24/7 Communication Sp. z o.o.: Insufficient technical and organisational measures to ensure information security

The Polish DPA has imposed a fine of EUR 43,000 on 24/7 Communication Sp. z o.o. The fined entity acted as the data processor for McDonald’s Polska Sp. z o.o. (see ETid: 2757). The processor failed to implement sufficient technical and organisational measures to ensure data security, resulting in a data breach. The controller additionally infringed the principle of data minimisation and failed to adequately involve the DPO in relevant activities.

GDPR Articles: Art. 5 (1) c) GDPR, Art. 25 (1) GDPR, Art. 38 (1) GDPR
Industry: Employment