
The Polish data protection authority UODO has imposed a fine of almost €4 million on McDonald’s Poland because of a data breach.
McDonald’s Poland shared employee data with an external company that managed the scheduling system. According to the UODO, the agreement between McDonald’s and the supplier lacked provisions on supervision, such as audits or inspections, and no appropriate technical and organizational measures had been taken to protect employees’ personal data.
A server misconfiguration left employees’ data accessible to anyone on the internet through a publicly reachable directory. Data stored on the server included names, Social Security numbers, passport numbers, and all kinds of work- and job-related data, such as hours worked, start and end dates of employment, and days off.
According to the Polish DPA, neither McDonald’s Poland nor the supplier of the scheduling system had carried out a risk analysis. In addition, neither party had involved their Data Protection Officer in privacy-related matters.
Furthermore, UODO states that the system should not have used passport numbers or Social Security numbers as identifiers of employees, because this is contrary to the principle of data minimization. It was only after the data breach that it was decided to provide employees with a separate identification number.
Lastly, the Polish regulator argues that McDonald’s Poland violated the General Data Protection Regulation (GDPR) in the way it informed affected (former) employees. Instead of informing them directly, as is required by the GDPR, the company sent two press releases, which can’t be considered a direct notification of a personal data protection breach. UODO issued a warning for this transgression.
The Polish privacy watchdog concludes that McDonald’s Poland remains solely responsible for the security of its employee data, even though the fast food chain outsourced this process to the supplier.
Because of all these infringements, the Polish DPA decided to impose a fine of nearly €4 million on McDonald’s Poland. The supplier of the scheduling system has to pay a little over €43,000.