Penalty for processing personal data
The Greek branch of PricewaterhouseCoopers Business Solutions S.A. (PWC) was ordered to pay a fine of €150,000.
Incident
In its press release, the Greek Data Protection Authority stated that the company had obtained consent from its own employees to process personnel data. According to the officials, however, no explicit consent was required, since the processing in question is covered by other legal grounds. Article 6(1) of the GDPR lists a variety of conditions that justify processing. Among others:
- (b) processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the data subject’s request
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject
Both points can be used to justify data processing. However, PWC decided to seek explicit consent from employees, a route many companies took before the introduction of the GDPR to “play it safe.”
It was precisely this consent, however, that led to the fine. According to the data protection authority's reasoning, PWC chose an incorrect legal basis for the processing; the processing as a whole was therefore unlawful, and this unlawful data processing had to be sanctioned.
Conclusion
Around May 25, 2018, you almost certainly saw a lot of notices, information sheets, etc. that referred to data processing under the GDPR. You probably also had to sign a consent form with various companies so that your doctor, electrician, etc. could continue to accept orders from you. We already pointed out at the time that these consents were not necessary, but many supposed experts recommended such measures to be on the safe side. This ruling by the Greek Data Protection Authority shows that implementing the GDPR is not possible without real expert knowledge.
The basis for making your company GDPR-ready is the mandatory processing directory. There you enter all processes that process personal data, and for each individual step you must specify which legal basis the processing has. Without powerful software, you’ll need a lot of time and a data protection expert to comply with regulatory requirements. The easier way is easyGDPR. With this online tool, you can create your processing directory in just a few hours. From the Standard version onward, you can even create data processor contracts, which you need when personal data is passed on to other companies (e.g. parcel services, newsletter dispatch etc.). Secure your license of easyGDPR today.
Date of decision:
30.07.2019
Country:
Greece
Type of violation:
Illegal data processing
Records affected:
unknown
Was sensitive data affected?:
No
Fine imposed:
€150,000
GDPR articles violated:
13. Information to be provided where personal data are collected from the data subject
5. Principles relating to personal data processing
6. Lawfulness of processing
Source:
Communication from the Greek Data Protection Authority