For the first time since the entry into force of the GDPR, the Hellenic Data Protection Authority (HDPA) has imposed a fine of EUR 150,000 for unlawful processing of personal data. According to its decision (26/2019), the controller PriceWaterhouseCoopers (‘PwC’), a large company with 490 employees in total in Greece, invoked a legal basis for the processing of employees’ personal data that was not the one actually applicable: the processing in fact rested on a different condition, of which the data subjects were unaware.
In this case, PwC opted for consent (Article 6(1)(a) GDPR), the easiest justification to invoke, without considering that the lawfulness of processing is always linked to the fundamental principles of, inter alia, fairness, necessity and transparency enshrined in Article 5 GDPR.
Based on the facts available, it appears that the data subjects were neither able to exercise free will nor given an option to withdraw, since consent was integrated into their employment agreements. The HDPA assessed the imbalance of power between the controller and the data subjects and found that the relevant GDPR provisions had been breached.
Moreover, based on the facts in the decision, the controller rushed to change the legal basis by distributing new forms, this time stating that processing was necessary for the performance of a contract under Article 6(1)(b) GDPR. However, this reaction violated the principle of purpose limitation. A controller should not retroactively change the lawful basis for processing that has already taken place. As a result, the HDPA rejected the arguments invoked by PwC.
Comment
Employers must take into consideration that the GDPR requires data to be processed lawfully, that is, on a legal ground provided under the GDPR. If consent is used, it must meet the definition in Article 4(11) GDPR and the conditions of Article 7 GDPR: consent must be freely given, specific, informed and unambiguous, and the data subject must be able to withdraw it at any time, as easily as it was given.
Under the principles of transparency and accountability set out in the GDPR, it is the employer who must make sure that employees know the legal ground for the processing. In this case, however, that obligation was effectively shifted onto the data subjects, who were asked to acknowledge the lawfulness of the processing themselves.
Moreover, all stages of data processing should be completely transparent to the data subject. This is achieved when the controller provides specific information on the types of data collected, the retention period (not merely a reference to future use), whether the data subject can refuse, whether consent can be withdrawn and the data deleted (right to erasure, the ‘right to be forgotten’), and the consequences of each of these choices for the data subject. This information must be easily accessible and understandable by all data subjects, which means that the purposes of the processing must be described in plain language. As the decision highlights, data subjects may lack the specific knowledge needed to fully comprehend the processing taking place; in this case it was therefore doubtful whether the employees understood what they were agreeing to.
Finally, employers must set out the risks and safeguards associated with the processing of employees’ personal data, with specific reference to any transfer to third parties. In this regard, it is prudent to conduct a Data Protection Impact Assessment (DPIA) to ensure that the risks are understood, to minimise or mitigate the risk of a data breach, and to confirm that best practices for data privacy and security are being followed across the organisation.