The Greek Data Protection Authority issues a GDPR fine against PWC
PWC was challenged for the unlawful processing of their employees' data
The Greek Data Protection Authority issued a fine of € 150,000 against PWC under the GDPR for unlawful processing of the personal data of its employees.
As part of LawBytes, Tommaso Ricci provides the summary of a case involving PWC and the Greek data protection authority. The HDPA challenged PWC’s privacy information notice provided under the GDPR to its employees since it relied on the legal basis on consent, rather than the performance of the contract.
The decision of the Greek data protection authority against PWC under the GDPR
Following an investigation, the Green DPA concluded that PWC:
-
had unlawfully processed the personal data of its employees contrary to the provisions of the GDPR since it used an inappropriate legal basis of the processing;
-
had processed the personal data of its employees in an unfair and non-transparent manner contrary to the provisions of Article 5(1), letters (a), (b) and (c) of the GDPR, giving them the false impression that it was processing their data under the legal basis of consent pursuant to Article 6(1)(a) of the GDPR, while in reality, it was processing their data under a different legal basis about which the employees had never been informed; and
-
although it was responsible in its capacity as the controller, was not able to demonstrate compliance with Article 5(1) of the GDPR, and that it violated the principle of accountability set out in Article 5(2) of the GDPR by transferring the burden of proof of compliance to the data subjects.
The sanction issued against PWC under the GDPR
The Greek data protection authority issued a fine of € 150,000 against PwC and gave to the company three months to:
-
bring the processing operations of its employees’ personal data into compliance with the provisions of the GDPR;
-
restore the correct application of the provisions of Article 5(1)(a) and (2) in conjunction with Article 6(1) of the GDPR in line with the grounds of the decision; and subsequently,
-
restore the correct application of the rest of the provisions of Article 5(1)(b) to (f) of the GDPR insofar as the infringement established affects the internal organization and compliance with the provisions of the GDPR taking all necessary measures under the accountability principle.
Considering the net turnover of PWC indicated in the decision, the fine of € 150,000 amounted to approximately 0.35% of the same. This circumstance is peculiar, since – under the GDPR -the violation of the accountability principle could have led to a fine of € 20 million or 4% of the global turnover, whichever is higher (Read on the topic “Are privacy fines really massive under the GDPR?“).
The decision comes during a period of exceptionally high fines that might change the approach to privacy compliance. I refer for instance to the fine of $ 5 billion issued against Facebook on which you can read “How Facebook $ 5 billion fine is a milestone in the history of privacy“.
Also, it shows that the identification of the appropriate legal basis of the data processing is crucial to avoid potential challenges. Indeed, we often notice privacy information notices where there is a reference to multiple legal bases of the data processing, without clarifying which one is applicable to the specific activity.