GDPR: First fine issued by the Greek Data Protection Authority
Company fined €150,000 by the Hellenic DPA for selection and application of inappropriate legal basis and violation of the principle of accountability
Hellenic Data Protection Authority
Exercise of the Hellenic DPA’s corrective powers pursuant to the GDPR for selection and application of inappropriate legal basis and violation of the principle of accountability by a company
Company fined €150,000 by the Hellenic DPA
The Hellenic Data Protection Authority, in response to a complaint, conducted an ex officio investigation of the lawfulness of the processing of personal data of the employees of the company ‘PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA’ (PWC BS). According to the above complaint the employees were required to provide consent to the processing of their personal data.
The DPA considered that PWC BS as the controller:
i. has unlawfully processed the personal data of its employees contrary to the provisions of Article 5(1)(a) indent (a) of the GDPR since it used an inappropriate legal basis.
ii. has processed the personal data of its employees in an unfair and non-transparent manner contrary to the provisions of Article 5(1)(a) indent (b) and (c) of the GDPR giving them the false impression that it was processing their data under the legal basis of consent pursuant to Article 6(1)(a) of the GDPR, while in reality it was processing their data under a different legal basis about which the employees had never been informed.
iii. although it was responsible in its capacity as the controller, it was not able to demonstrate compliance with Article 5(1) of the GDPR, and it violated the principle of accountability set out in Article 5(2) of the GDPR by transferring the burden of proof of compliance to the data subjects.
The Hellenic DPA, after ascertaining the infringements of the GDPR, decided that in this case it should exercise the corrective powers conferred on it under Article 58(2) of the GDPR by imposing corrective measures, and ordered the company, in its capacity as the controller, within three (3) months:
- to bring the processing operations of its employees’ personal data as described in Annex I submitted by the company into compliance with the provisions of the GDPR;
- to restore the correct application of the provisions of Article 5(1)(a) and (2) in conjunction with Article 6(1) of the GDPR in accordance with the grounds of the decision;
- to subsequently restore the correct application of the rest of the provisions of Article 5(1)(b)-(f) of the GDPR insofar as the infringement established affects the internal organisation and compliance with the provisions of the GDPR taking all necessary measures under the accountability principle.
Moreover, as the above corrective measure is not sufficient in itself to restore compliance with the GDPR provisions infringed, the Hellenic DPA considered that, based on the circumstances identified in this case and under Article 58(2)(i), an additional effective, proportionate and dissuasive administrative fine should be imposed in accordance with Article 83 of the GDPR, which amounts to one hundred and fifty thousand Euros (EUR 150,000.00).
The Decision (in Greek) is available on www.dpa.gr (“Decisions”).
A summary of the Decision (in English) is available on http://www.dpa.gr/portal/page?_pageid=33,43590&_dad=portal&_schema=PORTAL