2 October 2025 Yet another reminder from a supervisory authority of the importance of vendor due diligence. The Polish Supervisory Authority has fined both the data controller McDonald's and its processor 24/7 Communication for multiple GDPR infringements arising from a data breach of employee data. Of particular note: Obligations from legislation cannot be excluded by the Data Processing Agreement (DPA) The controller did not exercise proper supervision over the personal dat