First-Time Fine Imposed for GDPR Violations Involving Employee Data Breach
The Hellenic Data Protection Authority (HDPA) recently imposed a EUR 150,000 fine on the international consulting firm PwC for its violations of the new European data protection regulation (the General Data Protection Regulation, or GDPR).
An inquiry conducted by the HDPA revealed that PwC required its employees to consent to the processing of their personal data. The HDPA found this processing to lack a proper legal basis, since consent cannot be freely given in an employer-employee relationship. In addition, the HDPA determined that the firm had violated its duty of fairness and transparency toward its employees by creating the false impression that their data was processed on the basis of their consent, when in fact the processing was necessary to maintain the working relationship with the employees and to fulfill legal obligations imposed on the firm. Further, the HDPA held that the firm had failed to keep a record of its decision-making process for establishing a lawful basis for the processing. In light of these findings, the HDPA ordered PwC to remedy the flaws in its conduct within three months and imposed a EUR 150,000 fine.
This decision sends an important message to Israeli employers as well, and lessons should be learnt from it here too. One year after the GDPR entered into force, it was evident that the enforcement activity of privacy protection authorities around the world had focused on companies' business dealings. As a result, companies rarely invest resources in complying with privacy protection laws with respect to the processing of their employees' data. The HDPA's decision marks a change in this trend and signals to employers around the world that they should put their employee data collection and use practices in order as well.