The Hellenic Data Protection Authority has fined PricewaterhouseCoopers Business Solutions SA 150,000.00 € for unlawful processing of employee data, after the Authority had conducted an ex officio investigation in response to a complaint. The Authority also ordered a series of corrective measures and gave PwC three months to implement them. Reportedly, the company had required its employees to consent to the processing of their personal data, where in fact a legal norm would have permitted the processing without consent.
In its decision no. 26/2019, the Authority held that a controller must not only determine and internally document the correct legal basis in order to comply with the principle of accountability, but must also communicate this legal basis to the data subjects under Art. 13 (1) (c) or Art. 14 (1) (c) GDPR, as applicable, since the choice of legal basis has a legal effect on which data subject rights apply.
In the present case, PwC had based the processing of employee personal data on consent, while in reality the processing was necessary for the performance of the employment contract. A different legal basis therefore applied, of which the employees had never been informed.
The DPA argued that by choosing the wrong legal basis, and thereby giving the data subjects incorrect information about the circumstances of the processing, PwC had violated the principles of lawfulness, fairness and transparency set out in Art. 5 (1) GDPR. The DPA pointed out that consent may only be used as a legal basis where no other legal basis applies. The controller must determine the correct legal basis from the outset; this rules out switching from consent to another justification later on, for instance when the data subject withdraws consent.
Consequently, where consent is identified as the only available legal basis, the refusal or withdrawal of consent amounts to an absolute prohibition of the envisaged processing. In this context, the DPA stated that consent within an employment relationship cannot be regarded as freely given, because of the imbalance of power between the parties.
A question that might arise from this decision is whether the controller’s duty to determine and document the correct legal basis, and to inform the data subjects accordingly, means that where more than one legal basis applies, a failure to name all of them would, in the Authority’s eyes, also constitute a breach of the principles of accountability and transparency.
While it would be rather surprising to see a considerable fine imposed for what might simply be an error of judgement, in the present case the Authority’s decision made it clear that diligence in determining the correct legal basis can be demanded of controllers, and that asking for data subjects’ consent as “the easy way out”, particularly in the employment context, should be discouraged.