A reminder of the importance of vendor due diligence
- Elaine Morrissey
2 October 2025
Yet another reminder from a supervisory authority of the importance of vendor due diligence.
The Polish Supervisory Authority has fined both the data controller McDonald's and its processor 24/7 Communication for multiple GDPR infringements arising from a data breach of employee data.
Of particular note:
- Obligations arising from legislation cannot be excluded by the Data Processing Agreement (DPA).
- The controller did not exercise proper supervision over the personal data entrusted to the processor.
- Both the controller and the processor need to have in place appropriate technical and organisational measures.
- The processor failed to enter into a DPA with its sub-processor.
- The Data Protection Officer (DPO) was not appropriately engaged; this failure impacted the possibility of preventing the data breach.
Vendor due diligence is not a 'one and done'; it is a continuous requirement. And don't forget the ever-important DPO.
See EDPB for further details: Polish SA: administrative fine of EUR 4 022 773 for McDonald’s Polska sp. z o.o. and EUR 43 680 for 24/7 Communication Sp. z o.o. for negligence in risk analysis and safeguards | European Data Protection Board
For any queries on this article or how Rock Consultancy can support your organisation, please contact us at info@rockconsultancy.ie