On June 23, 2025, the President of the Polish Personal Data Protection Office issued a decision in case DKN.5130.4179.2020 concerning a personal data breach in a franchise network. Beyond the Office's substantive assessment of this particular breach, the decision also sets out a more general position on the principles of data processing and on the franchisor's responsibility for such processing. An appeal has been lodged against the decision.
In July 2020, a personal data breach occurred in which the personal data of employees of McDonald's Polska Sp. z o.o. ("McDonald's") and of its franchisees, processed in a system for scheduling and recording working time operated by a company named 24/7 Communication (the system provider), ended up in a publicly accessible online directory. As a result, anyone with a web browser, without any authentication, could open a file containing the names, surnames, PESEL numbers (the Polish national identification number, 11 digits long and unique to a single person), passport numbers, work schedules, and job titles of those individuals.
In the decision, issued after investigating the circumstances of the breach, the President of the Personal Data Protection Office found that the GDPR had been infringed both by the owner of the McDonald's chain (McDonald's) as the data controller and by the data processor. The controller was found, among other things, to have failed to verify the processor before entrusting it with personal data and to have breached the principle of data minimization. Both entities were found to have failed to analyse the risks and implement appropriate technical and organizational measures to secure the processing, to regularly test, measure and evaluate the effectiveness of those measures, and to involve the data protection officer in all matters relating to personal data protection. The processor was additionally found to have entrusted the processing to a further entity (a sub-processor) without concluding an appropriate agreement.
As part of its findings, the President of the Personal Data Protection Office analysed whether McDonald's (the franchisor) could be considered the controller of the personal data of the franchisees' employees. Under the GDPR, the controller is the entity that, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) GDPR). The President of the Personal Data Protection Office determined that the franchisor, McDonald's, "was the owner of the scheduling module used to manage and record the working time of restaurant employees, including franchisees' employees. As the creator and owner of the module, McDonald's decided on the purposes and means of processing personal data, specifying the functionality of the software and the scope of personal data collected. McDonald's selected a processor, i.e., 24/7 Communication, to whom it transferred the scheduling module for the purpose of managing and recording working time. Both the conclusion of agreements and the transfer of all information to franchisees took place through McDonald's".
In the view of the President of the Personal Data Protection Office, these circumstances establish controller status: it cannot be argued that McDonald's role in its relations with 24/7 Communication and with its own franchisees was irrelevant to determining the purposes and means of processing the personal data of the franchisees' employees. Consequently, the franchisor, McDonald's, is responsible under the GDPR for the infringement of the personal data protection of its franchisees' employees.
McDonald's was therefore also liable as a controller for infringements concerning those employees, even though they were employed by franchisees. The President of the Personal Data Protection Office emphasized that the controller (franchisor) need not physically hold the data; what matters is who actually decides on the purposes and means of processing, regardless of the formal agreements and documentation drawn up for a given process.
In a franchise network, where the network owner rolls out a tool (here, one for managing working time) and franchisees use it to process their own employees' data, the question arises whether this constitutes joint control. On a literal reading of Article 26(1) GDPR on joint controllers, the joint decision of the controllers (at least two) must cover both the purposes and the means of processing. European case law nevertheless shows that these roles are not sharply delineated, so in practice much depends on the actual division of responsibilities and decision-making. Depending on who actually decides the purposes of processing employee data and who determines the means (including the choice of tool, its configuration, and the scope of data collected), the network owner (franchisor) and the franchisees may be joint controllers, or each may act as an independent controller. It is therefore crucial to analyse the specific circumstances of each case and the parties' actual influence on decisions about the processing of personal data.
Magdalena Kowalczuk-Szymanska, IDI Country Expert for franchising in Poland.