A reminder of the importance of vendor due diligence
2 October 2025. Yet another reminder from a supervisory authority of the importance of vendor due diligence. The Polish Supervisory Authority has fined both the data controller McDonald's and its processor 24/7 Communication for multiple GDPR infringements arising from a data breach of employee data. Of particular note: Obligations from legislation cannot be excluded by the Data Processing Agreement (DPA). The controller did not exercise proper supervision over the personal dat

Elaine Morrissey
Oct 2, 2025 · 1 min read
Greek Supervisory Authority imposes fines on controller and processor arising from same incident
11 September 2025. Noteworthy decision from the Greek Supervisory Authority, which fined both the data controller and data processor arising from the same incident. The controller was found to have infringed its obligations to select a suitable data processor and supervise them effectively. This case highlights the need for a robust vendor management programme, from onboarding assessments to contracts and DPAs and ongoing due diligence. See EDPB for further details: https://www.e

Elaine Morrissey
Sep 11, 2025 · 1 min read