Personal Data Protection Office imposes PLN 17 million fine on McDonald’s Polska

The President of the Polish Data Protection Authority (UODO) imposed a fine of PLN 16.93 million on McDonald’s Polska and issued a reprimand for violations of several data protection regulations. In the same case, the UODO also fined 24/7 Communication a total of PLN 183,900.
It was reported that McDonald’s Polska had outsourced the processing of restaurant employees’ personal data to an external company for the purpose of managing work schedules.
“The lack of a risk analysis for this process, failure to implement appropriate safeguards, and failure to comply with the terms of the data processing agreement led to the personal data being disclosed in a publicly accessible directory,” the statement said.
The supervisory authority emphasized that the obligation to implement appropriate technical and organizational measures applies to both the data controller (McDonald’s) and the data processor (the external company).
(pb.pl)