Penalty for processing of personal data
The Greek subsidiary of Price Waterhouse Coopers Business Solutions S.A. (PWC) was sentenced to pay a fine of € 150,000.
Incident
In the press release, the Greek data protection authority stated that the company had obtained consent from its own employees to process personal data. However, according to the officials, no explicit consent was required as such processing is covered by other legal grounds. Article 6 (1) of the GDPR identifies a number of conditions that justify processing. Amongst other things:
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
(c) processing is necessary for compliance with a legal obligation to which the controller is subject
Both points justify data processing. However, PWC decided to seek explicit approval from employees, a way many companies have chosen to “play it safe”.
However, it was precisely this approval that led to the fine. According to the data protection authority, PWC chose the wrong legal basis for the processing; the processing as a whole was therefore inadmissible, and the illegal data processing had to be sanctioned.
Conclusion
By May 25, 2018 you had certainly seen a variety of posters, information sheets, etc., pointing to data processing according to the GDPR. Presumably, you also had to sign a consent for various companies so that your doctor, your electrician, etc. could continue to work with you. We pointed out back then that these consents were not necessary, but many supposed experts recommended obtaining them to be on the safe side. However, this judgment of the Greek Data Protection Authority shows that the implementation of the GDPR is not possible without genuine expert knowledge.
The basis for making your company GDPR-ready is the mandatory record of processing activities. There you enter all processes that process personal data. There you must indicate for each individual step which legal basis the processing has. Without powerful software, you will need a lot of time and a data protection expert to meet legal requirements. The easier way is easyGDPR. With this online tool you can create your processing directory within a few hours. From Version Standard, you can even create data processing contracts that you need when sharing personal information with other companies (such as parcel services, newsletter distributor, etc.). Get your license from easyGDPR today.
Decision date:
30.07.2019
Country:
Greece
Type of violation:
Illegal data processing
Affected data records:
unknown
Was sensitive data affected?:
No
Fine imposed:
€ 150,000
Violation of GDPR Paragraph:
13. Information to be provided where personal data are collected from the data subject
5. Principles relating to personal data processing
6. Lawfulness of processing
Source: