The Hellenic Data Protection Authority (DPA), which is the Greek equivalent of the Information Commissioner's Office (ICO), has fined PricewaterhouseCoopers €150k for alleged violations of the EU's General Data Protection Regulation.
Following a complaint, the DPA conducted an ex officio investigation surrounding the consent required to process personal data. The employees had given their data. However, the complainant claimed this was not freely given by staff, as it was to be used in a way that was directly linked to staff performance. Consent should be a binary choice: yes or no.
Asking an employee to consent to data processing that is needed to meet legal requirements or contractual agreements, like payroll, is not appropriate. It may be considered outside of the employee's best interest to say no to any process, and even if the employee said no, the processing would still need to take place: therefore the consent would not have been freely given.
The DPA found that PricewaterhouseCoopers (PwC) was non-compliant when processing the data of its employees. It concluded that PwC had "unlawfully processed the personal data of its employees contrary to the provisions of Article 5(1)(a) indent (a) of the GDPR since it used an inappropriate legal basis" and "has processed the personal data of its employees in an unfair and non-transparent manner contrary to the provisions of Article 5(1)".
Having ascertained the infringements of the GDPR, the DPA imposed corrective measures. The DPA has given PwC three months to ensure that the employee data processing is compliant. The DPA also said "as the above corrective measure is not sufficient in itself to restore compliance with the GDPR provisions infringed... based on the circumstances identified in this case ... an additional effective, proportionate and dissuasive administrative fine should be imposed..., which amounts to one hundred and fifty thousand Euros (EUR 150,000.00)".
We have a full understanding of data protection, but the key is our Atom review process:
An audit trail is critical in proving that a company has taken every effort to ensure procedures are followed and that the procedures themselves were correct.
So many companies stick their heads in the sand or don't know where to start when it comes to data protection. Large companies often have complicated processes, when the path can be quite straightforward.
To find out more get in touch.