
Both controller and processor are responsible for the protection of personal data
The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed fines totalling PLN 16 932 657 (PLN 1 632 063, PLN 13 600 528 and PLN 1 700 066) on McDonald’s Polska Sp. z o.o. and issued a reprimand for infringing a number of provisions on the protection of personal data. In the same case, the President of the Personal Data Protection Office also imposed fines totalling PLN 183 858 (PLN 94 286, PLN 42 429 and PLN 47 143) on 24/7 Communication Sp. z o.o. (the processor).
McDonald’s Polska Sp. z o.o. entrusted the processing of personal data of employees of its restaurant network to an external company for the purpose of managing work schedules. The absence of a risk analysis for this operation, the failure to implement appropriate safeguards and the failure to apply the provisions of the data processing agreement led to the disclosure of personal data in a publicly accessible directory on a server.
Circumstances of the event
McDonald’s Polska Sp. z o.o. (hereinafter also McDonald’s or the controller) notified a personal data breach to the President of the Personal Data Protection Office. The controller found that a file exposed in the publicly accessible directory contained the following data of employees of McDonald’s and of its franchisees: names, personal identification numbers (PESEL numbers), passport numbers (where no PESEL number was available), McDonald’s restaurant number, start date and time of work, end date and time of work, number of hours worked, positions, leave, type of day and type of work.
Data processing agreement
McDonald’s concluded a contract with 24/7 Communication Sp. z o.o. (hereinafter: 24/7 Communication or the processor) for public relations services (the main contract), alongside which the parties concluded a contract for the processing of personal data (the data processing agreement). Under the data processing agreement, employee data stored in the ‘employee schedule module’ (Polish: grafik, rendered elsewhere as ‘graphics module’) were processed and made available to employees of McDonald’s restaurants, to franchisees and to their employees via the controller’s service. The controller had no rights to manage the resources or the configuration of the IT system containing the employee schedule module; only the processor had such rights. The entire process, including its day-to-day operation, was outsourced by the controller to the processor. The schedule module had no separate administrative panel and, although it would have been possible, the controller never requested such access from the processor.
At the same time, the provisions of the data processing agreement, in particular those concerning audits and inspections, were not complied with. The controller did not exercise proper supervision over the personal data it had entrusted.
Negligence in risk analysis and safeguards
In the course of the proceedings, the supervisory authority pointed out that the obligation to implement appropriate technical and organisational measures applies to both the controller and the processor.
The implementation of appropriate technical and organisational measures is not a one-off exercise, but a process whereby the controller and processor keep under constant review and, if necessary, update previously adopted safeguards.
The obligation to regularly test, measure and evaluate the effectiveness of safeguards was not expressly included in the data protection policy drawn up by the processor and was ultimately not implemented in any way. Nor did the processor consider itself obliged to ensure a level of security appropriate to the risks of the personal data entrusted to it and processed by means of the employee schedule module, because it did not regard the module as a resource for which it was responsible. That obligation stems from the legislation and cannot be excluded by an interpretation of the contract concluded between the controller and the processor. The personal data breach itself resulted from an incorrect configuration of the server that allowed the contents of the server to be browsed, including a copy of the database of the work schedule application containing personal data.
Neither the controller nor the processor carried out a risk analysis, and technical and organisational measures appropriate to the scale of the processing were not implemented. The personal data breach was caused by a misconfiguration of a server for which the processor was responsible.
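The decision does not name the web server involved or the exact setting that was wrong; it states only that a server misconfiguration allowed its contents, including a database copy, to be browsed publicly. The most common form of that failure is an enabled directory index (Apache `Options +Indexes`, nginx `autoindex on;`) on a path that also holds backups or exports. The following added example, which is not part of the decision or of either company’s tooling, is a small offline check a controller auditing a processor could run against fetched responses: it recognises the index pages generated by common servers and flags linked files whose extensions suggest data dumps. The sample responses, the hostname and the file names in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.request import urlopen

# Extensions that should never be reachable under a web root. A copy of a
# schedule application's database, as in the decision, would fall here.
RISKY_EXTENSIONS = (".sql", ".sql.gz", ".bak", ".db", ".sqlite", ".sqlite3",
                    ".zip", ".tar.gz", ".7z", ".csv", ".xlsx", ".dump")

# Signatures of auto-generated index pages from common servers.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s+/", re.I),     # Apache mod_autoindex, nginx autoindex
    re.compile(r"<h1>\s*Index of\s+/", re.I),
    re.compile(r"Directory listing for\s+/", re.I),   # python -m http.server
    re.compile(r"\[To Parent Directory\]", re.I),      # IIS directory browsing
)


class _LinkExtractor(HTMLParser):
    """Collect every href on the page; index pages link each entry."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(body: str) -> bool:
    """True if the HTML looks like a server-generated directory index."""
    return any(marker.search(body) for marker in LISTING_MARKERS)


def risky_entries(body: str) -> list:
    """Return hrefs in the listing whose file name has a dump-like extension."""
    parser = _LinkExtractor()
    parser.feed(body)
    found = []
    for href in parser.hrefs:
        # Strip query string and trailing slash, keep the last path component.
        name = href.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1].lower()
        if name.endswith(RISKY_EXTENSIONS):
            found.append(href)
    return found


def assess(body: str) -> dict:
    """Combine both checks into one verdict for a single response body."""
    listing = is_directory_listing(body)
    return {"listing": listing, "risky": risky_entries(body) if listing else []}


def check_url(url: str, timeout: float = 10.0) -> dict:
    """Fetch a URL and assess it. Only run against hosts you are authorised to test."""
    with urlopen(url, timeout=timeout) as resp:   # hypothetical target, not from the decision
        return assess(resp.read().decode("utf-8", errors="replace"))


# Constructed sample: an Apache-style index exposing an export directory.
SAMPLE_LISTING = """<html><head><title>Index of /exports</title></head>
<body><h1>Index of /exports</h1><pre>
<a href="../">Parent Directory</a>
<a href="schedule_backup.sql">schedule_backup.sql</a>   2020-01-10 12:00  48M
<a href="readme.txt">readme.txt</a>                     2020-01-10 12:00  1K
<a href="logo.png">logo.png</a>                         2020-01-10 12:00  3K
</pre></body></html>"""

# Constructed sample: an ordinary application page with the same link, which
# on its own is not evidence of a browsable directory.
SAMPLE_PAGE = """<html><head><title>Schedule</title></head>
<body><a href="/exports/schedule_backup.sql">download</a></body></html>"""

if __name__ == "__main__":
    print(assess(SAMPLE_LISTING))   # listing True, risky ['schedule_backup.sql']
    print(assess(SAMPLE_PAGE))      # listing False, risky []
```

The check is deliberately conservative: a dump-like link on a normal page is reported only when the page is itself a server-generated index, because that combination is what turns a stray file into a publicly browsable one. The durable fix is on the server side (disable the index and keep exports outside the document root), and the decision's point is that the controller remained obliged to verify such measures even though only the processor could change the configuration.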
Failure to conclude a subprocessing agreement
While processing the entrusted personal data, the processor used the services of another entity with which it had not concluded a sub-processing agreement. The relevant agreement was signed only after the breach had occurred and at the stage of the supervisory authority’s investigation, even though the obligation to conclude it already existed under the GDPR (Art. 28(4) and (9)) and under the data processing agreement.
In addition, neither the controller nor the processor involved the Data Protection Officer (DPO) in all matters concerning the protection of personal data (Article 38(1) GDPR). At McDonald’s, the DPO was not involved in assessing the processor’s qualifications and the appropriateness of its selection, nor in the processing of data connected with the schedule module. Leaving the DPO out reduced the chances of preventing the breach.
Verification of the processor
The proceedings showed that McDonald’s did not verify the processor’s ability to secure the data; it relied only on the earlier PR cooperation. This infringed Article 28(1) GDPR, which requires that processing on behalf of a controller be carried out only by processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing protects the rights of data subjects.
The data processing agreement does not exempt the controller from its data protection obligations
Entrusting the processing of personal data to a processor does not relieve the controller of the obligation to ensure security as required by the GDPR (Articles 24, 25 and 32(1) and (2)).
The controller did not carry out the required risk analysis and did not take into account the risks arising from the use of the processor’s services.
If the scope of processing can be minimised, this should be done
The controller should assess the extent of the personal data processed from the point of view of limiting that scope only to data which are necessary to achieve the purpose of the processing, as is apparent from the wording of Article 25 (1) (implementation of appropriate technical and organisational measures) and Article 5 (1)(c) GDPR (principle of minimisation).
In addition to the data needed to record and manage employees’ working time, PESEL and passport numbers were also stored in the system. They served as an identifier to distinguish employees uniquely. Only after the incident were they replaced by internal identification numbers. Replacing a data element that generates a high risk with another, such as an internal identification number, is consistent with the principle of data minimisation.
Obligation to communicate the data breach directly to data subjects whose data have been infringed
The controller rightly considered that the personal data breach resulted in a high risk to the rights and freedoms of natural persons and informed the affected persons. The form of notification differed between groups, however: former employees were notified only by way of two paid press announcements. In the opinion of the President of the Personal Data Protection Office, this form of communication cannot be regarded as communicating a personal data breach directly to the data subjects. For the failure to notify former employees directly, the supervisory authority issued a reprimand to the controller.
Should franchisees be considered controllers?
In the course of the proceedings, the President of the Personal Data Protection Office also examined whether McDonald’s could be regarded as the controller of the personal data of employees of McDonald’s franchisees, who had also notified a personal data breach arising from the same security incident. The President of the Personal Data Protection Office stated that the controller is the entity which decides on the purpose of the processing and determines the means to be used to achieve that purpose. McDonald’s was the owner of the schedule module used to manage and record the working time of restaurant workers, including those of franchisees, and as the creator and owner of the module it decided on the purposes and means of processing the personal data. It specified the functionality of the software and the means of processing, for example the scope of the personal data collected.
McDonald’s selected the processor, i.e. 24/7 Communication, and handed over to it the schedule module for managing working time and time records. Both the conclusion of the contracts and the communication of all information to franchisees were carried out through McDonald’s.
Those circumstances determine the status of controller. It cannot be held that the role of McDonald’s in its relationships with 24/7 Communication and with its franchisees was irrelevant to determining the purposes and means of processing the personal data of the franchisees’ employees, and therefore irrelevant to the liability of McDonald’s as controller under the GDPR for the personal data breach affecting the employees of its franchisees as well.
Decision in Polish: DKN.5130.4179.2020