I do not consent!
Jackie Denham reports on a significant GDPR fine issued for relying on employee consent to processing.
In a recent decision, the Hellenic Data Protection Authority (HDPA) in Greece (the equivalent of the UK Information Commissioner’s Office (ICO)) found that PWC had breached the requirements of the General Data Protection Regulation (GDPR) by inappropriately requiring employees to consent to the company processing their personal data.
As per previous guidance, the HDPA confirmed that employers cannot rely on consent to process data in an employment relationship, because an employee’s consent cannot be regarded as freely given due to the imbalance of power between the two parties. In addition, if an individual gives their consent, the processor must be able to stop any processing immediately if that consent is withdrawn, which again does not work in an employment context. As is the case for most employers, the company actually needed to process its employees’ personal data in order to perform their employment contracts, to comply with legal obligations and for the smooth and effective operation of the company (which is a legitimate interest). These are all lawful and valid bases for processing which could and, in fact, should have been relied on by PWC.
You may think that, as the company clearly had lawful bases for the processing that could have applied, the HDPA would have taken a fairly pragmatic approach to the complaint received. However, the decision was in fact very onerous – it required the company to rectify its internal documentation and procedures within just 3 months and imposed a fine of €150,000.00. The HDPA saw this not just as a mistake in identifying the basis for the processing but also as the following breaches of the GDPR:
- PWC had unlawfully processed the employees’ personal data.
- Their approach was in violation of the principle of transparency. PWC had given employees the false impression that it was processing their personal data under the legal basis of consent when it was processing their data under another basis of which the employees had never been informed.
- It was also in violation of the principle of accountability. This was because its internal data protection documentation was incorrect and it was not able to demonstrate compliance. It had also tried to shift its GDPR compliance obligations on to the employees by requiring them to sign a statement confirming that they thought the company’s approach was appropriate.
This decision serves to highlight the importance of organisations ensuring they think carefully about their lawful basis for processing employee personal data and that they have accurate and detailed documentation in place in compliance with the GDPR. This includes as a minimum a comprehensive data protection policy and privacy notices for employees, candidates and contractors. We can assist you in preparing or updating all your GDPR-related documentation – please get in contact if you would like to discuss how we can help.