Publications & Insights Employers beware: €150,000 fine for employer relying on consent as the legal basis for processing employee personal data
Share This

Employers beware: €150,000 fine for employer relying on consent as the legal basis for processing employee personal data

Monday, 26 August 2019

The Hellenic Data Protection Authority (HDPA) recently fined PWC Business Solutions SA €150,000 and ordered the company to take corrective actions following an investigation that uncovered breaches by the company of Article 5 of the GDPR.

The investigation revealed that the company was requiring employees to give their consent for the processing of their personal data at work. The HDPA determined that this was not the appropriate legal basis for processing this employee personal data, noting that:

“Consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties.”

It is a common misconception that data controllers must always seek the consent of a data subject before the data controller may process the subject’s personal data. Further to the GDPR, consent is only one among a number of legal bases for processing. If there is a different basis for processing available then consent is not necessary. If consent is not necessary (because there is another legal basis for processing) then consent should not be sought.

In the PWC Business Solutions SA case, the HDPA found that the choice of consent as the legal basis was inappropriate and that other bases under Article 6 were more appropriate e.g. the processing was necessary for the performance of the employment contract (Article 6 (1)(b)) or the processing was necessary for compliance with a legal obligation to which the company was subject (Article 6(1)(c)). 

The HDPA determined that the company was in breach of its transparency obligations under Article 5 of the GDPR in giving employees the false impression that it was processing their personal data under the legal basis of consent.

In addition to the administrative fine, the HDPA gave the company 3 months to bring the processing operations of its employees’ personal data into compliance with the provisions of the GDPR.

This case acts as a warning for employers who have yet to update their employment contracts and policies to reflect a legal basis other than consent for the processing of employee personal data.

If you have any queries in respect of the above or the obligations on employers to update employee contracts and policies in line with the GDPR, please contact Loughlin Deegan, Stephen Kane or a member of the ByrneWallace Data Protection Team.