€150.000 – GDPR FINE IMPOSED ON PWC BY GREEK DATA PROTECTION AUTHORITY FOR BEING NOT ACCOUNTABLE
The employees of PWC were “forced” to sign a Statement of Acceptance of Terms of Personal Data and consent was not freely given in conformity with article 7 par 4 GDPR, given the advantageous position of the employer over the employees. Consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties.
Moreover the statement required staff to unconditionally give their consent to PWC to use its personal information both already filed and in the future filed on databases, although the nature of the business of the company does not provide any security reason that would allow such registration and processing of employees personal data.
PWC made the false impression on employees that PWC was processing their personal data in accordance with the legal basis of consent while in fact they were processing it with another legal basis, for which employees were never informed, in breach of the principle of transparency article 5 GDPR. and consequently, in breach of the obligation to provide information pursuant to Article 13, 14 GDPR.
PWC preaching the GDPR on seminars was itself not accountable according to the HDPA violating the principle of accountability under Art. 5 GDPR not being able to provide internal documentation of its choice of legal basis. PWC could not show documents giving another legal basis which is in itself logical if you think consent is the proper legal basis. What kind of other legal basis there could have been for PWC cannot be read in the decision of the HDPA. No documents could be shown a fundamental principle of the GDPR’s accountability. This must be in place in your processor register and / or internal privacy statement.
Continue Reading on EuroCloud>>
Article provided by: Bob Cordemeyer (Cordemeyer & Slager Advocaten, The Netherlands)
It’s the middle of the night. Do you know who your iPhone is talking to?