On 26 July 2019, the Greek Supervisory Authority (SA) found Pricewaterhouse Coopers (“PwC”) not compliant with General Data Protection Regulation (GDPR) in relation to the processing of its Greek employees’ personal data. The SA issued a €150,000 fine and an injunction requiring PwC to take measures to comply within three months (which is has apparently done). A summary of the decision in English is available on the Greek SA’s website.
Why is employee data important?
In the PwC case, the complaint with the SA was filed by the Attica Accounting Trade Union (Attica is the administrative region that encompasses Athens). The information in that complaint is believed to have been provided by a current or former employee of PwC.
When the GDPR was in draft form, the conventional wisdom was that this new regulation was targeting large US-based tech companies that collect significant amounts of data from internet users. But this view ignored the fact that employee data is the most commonly processed by personal data. Indeed, the first European lawyers who developed experience in data protection laws were the employment law specialists. And the SA’s PwC decision reflects an emphasis on employee data.
Experience also shows that non-compliance in the data protection field may have unintended consequences. For example, in labor disputes, some employees have seized upon their employer’s alleged non-compliance with data protection laws as leverage to obtain more compensation or other benefits. For example, employees have sought additional compensation based on their former employers’ continued use of their images on the company’s website.
Lesson 1: When in doubt, refrain from using employee data
Before the GDPR went into effect, PwC requested that its employees sign a document in which they stated that they consented to the processing of their personal data for a variety of purposes, including the communication of the data to third parties and the monitoring of the use of the company’s computers.
One of the fundamental principles of GDPR (an earlier version of which already existed in the 1995 Directive) is that personal data must be “processed lawfully” (Article 5.1(a)). In other words, any processing must have a legal basis. Article 6.1 lists several legal bases but the most commonly used are:
- the data subject’s consent,
- the performance of a contract concluded by the data subject,
- compliance by the processor of a legal obligation,
- legitimate interests pursued by the controller.
Article 7 provides that such consent must be freely given and the Article 29 Working Party (which became the European Data Protection Board) has issued Guidelines on consent that clearly state that because of the imbalance in the relationship between employees and employers, the employee’s consent is usually not an appropriate legal basis.
In its decision, the Greek SA quoted these Guidelines, and stated clearly: “Consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties.” and gave an example of circumstances where obtaining employee consent would be appropriate: when employees are requested to participate in a film that depicts them at work. As a consequence, consent was not an appropriate legal basis for PwC’s processing which was therefore unlawful.
The Greek SA characterized US law as different from EU law in relation to the use by employees of company computers. Under the GDPR, employees’ privacy is protected at work as well even when using equipment provided by their employer.
PwC argued that it should not be held liable because at the time the alleged breach occurred, the GDPR was new and complex and that PwC has requested the employees sign a consent form. The SA disagreed and held that when in doubt, the processor must abstain to process the personal data and found that PwC had unlawfully processed the personal data.
Lesson 2: Be careful when using consent as a legal basis for using employee data
The Greek SA found PwC liable for two additional violations. The SA concluded that PwC had given its employees the false impression that it was processing their data legally. The SA found such a misrepresentation contrary to the obligation to process data in a fair and transparent manner. Employers inclined to use consent as a legal basis should also keep in mind that data subjects can withdraw their consent at any time and for any reason. In addition, the SA found that PwC could not meet its burden of demonstrating that it was processing the employees’ data in compliance with GDPR and therefore violated the GDPR’s accountability principle.
* * *
The choice of the correct legal basis for the use of the personal data of EU residents is essential; while such measures may seem excessive to those in the United States, failure to comply with this step in the GDPR compliance process results in complaints, investigations, and fines.