Don’t use consent for the processing of employee data! Greek DPA issues first fine under GDPR

The Hellenic DPA in Decision no 26/2019 decided that for personal data to be processed in compliance with the GDPR, all the principles outlined in Article 5(1) GDPR should be met.

The Decision came to light after the DPA received complaints concerning the processing of PriceWaterhouseCoopers employee data where employees were required to provide their consent for the processing of their data.

The DPA stated that identification of the appropriate legal basis under Article 6(1) GDPR is closely related to:

“the principle of fair and transparent processing and the principle of purpose limitation, and the controller must not only choose the appropriate legal basis before initiating the processing -documenting this choice internally in accordance with the principle of accountability-, but also inform the data subject about its use under Articles 13(1)(c) and 14(1)(c) of the GDPR, as the choice of each legal basis has a legal effect on the application of the rights of data subjects.”


“The principle of accountability constitutes the core of the compliance model adopted by the GDPR. Under this principle, the controller should implement the necessary measures to comply with the principles set out in Article 5(1) of the GDPR and demonstrate their effectiveness, without the DPA having to submit individual — specific questions and requests to assess compliance while exercising its investigative powers.”

In short, consent was not the appropriate legal basis for the processing of employee data and should only be used when other legal bases don’t apply. First, it should be noted that once consent is withdrawn, other legal bases cannot be used, which would be problematic in an employment situation. Second, the consent of employees to an employer cannot genuinely be considered “freely given”, as required by the law, due to the inherent imbalance of power between the employer and the employee.

The correct legal basis in this case would have been the legitimate interest of the company and, where the processing of personal data is linked to them, the performance of the contract and compliance with legal obligations.

Furthermore, it was determined that PwC had violated the principle of accountability, as it failed to provide the DPA with information on the legal basis it relied upon and moved the compliance burden onto the employees.

You can read the whole decision here.
