A huge fine for McDonald's Poland

Biznes Fakty

[Video: The inauguration of the first McDonald's restaurant in Poland, Fakty TVN]

McDonald's Polska has been fined almost PLN 17 million by the Office for Personal Data Protection for breaching personal data protection laws, according to the Office's announcement. It was noted that this led to the "exposure of personal data in a publicly accessible directory."

"The President of the Personal Data Protection Office (UODO) has imposed a fine of PLN 16.93 million on McDonald's Polska and issued a warning concerning the violation of several personal data protection regulations," stated the Office for Personal Data Protection (UODO) in a press release. Additionally, the President of the UODO also levied fines totaling PLN 183,900 on 24/7 Communication for the same case.

McDonald's Polska delegated the handling of its employees' personal data to an external firm for the management of work schedules, as clarified by the Personal Data Protection Office.

"The absence of a risk assessment for this process, the failure to implement suitable security measures, and the non-fulfillment of the personal data processing agreement resulted in the exposure of personal information in a publicly accessible directory," the statement indicated.

Procedure

"Neither the data controller nor the data processor carried out a risk assessment. Furthermore, appropriate technical and organizational safeguards corresponding to the scale of data processing were not established. The breach stemmed from an incorrect server configuration for which the processor was accountable," the Office reported.

It was noted that throughout the investigation, the supervisory authority emphasized that the responsibility for implementing adequate technical and organizational safeguards lies with both the data controller and the processor.

"McDonald's entered into a contract with 24/7 Communication (…) for public relations services (…), concurrently establishing a personal data processing agreement, under which employee data collected in the 'employee schedule module' was processed and made accessible to McDonald's restaurant employees, franchisees, and their staff via the administrator's website," it was explained.

Moreover, it was added that "the administrator lacked the authority to manage the resources and configuration of the IT system containing the employee schedule module. Only the processor held such authority. The entire operation, including its management, was outsourced by the administrator to the processor."

Company Position

In a statement released on Monday, McDonald's Polska declared that it is currently reviewing the decision of the President of the Personal Data Protection Office. "We have received the ruling from the President of the Personal Data Protection Office concerning the incident from 2020, when unauthorized access to the personal data of certain McDonald's restaurant employees in Poland occurred. We are presently analyzing its details," the company stated.

The company highlighted that it has taken measures to mitigate the impact of the 2020 incident. It specified that the breach involved individuals employed at certain restaurants between May 2014 and January 2019.

"Throughout the administrative proceedings, we cooperated fully with the Office. Additionally, we have implemented measures to safeguard the data of our employees, guests, and contractors. We have discontinued the work schedule display tool, initiated independent audits, enhanced internal procedures, and regularly provide training on personal data protection," it added.

McDonald's Polska also noted that, to date, it has not observed any incidents of unauthorized usage of the data involved in the breach.
