Greece

PWC Business Solutions

150,000 €

GDPR enforcement action by Hellenic Data Protection Authority (HDPA) on 2019-07-30.

Rank · Sector

#19

of 213 in Employment

Rank · Greece

#11

of 93

Rank · All fines

#397

of 3,042

Case details

Authority: Hellenic Data Protection Authority (HDPA)
Date: 2019-07-30
Controller / Processor: PWC Business Solutions
Sector: Employment
Quoted Articles: Art. 5 (1) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 13 (1) c) GDPR, Art. 14 (1) c) GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The processing of employee personal data was based on consent. The HDPA found that consent as legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest. In addition, the company gave employees the false impression that it was processing their personal data under the legal basis of consent, while in reality it was processing their data under a different legal basis. This was in violation of the principle of transparency and thus in breach of the obligation to provide information under Articles 13(1)(c) and 14(1)(c) of the GDPR. Lastly, in violation of the accountability principle, the company failed to provide the HDPA with evidence that it had carried out a prior assessment of the appropriate legal bases for processing employee personal data

Open original source Links to the regulator's original publication or another source.