McDonald’s Poland has been hit with a record-breaking fine of €3.89 million (around 16.9 million Polish złoty) after a serious employee data leak. The fine was issued by Poland’s data protection authority on July 21, 2025.
The fine followed an incident in which sensitive employee information was accidentally exposed online through a mistake by a contractor working for McDonald’s.
Mistakes in Data Protection and Poor Oversight Revealed
McDonald’s hired 24/7 Communication to run its staff scheduling systems, which held highly private employee information. However, McDonald’s did not verify that the company had the security competence to protect it. It chose the processor for its past public relations work, not for its ability to safeguard personal data.
Also, 24/7 Communication used other companies (called sub-processors) without permission from McDonald’s. These other companies didn’t have the right contracts in place until after the breach had already happened. That step should have happened long before.
The investigation found that neither McDonald’s nor 24/7 Communication asked their data protection officers for help. These officers are trained to check for privacy risks. Their input could have prevented the entire breach. Ignoring them showed weak privacy planning.
Another major problem was the amount of private data collected. The system used national ID numbers and passport numbers to identify workers. But easier and safer options, like internal staff numbers, were available. McDonald’s only switched to these safer methods after the breach. Collecting too much sensitive data broke the GDPR’s rule on data minimization.
Franchise Data and Notification Failures Add to Trouble
McDonald’s used the same scheduling system in its own restaurants and in franchise locations. Franchise restaurants are run by other owners. But McDonald’s controlled the system. It decided what data to collect and how to use it. This made McDonald’s legally responsible for the data, even from restaurants it did not own.
Because of this control, McDonald’s was found to be the main party (or “controller”) responsible for protecting all the employee data in the system — including data from franchise locations. This greatly expanded the company’s responsibility under the GDPR.
After the breach, McDonald’s notified its current workers about the issue. For former workers, however, it relied only on press releases in the news. That was not enough: the law requires that people be informed directly when their personal data is at risk. The Polish authority issued McDonald’s an official reprimand for this failure.