The Greek Data Protection Authority has imposed a 150,000 EUR fine on PriceWaterhouseCoopers Business Solutions SA for – get this – asking their employees’ consent to process their personal data. It may strike you as counterintuitive (and going against everything your mother ever told you) that asking consent could get you into trouble, but where personal data are concerned, so it would appear to be.
As you know, each data processing activity has to have a legal basis. The principles of lawful, fair and transparent processing of personal data under the GDPR require that consent only be used as a legal basis only where the other legal bases do not apply.
The case at hand involved the processing of employees’ personal data. In most cases, this type of processing by an employer does not require consent, as there are other bases available:
- the performance of the (employment) contract: in order to employ an employee, you will inevitably be required to process some of his personal data;
- compliance with a legal obligation: e.g. as an employer, you will be required to register your employees with the local social security service or supply their earnings data to the tax authorities, etc.;
- the employer’s legitimate interest, where the smooth and effective operation of the company requires processing of employee data regardless of whether consent is given.
Consent will only be the appropriate basis is a very limited number of cases, such as when you wish to process your employee’s biometric data (using fingerprint identification to have access to the premises, for example). In this respect, the Greek DPA reminds us of the fact that consent of employees usually cannot be regarded as genuinely freely given – a requirement for valid consent – due to the imbalance between the parties. In our view however, the GDPR has introduced some leniency to accept valid employee consent in certain circumstances, provided that Member State law or collective agreements allow it.
Why is this decision interesting for employers in Europe?
An immediate takeaway from this decision is to check your own privacy policy to make sure that you are not relying on consent as a legal basis where you shouldn’t be. At first glance the fine seems very substantial for what is in practice a purely technical breach (in the sense that PwC was fully entitled to process the same data about the same people in the same way for the same purpose, but merely on a different ground, and that there was no complaint that anyone had been disadvantaged in any practical sense by what it had done. However, commentary around the ruling seems to suggest that it could have been very much higher and that it still could be if PwC does not take the necessary corrective action in the 3 months given to it by the Greek PDA for that purpose. So if it is possible to be relaxed about the prospect of a fine of €150,000, don’t be – it could be very much more.
But while you are checking your policy, you may want to take this opportunity to also verify whether this policy meets the requirements of the GDPR in terms of your transparency obligation. For example, we discussed the legal basis for processing. Your privacy policy needs to inform the employees on which grounds you are processing their data. Does it? If you do find gaps, the “necessary corrective action will be to amend the relevant, privacy statements and processing the particular data in question and to ensure that they are informed of this.
Other obligatory mentions which are often forgotten are the retention period for the data (or the criteria used to determine such period) and the fact that your employee has the right to lodge a complaint with the supervisory authority.
In practice we see that employers are sometimes reassured by the fact that “somewhere in the employment contract / employee handbook” there is a data protection clause, but quite often, this clause is not up to date and does not meet the requirements of the GDPR. You might think also that the chances of any of your staff taking up the point, are negligible. You might be right, but it only takes one disgruntled member of staff to seek advice, or, as here, for the DPA to start the inquiry off its own back. Is it really worth that risk for the sake of an hour going back over your GDPR documentation?
This story may be a gentle reminder to check your policy, before the DPA does it for you ….