McDonald’s Polska Sp. z o.o. – €3,955,000 Fine (Poland, 2025)

€3,955,000 · Urząd Ochrony Danych Osobowych · 21 July 2025 · Poland
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

McDonald’s Polska was fined for not ensuring that a third-party service provider kept customer data secure, leading to a data breach. This matters because it shows that companies are responsible for the security of data, even when they outsource tasks. Businesses should carefully vet their partners to ensure they comply with data protection standards.

What happened

McDonald’s Polska failed to ensure that its third-party processor implemented adequate security measures, resulting in a data breach.

Who was affected

Customers of McDonald’s Polska whose personal data was exposed due to the breach.

What the authority found

The Polish Data Protection Authority found that McDonald’s Polska violated GDPR rules by not ensuring proper data security with its service provider.

Why this matters

This case serves as a warning to companies about their responsibility for data security when working with third-party vendors. It highlights the need for thorough oversight and compliance checks.

GDPR Articles Cited

AI-verified

Art. 5(1)(c) GDPR
Art. 25(1) GDPR
Art. 28(1) GDPR
Art. 38(1) GDPR

Source verified 5 March 2026
articles corrected
amount discrepancy
entity split needed
Full Legal Summary
Detailed

The Polish DPA has imposed a fine of EUR 3,955,000 on McDonald’s Polska Sp. z o.o. The controller used a third-party processor (see ETid: 2758) for the purpose of managing work schedules. The controller failed to ensure that the processor implemented sufficient technical and organisational measures to ensure data security, resulting in a data breach. Additionally, the controller failed to ensure that only necessary data had been processed, and it did not adequately involve the DPO in all relevant activities.

Related Enforcement Actions (0)

No other enforcement actions found for McDonald’s Polska Sp. z o.o. in PL

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

21 July 2025

Authority

Urząd Ochrony Danych Osobowych

Fine Amount

€3,955,000

Enforcement Tracker ID

ETid-2757

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. McDonald’s Polska Sp. z o.o. - Poland (2025). Retrieved from cookiefines.eu
