PWC: First fine under the General Data Protection Regulation (GDPR) imposed by the Personal Data Protection Authority.
According to the Authority, the case was brought before it following a complaint by the Association of Auditors of the Attica Region ("ELEPA") against the company "PWC" for unlawful processing of its employees' personal data.
The case is all the more striking because PWC held seminars on GDPR, as we can see here.
As specifically stated in the complaint, the company complained against distributed to its staff a "Statement of Acceptance of Terms of Personal Data" as well as new individual contracts (attached to the complaint), which included clauses that the staff were called on to sign, in violation of L. 2472/1997, given the advantageous position of the employer over the employees, so that they may be forced to sign them.
As specifically stated in that complaint,
(a) this statement required staff to give their consent and to expressly and unconditionally permit the company to register and use their personal information, both already filed and filed in the future, in databases which it maintains, although the nature of the company's business does not provide any security reason that would allow such registration and processing of employees' personal data;
(b) the employees were required by this statement to consent to the further disclosure of their personal data to third parties, even to customers of the company, essentially asking the employees to consent to the company using and disclosing their personal information to any third party, wherever and in whatever manner it deems that its business interests are being served; and
(c) further monitoring at the workplace, such as with cameras etc., was thereby initiated.
The Authority has considered that in order for personal data to be processed legally, that is to say, in accordance with the requirements of General Data Protection Regulation (GDPR) no. 679/2016, cumulatively the conditions for applying and adhering to the principles of Article 5 par.
Identifying and selecting the appropriate legal basis as provided for in Article 6 par. 1 GDPR is closely linked to the principle of fair processing as well as to the principle of purpose limitation. The controller must not only choose the appropriate legal basis before processing begins, internally substantiating this choice in accordance with the principle of accountability, but must also inform the data subject of its use under Art. 13 par. 1 ed. c) and 14 par. 1 ed. c) GDPR, as the choice of any legal basis has legal effect on the exercise of the data subjects' rights.
Central to the compliance model adopted by the GDPR is the accountability principle, whereby the controller is required to take the necessary measures to comply with the principles of Article 5 par. 1 GDPR and to prove that compliance on its own, without the Authority even having to submit, in the exercise of its investigative and audit powers, specific questions and requests for conformity assessment.
It is noted that the Authority, because of the expiry of the first period of application of the GDPR, submits specialized questions and requests in the exercise of its related investigative and audit powers, to facilitate the documentation of accountability by those responsible for processing.
The principles of lawful, fair and transparent processing of personal data under Art. 5 par. 1 ed. a) GDPR require that consent be chosen as a legal basis under Art. 6 par. 1 GDPR only if the other legal bases do not apply, and it is impossible to change and move to another legal basis after the initial selection. If the data subject withdraws his consent, the processing of personal data may not be continued under another legal basis.
Where consent is properly applied as the legal basis, in the sense that no other legal basis applies, not granting it or withdrawing it would amount to an absolute prohibition on the processing of personal data.
The consent of data subjects in the context of employment relations cannot be regarded as free, due to the inherent inequality of the parties. In this case, the choice of consent as the legal basis was incorrect, as the processing of personal data was intended to carry out acts directly related to the performance of the employment contract, compliance with statutory obligations, and the proper and effective operation of the business.
In addition, the company gave employees the false impression that it was processing their personal data under the legal basis of consent, while in fact it was processing them under another legal basis, of which the employees were never informed, in breach of the principle of transparency and consequently in breach of the obligation to provide information pursuant to Article 13 par. 1 ed. c) and 14 par. 1 ed. c).
Where the controller has doubts as to the legality of the processing, he or she must remove them before processing or refrain from processing until the doubts are removed.
Finally, the Authority found in this case that the controller had violated the principle of accountability under Art. 5 par. 2 GDPR as, on the one hand, the company failed to comply with its related obligation and in particular with the Authority's request to provide internal documentation of its choice of legal basis.
On the other hand, the company transferred its compliance obligations to employees by asking them to sign a statement acknowledging that the personal data they hold and process is directly linked to the needs of the employment relationship and the organization of the work, and that they also acknowledge that it is relevant and appropriate in the context of the employment relationship and the organization of the work.
In view of the above, the Authority concluded that PWC BS as the controller:
i. subjected the personal data of its employees to unlawful processing, in violation of the provisions of Article 5 par. 1 ed. a) GDPR, as it applied an inappropriate legal basis.
ii. processed its employees' personal data in an unlawful and non-transparent manner, in violation of the provisions of Article 5 par. (a) (b) and (c) GDPR, as it gave them the false impression that it was processing them under the legal basis of consent of Art. 6 par. 1 ed. a) GDPR, while in fact they were processed under another legal basis, of which the employees were never informed.
iii. although it was responsible for processing, it was unable to demonstrate compliance with Article 5 par. 1 and that it violated the provision of article 5 par. compliance with data subjects.
Consequently, the Authority considered that it was unnecessary to examine the other principles of Article 5 par. a' GDPR and the control of any other processing operation after the unlawful collection of personal data.
Following the finding of violations of the GDPR, the Authority decided, under Art. 58 par. 2 GDPR, to exercise its remedial powers in this case by imposing remedies, and decided to order the company, as controller, within three (3) months:
- to bring the processing operations on its employees' personal data, as described in the Annex I submitted, into line with the provisions of the GDPR,
- to restore the correct application of the provisions of Article 5 par. a' and para. 1 in conjunction with Article 2 para. 6 GDPR, as set out in the grounds of the judgment,
- subsequently to re-establish the correct application of the other provisions of Article 5 par. 1 ed. b)-f) GDPR, insofar as the violation found affects the internal organization and compliance with the provisions of the GDPR, by taking all necessary measures in the light of the principle of accountability.
In addition, as the above remedy is not in itself sufficient to restore compliance with the infringed provisions of the GDPR, the Authority has considered that in the present case, in the light of the circumstances established, it should, pursuant to Article 58 par. 2 ed. (i) GDPR, impose an additional effective, proportionate and dissuasive administrative fine under Art. 83 GDPR, amounting to one hundred and fifty thousand (150.000,00) euros, taking into account the Company's published financial statements for the period from 01-7-2017 to 20-6-2018, according to which its net turnover amounted to 41.936.426,00 euros.