€ 150.000,- GDPR fine imposed on PWC by Greek Data Protection Authority for being not accountable

 in Privacy

The Greek HDPA (Hellenic Data Protection Authority) imposed a fine of € 150.000,- on PWC Greece.

The employees of PWC were “forced” to sign a Statement of Acceptance of Terms of Personal Data and consent was not freely given in conformity with article 7 par 4 GDPR, given the advantageous position of the employer over the employees. Consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties.

Moreover the statement required staff to unconditionally give their consent to PWC to use its personal information both already filed and in the future filed on databases, although the nature of the business of the company does not provide any security reason that would allow such registration and processing of employees personal data.

PWC made the false impression on employees that PWC was processing their personal data in accordance with the legal basis of consent while in fact they were processing it with another legal basis, for which employees were never informed, in breach of the principle of transparency article 5 GDPR. and consequently, in breach of the obligation to provide information pursuant to Article 13, 14 GDPR.

PWC preaching the GDPR on seminars was itself not accountable according to the HDPA violating the principle of accountability under Art. 5 GDPR not being able to provide internal documentation of its choice of legal basis. PWC could not show documents giving another legal basis which is in itself logical if you think consent is the proper legal basis. What kind of other legal basis there could have been for PWC cannot be read in the decision of the HDPA. No documents could been shown a fundamental principle of the GDPR’s accountability. This must be in place in your processor register and / or internal privacy statement.

PWC may restore this within three months taking all necessary measures in the light of the principle of accountability but has to pay a fine of € 150,000,- anyhow. PWC will have this opportunity due to the fact that this is the initial period of the GDPR’s application as stated by HDPA. In this application period of the GDPR the HDPA submits specific questions and requests, while exercising its investigative powers in order to facilitate the documentation of accountability by controllers.

This is the first time I have seen a DPA controlling accountability so thoroughly. An accountant being checked for accountability. A clear example of not freely give consent as well.

Recente berichten
  • 11 mei 2021

    INPLP article May 11, 2021

    Wouter Huisman
    Bob Cordemeyer
    Fine of €475,000 for Booking.com reporting data breach 22 days to late. According to a press release of April 6 the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA into compliance with Article 33 GDPR.
    Lees verder
  • 13 april 2021

    Het doolhof van de wet- en regelgeving op het gebied van de zieke werknemer: deel 1.

    Marion Hagenaars
    Wie bepaalt: de bedrijfsarts of het UWV? Verzuimbegeleiding en re-integratie De werkgever is verantwoordelijk voor de verzuimbegeleiding en re-integratie van de zieke werknemer. De werknemer is verplicht om aan zijn re-integratie mee te werken. In de Arbeidsomstandighedenwet is bepaald dat de werkgever zich hierbij moet laten bijstaan door een gecertificeerde arbodienst of bevoegde bedrijfsarts. De
    Lees verder
  • 17 februari 2021

    440,000 EUR fine for Dutch hospital OLVG for access by unauthorized personnel to medical records

    Bob Cordemeyer
    On 11 February 2021 the Dutch Data Protection Authority imposed a fine of EUR 440.000, = on Amsterdam hospital OLVG for having no sufficient measures in place to prevent access to medical records by unauthorized personnel and therefore infringing article 32 (1) GDPR. An investigation was started after the DPA received several complaints of potential violations.
    Lees verder

Plaats een reactie

Top