The Hellenic Data Protection Authority has issued its first-ever fine under the GDPR to PwC in Greece after the firm unlawfully processed its employees’ personal data.
The fine of €150,000 on PwC was imposed on the basis that:
- PwC had unlawfully processed employee personal data, since consent was an inappropriate legal basis for processing.
- PwC had processed the personal data in an unfair and non-transparent manner, by giving the false impression that it was relying on consent; and
- PwC was not able to demonstrate compliance, and had violated the principle of accountability by transferring the burden of proof of compliance to the data subjects, i.e. the employees.
In addition to the hefty fine, PwC in Greece now also has three months to comply with a series of corrective measures issued by the Greek data protection authority so that its processing is GDPR compliant.
Although this is a decision of the Hellenic Data Protection Authority in Greece, it is still a reminder for all employers that relying on consent as the lawful condition or basis for processing employee personal information may lead to a fine from the relevant supervisory authority under the GDPR. In the UK, this is the Information Commissioner’s Office (ICO).
ICO and EDPB guidance on consent
The Article 29 Working Party (now the European Data Protection Board, ‘EDPB’) has issued guidelines which stipulate that, in the context of employment, consent may be used as a legal basis for processing employee data only in limited situations. The ICO consent guidance reflects these EDPB guidelines.
Essentially, the EDPB/ICO guidelines stipulate that in an employment context, consent cannot be given freely as there is most likely an imbalance of power between the employer and the employee. However, the guidance points out that employers are not forbidden from using consent as their lawful basis for processing employee data. Even if the employer is in a position of power, there may be situations when an employer can still show that the consent is freely given. An employer needs to look carefully at the particular circumstances in question and be very confident that it can demonstrate that the individual really does have a free choice to give or to refuse consent.
Key points to remember
An employer must carefully document any and all situations where it has sought to rely on employee consent for data processing, together with the outcome, in the event that the ICO comes knocking on the door. Employee consent must be, above all, unambiguous. If there is even the slightest doubt, it is likely that consent has not been given by the employee.
The guidelines also indicate that an employer will not have valid consent if:
- there is any doubt over whether someone has consented, or the individual does not realise they have consented
- it does not have clear records to demonstrate the individual consented
- the consent was bundled up with other terms and conditions
- the consent request was vague or unclear
- it uses pre-ticked opt-in boxes or other methods of default consent
- it was not specifically named
- it did not tell people about their right to withdraw consent
- the individual cannot easily withdraw consent, or
- its purposes or activities have evolved beyond the original consent.
Should you require further information or clarification of any of the points mentioned in the article please contact David Coupe.