The Changing Face of GDPR Enforcement: Are you ready?

Fifteen months on from the introduction of the General Data Protection Regulation (GDPR), the focus of regulatory bodies is advancing, and in doing so it is revealing further issues with the information and advice that circulated at the time of its introduction.

This month the Hellenic Data Protection Authority fined PWC’s Greek branch €150,000 for failures in GDPR compliance. While it may seem that this is just the latest large company to be fined, the basis of the fine shows a changing focus for Data Protection Regulators enforcing the GDPR.

Previously, fines have focused on data breaches where information has been poorly secured or used inappropriately by organisations, resulting in misuse or unauthorised disclosure of an individual's data. This decision instead looks at the internal arrangements of the company.

I would argue that the defining change brought in by the GDPR is the requirement of transparency. This requires companies to inform those whose personal data they collect or hold of the purpose for which they use that data and the lawful basis for this use (among other things). They must also be able to demonstrate their compliance with these requirements.

The GDPR provides for six justifications for holding data, at least one of which must apply for there to be a legal basis for holding standard (non-sensitive) personal data. In order to comply, therefore, each organisation must determine the basis on which it holds its personal data, in this case that of employees. PWC had informed its employees that their personal data was processed lawfully on the basis of consent. There are serious issues with consent as a lawful basis on which to hold employee data, particularly as any consent in this situation would not meet the stringent requirements introduced by the GDPR. These requirements insist that consent must be:

  1. Freely given
  2. Specific
  3. Informed
  4. Unambiguous
  5. Given by statement or clear affirmative action.

To be freely given, consent to process data that is not strictly necessary for the performance of a contract should not be a precondition of entering into that contract. Also, it must be ‘as easy to withdraw as to give consent’ (Article 7(3) GDPR). These provisions taken together mean that consent is a highly inappropriate lawful basis for the processing of employees' data, as the company would require their consent in order to be capable of employing them and processing their data as required by the relevant employment law and other provisions. Should an employee withdraw consent, the company would be required to cease processing the personal data of that person and so would be unable to pay their wages or any relevant tax, or even monitor their attendance.

The Data Protection Authority confirmed that the choice of a clearly inappropriate lawful basis meant that employees' data had been processed unlawfully. It imposed corrective measures on the company, requiring it to review the lawful basis and take relevant measures to ensure that the correct lawful basis was established and relevant records kept to ensure accountability. However, these measures were not considered sufficient to restore compliance, hence the €150,000 fine.

Here to help! 

At Heringtons we can help you to review the lawful basis for your processing of personal data, whether that of your employees, customers or suppliers. Our approach to GDPR compliance embraces the opportunity to use the required documents to increase trust in the business and therefore improve its marketing ability.

This article is for information purposes only and does not amount to professional advice. If the issues raised affect you, professional legal advice should be sought. Please contact Rosemarie Close for assistance: https://www.heringtons.com/site/people/profile/rosemarie.close

For further information or to speak to one of our experts please call us on: