Administrative fine of 4 022 773 euros imposed by the Polish Data Protection Authority on McDonald’s Polska and 43 680 euros on 24/7 Communication LLC for violating the legal provisions stipulated in the GDPR
The National Center for Personal Data Protection (NCPDP), for informational and practical purposes, reports on the administrative fines of 4 022 773 euros imposed on McDonald’s Polska Limited Liability Company (LLC) and 43 680 euros imposed on 24/7 Communication LLC by the Polish Data Protection Authority (the Polish supervisory authority, SA) for violating Article 5 (Principles relating to the processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 28 (Processor), Article 32 (Security of processing), Article 34 (Communication of a personal data breach to the data subject) and Article 38 (Position of the data protection officer) of the GDPR.
McDonald’s Polska LLC, acting as controller, notified a personal data breach after finding that a file placed in a publicly accessible directory contained the following data of its employees and franchisees: names, personal identification numbers (PESEL numbers), passport numbers (where no PESEL number was available), McDonald’s restaurant number, date and time of starting work, date and time of ending work, number of hours worked, holidays, type of work, etc.
The investigation found that neither the controller (McDonald’s Polska) nor the processor (24/7 Communication) had conducted a risk analysis or implemented sufficient technical and organizational measures to protect personal data. Furthermore, the data protection officer was not properly involved, and the contractual partners did not comply with their obligations to audit and monitor the processing.
The Polish SA emphasized that responsibility for data protection lies both with the companies that collect and manage personal data and with their contractual partners. Security measures must be reviewed and updated throughout the processing, not only when it begins.
In this context, the Polish SA imposed an administrative fine of 4 022 773 euros on McDonald’s Polska LLC and 43 680 euros on 24/7 Communication LLC.
NCPDP, as the national supervisory authority for the processing of personal data, emphasizes that personal data controllers are responsible for complying with the legislative framework on the protection of personal data and for ensuring that their processing operations comply with the legislation in force.