News

03|09|2019

Greek Data Protection Authority imposes a 150,000 EUR fine on "Pricewaterhousecoopers Business Solutions SA" for an alleged GDPR breach

The Hellenic Data Protection Authority, in response to a complaint, conducted an investigation into “Pricewaterhousecoopers Business Solutions SA” regarding the processing of employee personal data. According to the complaint, the employees were required to provide consent for the processing of their personal data.

In the decision, the data protection authority notes that the appropriate legal basis for the data processing must be chosen and that the data subject must be informed about the legal basis and the purpose of the data processing. If consent to the processing of the personal data has been withdrawn, the data controller cannot impose a different legal basis and continue to process the same information, as the withdrawal of consent is equal to an absolute prohibition on the use of this information.

In this case, according to the Hellenic Data Protection Authority, the choice of consent as the basis for the data harvesting was inappropriate, as the data was needed for the employment relations and the normal functioning of the company and was not an optional choice. As the wrong basis had been chosen and the employees were thus not informed about the actual purposes for the use of the information, a serious breach of the General Data Protection Regulation (GDPR) had been committed. If there were doubts about the correct basis for the data use, they should have been resolved before the processing of the data started.

Additionally, the data protection authority notes that the information must be processed in a transparent way, without the need for the authority to interfere in the process, as the data controller is accountable for its actions and the effectiveness of the implemented GDPR measures should be evident. That was not so in this case, where the employees were forced to sign a document agreeing that the basis for the data processing is correct.

Thus, the data protection authority concludes that the company has unlawfully processed the employee data, giving the employees a false impression regarding the intended use of the information, and that the data processing has not been done in a transparent way.

The Hellenic Data Protection Authority notes that the data subjects whose personal data is used must be informed about the specific use of the information, and the information must be used only for the intended purpose, while the burden of proof lies with the data controller and not the data subjects. As a result of these breaches, the Hellenic Data Protection Authority has fined “Pricewaterhousecoopers Business Solutions SA” 150,000 EUR for the breach of the GDPR.

Therefore, as the decision proves, companies have to take the requirements of the GDPR very seriously and have to make sure that the personal data of their employees is processed correctly and used for the intended purpose.

Summary decision available:
https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/DECISIONS/SUMMARY%20OF%20DECISION%2026_2019%20(EN).PDF.


To obtain more information about this decision, you can contact the Attorneys at Law Azanda & Associates by e-mail at info@azanda.lv.



 