Welcome to your weekly update from the Allen & Overy Pensions team, bringing you up to speed on all the latest legal and regulatory developments in the world of occupational pensions.
Greek GDPR ruling on consent as basis for processing | DWP updates overview of no-deal Brexit implications for members
Greek GDPR ruling on consent as basis for processing
The Greek Data Protection Authority (GDPA) has fined an employer EUR150,000 for purporting to use consent as its lawful basis for processing the personal data of employees, when in fact the processing was required for compliance with its legal obligations, and on the basis of its legitimate interest as an employer. A summary of the case in English is available here.
The GDPA ruled that consent should only be used as the legal basis for processing where other legal bases do not apply – it is not a ‘first line of defence’ with other potential bases as a back-up. If the data subject withdraws his or her consent, it should not be possible to swap to a different basis and therefore processing would have to stop. The GDPA also commented that ‘Where the controller has doubts concerning the lawfulness of the processing, the controller must remove those doubts before processing or refrain from processing until the doubts have been removed’.
The GDPA restated that consent cannot be regarded as freely given in the context of employment relations due to the clear imbalance between the parties. Similarly, guidance from the UK Information Commissioner’s Office (ICO) states that ‘Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given’.
The employer had therefore processed the personal data of its employees unlawfully (using an inappropriate legal basis) and had also breached the requirements of fairness and transparency. The purported use of consent in this case gave employees a false impression about the employer’s basis for processing, and they had not been informed of the actual basis on which their personal data was processed, which constituted a breach of the privacy notice requirements in Articles 13 and 14 of the GDPR. In addition, the employer’s attempt to demonstrate compliance by asking employees to sign a statement about the employer’s use of their personal data was a breach of the principle of accountability. The employer was fined EUR150,000 and ordered to take specific compliance actions within three months.
The decision is significant for any employers or pension schemes that have retained consent as part of their post-GDPR data processing practices. The GDPA’s ruling makes clear that this can create additional risk – consent should not be relied on unless no other basis is available, so that if a member withdraws consent the processing would have to cease. The GDPA’s reasoning in this case is in line with the existing UK ICO guidance on consent and reflects a consistent approach to interpreting the GDPR. Employers and schemes should review any remaining use of consent to confirm whether specific circumstances mean that it is the appropriate (and only) basis for processing, or whether this should be reconsidered.
DWP updates overview of no-deal Brexit implications for members
The government has updated its guidance about the impact of Brexit on benefits and pensions, both for UK nationals in the EU, EEA or Switzerland and for EU, EEA and Swiss citizens in the UK, in the event of a no-deal Brexit.
The updates provide general indications of the principles applying to state benefits as well as occupational and personal pensions, and suggest that members ask providers/schemes for further information.