Poland: Record GDPR fine highlights risks of processor oversight failures
In July 2025, the Polish Data Protection Authority ("PDPO") imposed a GDPR fine of PLN 16.9 million (approximately EUR 4 million) on McDonald's Polska, the second-highest penalty to date against a Polish private-sector entity. The fine stemmed from a major data breach involving employee and franchisee staff information. The incident was traced to a publicly accessible file on a server used for managing staff schedules, which exposed personal data including names, national identity numbers, passport details, and work schedules.
Although McDonald's had executed a data processing agreement with its external PR services provider, the scheduling module was managed entirely by the processor without any oversight from the controller. Critically, McDonald's never exercised the audit rights that the agreement gave it, did not conduct a proper risk assessment of the outsourced processing, and did not involve its Data Protection Officer. The PDPO also treated the excessive scope of data collected and the incomplete breach notifications sent to affected individuals as aggravating factors.
This decision sends a clear reminder that controllers cannot outsource accountability under the GDPR. Outsourcing may streamline operations, but it heightens risks if processors are not subject to rigorous vetting, supervision, and integration into a broader data protection framework. For organizations operating in Poland or across the EU, the case highlights the importance of governance fundamentals: robust processor audits, meaningful DPO involvement, risk-based security measures, and adherence to data minimisation principles.
Colt Technology Services Hit by Major Cyberattack
On August 12, UK-based telecom provider Colt Technology Services, which connects over 900 data centers worldwide, suffered a cyberattack that initially appeared as a "technical issue." The company shut down internal support systems, including its online portal and Voice API platform, to contain the incident and protect its core customer infrastructure. While Colt first assured customers that no customer or employee data had been compromised, it later confirmed that attackers had accessed certain files potentially containing customer information.
The WarLock ransomware group has claimed responsibility, alleging theft of hundreds of gigabytes of sensitive data, including financial records, internal communications, and system blueprints. The group has reportedly listed one million documents for sale and issued a $200,000 ransom demand, publishing sample files on dark web forums as proof. Security researchers suggest the intrusion may be linked to CVE-2025-53770, a recently patched Microsoft SharePoint vulnerability exploited through the attack chain known as ToolShell.
The incident highlights the growing risks facing telecoms, where even an outage of support systems can ripple across customer operations and erode trust. Experts stress that for critical infrastructure providers, patching of externally accessible systems must move from weeks to hours. Two caveats apply in this case: CVE-2025-53770 was exploited in the wild before a fix was available, so exposed SharePoint servers could be compromised before any patch cycle began, and Microsoft's guidance went beyond patching, also calling for rotation of the ASP.NET machine keys that the exploit chain steals, since an attacker holding those keys can keep forging requests after the vulnerability itself is closed. Colt's experience is a stark reminder that incomplete or delayed patching, and incomplete post-patch remediation, can open the door to large-scale ransomware operations, with serious implications for both service continuity and data security.
Austrian court finds Der Standard's 'pay or okay' consent model violates EU consent rules
Der Standard, one of Austria's leading newspapers, was among the first to implement a "pay or okay" approach after the GDPR came into force. Under this model, users were asked either to consent to extensive third-party tracking or to pay a subscription fee of €9.90 per month. While surveys suggest that only 1–7% of users are willing to accept online tracking when asked openly, the "pay or okay" system produced consent rates as high as 99.9%, raising the question of whether such consent can be considered genuinely "freely given."
In 2023, the Austrian Data Protection Authority ("DSB") reviewed Der Standard's implementation. The authority found the system unlawful because it required users either to grant global consent or to reject tracking altogether, without offering the granular choices required under the GDPR. Der Standard appealed, arguing that more detailed consent options could not be reconciled with the "pay or okay" model.
The Austrian Federal Administrative Court ("BVwG") has now upheld the DSB's findings and rejected Der Standard's appeal, confirming that valid consent was not obtained. However, given the novelty of the issue, the Court allowed an appeal to the Supreme Administrative Court ("VwGH"). It is widely expected that the case could eventually be referred to the Court of Justice of the European Union ("CJEU") for clarification.
The court also addressed an additional argument raised by Der Standard, which sought to rely on a Belgian ruling suggesting that NGO-led "model cases" could constitute an abuse of law. The BVwG rejected this position, confirming that such cases are admissible and consistent with Austrian and German jurisprudence.
Orange Belgium Breach: 850K customer records exposed
At the end of July, Orange Belgium disclosed that a hacker gained unauthorized access to one of its IT systems, compromising the data of approximately 850,000 customer accounts. While the operator emphasized that no sensitive information such as passwords, email addresses, or banking details was exposed, it confirmed that personal identifiers—including names, phone numbers, SIM card numbers, PUK codes, and tariff plans—were accessed.
Upon discovery of the incident, Orange immediately blocked access to the compromised system, reinforced security measures, and notified the relevant authorities. Impacted customers are being contacted directly by email or SMS, and the company has urged them to remain vigilant and to never share their passwords.
Security experts warn that the exposed SIM card and PUK data could be misused in "SIM swapping" attacks, a form of identity theft in which criminals take over a victim's phone number to gain access to online accounts and financial services that rely on SMS codes. Unlike a password, a PUK code is fixed to the physical SIM and cannot be changed by the customer, so the exposure persists for as long as the affected SIM remains in service. Ethical hacker Inti De Ceukelaire has called for greater transparency regarding Orange's mitigation measures.
In response, Orange stated it has introduced additional layers of security to reduce the risk of fraudulent SIM swaps, though it has not disclosed technical details. The incident highlights the importance of proactive security controls in the telecom sector, particularly where customer identifiers can enable downstream fraud.
EU Data Act Comes Into Force on 12 September
The EU Data Act takes effect on 12 September 2025, introducing new rules to ensure fair access to data generated by connected devices. Manufacturers must design products that allow users to easily access and share their data, subject to exceptions for trade secrets and to emergency data-sharing obligations towards public authorities.
Industry groups have raised concerns that the European Commission's upcoming digital simplification package may create legal uncertainty, as companies could face obligations that are later revised. They also warn of challenges around protecting trade secrets, contract termination rights, and interoperability requirements for cloud providers.
Although the Act applies directly across all member states, national authorities must still implement enforcement and penalty measures. Breaches can result in fines of up to €20 million or 4% of global turnover. The Commission has pledged close coordination with member states to ensure consistent application.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.