Greek Data Protection Authority fines PWC 150,000 Euro for GDPR breaches in connection with its processing of employee data
The management of employee, job applicant and staff data, under the GDPR, is a complex subject. Back in July 2018 we wrote about the subject with employment law specialists mpmlegal, to provide guidance on the ways ‘consent isn’t consent’. In this article we explained that, due to the imbalance in the employer/employee relationship, conditions around what constitutes ‘consent’ were more complicated. Specifically, that it would be unlikely for an employer to rely on consent to process personal data, except in very limited circumstances.
Before the GDPR it was considered possible for an employer to rely on ‘consent’ to process both personal data and sensitive personal data (the ‘special categories of data’, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying someone, data concerning health, or data concerning a person’s sex life or sexual orientation). The GDPR makes this harder. Not only are there stricter rules and limitations on consent, but the employee must be able to withdraw it easily. This means that consent is very unlikely to be suitable under the new rules. Employers, therefore, must look to the other lawful bases for processing personal data under Article 6.
The ICO has also published comprehensive guidance on consent.
This matter is illustrated in a recent fine issued by the Greek Data Protection Authority (the equivalent of the UK’s ICO). PWC has been fined €150,000 for GDPR breaches in connection with its processing of employee data. In particular, the DPA found that PWC was incorrectly processing personal data on the basis of consent where this was not appropriate.
This case identified three lawful means of processing personal data under Article 6:
for the performance of employment contracts;
for compliance with a legal obligation to which the controller is subject;
for the smooth and effective operation of the company, as its legitimate interest.
It also reminded employers of the need for further safeguards where the personal data consists of special categories of data, which must not be processed unless different conditions are fulfilled.
The Greek DPA decision (No 26/2019) confirmed that consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties. It noted that:
‘In this case, the choice of consent as the legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest.
In addition, the company gave employees the false impression that it was processing their personal data under the legal basis of consent, while in reality it was processing their data under a different legal basis about which the employees had never been informed. This was in violation of the principle of transparency and thus in breach of the obligation to provide information under Articles 13(1)(c) and 14(1)(c) of the GDPR.’
The significant fine, coupled with this clear and detailed decision, is an obvious call for employers to take notice of this area and we anticipate further claims over the coming months.