The Greek arm of PriceWaterhouseCoopers have been hit with a €150,000 fine after the Hellenic Data Protection Authority (the Greek equivalent to our Information Commissioner’s Office) conducted an investigation following a complaint in respect of PWC’s processing of employee personal data.

When processing employee’s personal data, employers must identify the lawful basis on which they are undertaking the processing. In pre-GDPR days, employers would typically rely upon the employee’s consent, usually given in the employment contract, as a ‘catch all’.

However, in the new post-GDPR era, formal guidance has suggested that consent can no longer be relied upon in an employment context as its unlikely to have been obtained ‘freely’ given the imbalance of power in the employment relationship. In order to get round this, some employers would try and rely on consent, plus another ‘lawful basis’ as a back-up in case the consent failed. Seemed sensible enough. However, the recent PWC case has confirmed that this approach will not work.

The Hellenic Data Protection Authority (HDPA) found that PWC had been ostensibly processing its employees’ personal data under the legal basis of consent, when in reality it was actually processing the data on an entirely different legal basis that the employees had not been informed of. The actual legal basis for processing the data was to comply with PWC’s obligations under the employment contract. By allowing employees to believe that their data was being processed with their consent, PWC was effectively misleading employees into thinking that PWC would stop the processing if consent was withdrawn. However, this wasn’t in fact the case. PWC could (and would) continue to process the data whether consent had been provided or not.

An employee had made a complaint to the HDPA which lead to the investigation and fine. The HDPA held that processing data under the inappropriate legal basis is a breach of Article 5(1)(a) of the GDPR, meaning the data has been processed unlawfully, even if some other lawful basis could be relied upon. The HDPA also found that PWC had breached Article 5(2) of the GDPR, which sets out the principle of accountability, as they had transferred the burden of proof to the data subjects.

The HDPA advised data controllers to refrain from processing the data at all if they have any concerns or doubts about the lawfulness of the processing.

PWC were also criticised for their accountability to the HDPA in their failure to provide them with the evidence requested. This highlights for all data controllers the importance of:

  • identifying clearly and accurately the ‘lawful basis’ they are relying upon in relation to each data processing activity, and communicating this to employees;
  • ‘demonstrating compliance’ by keeping accurate an up to date records of their processing activities, and ensuring they have copies of all relevant documents such as data handling policies and privacy notices; and
  • working cooperatively with the relevant data authority as soon as they are notified of an investigation.