data (like social security or national ID numbers) for internal processes is almost always a violation if less sensitive alternatives exist.
- Franchise and Corporate Systems Are on the Hook: If your headquarters provides IT systems for your partners or subsidiaries, you are typically considered the data controller (or joint controller) for all data processed within them and bear the full legal risk.
FAQ: Vendors & GDPR – What You Need to Know
Who is liable if my external vendor makes a mistake?
Primarily, you, as the data controller, are liable to the individuals affected and the authorities. While you can try to recover damages from your vendor through civil action, that does not excuse you from your direct responsibility under GDPR.
What does “vetting a data processor” mean in practice?
It can range from requesting self-assessments and certifications (like ISO 27001) to conducting on-site audits. The depth of the review depends on the risk level of the data being processed.
Why was using the PESEL number such a big deal?
National identification numbers are highly sensitive. If leaked, they create an extremely high risk of identity theft and fraud. Their use was not at all necessary for the stated purpose (shift planning) and was therefore a clear violation of the data minimization principle.
As a franchisor, am I responsible for my partners’ employee data?
If you provide and mandate the use of central IT systems (like point-of-sale, scheduling, or CRM systems) and thus determine the “why” and “how” of the data processing, you are very likely the data controller under GDPR.
Conclusion: Outsourcing Requires More, Not Less, Diligence
The McDonald’s case is a prime example of how a chain of failures—from a lack of risk analysis and ignoring data minimization to inadequate vendor oversight—can lead to a disastrous and expensive outcome. The message from the Polish DPA is clear: if you outsource data processing, you must take your responsibility as the “master of the data” more seriously than ever. Trust is good, but in data protection, active and documented control is essential.