The Greek Data Protection Authority issued a fine of € 150,000 against a major consulting company under the GDPR for unlawful processing of the personal data of its employees.
The Greek data protection authority, HDPA, challenged the privacy information notice the company provided to its employees under the GDPR, since it relied on the legal basis of consent rather than the performance of the contract.
The decision of the Greek data protection authority under the GDPR
Following an investigation, the Greek DPA concluded that the company:
- had unlawfully processed the personal data of its employees contrary to the provisions of the GDPR since it used an inappropriate legal basis of the processing;
- had processed the personal data of its employees in an unfair and non-transparent manner contrary to the provisions of Article 5(1), letters (a), (b) and (c) of the GDPR, giving them the false impression that it was processing their data under the legal basis of consent pursuant to Article 6(1)(a) of the GDPR, while in reality, it was processing their data under a different legal basis about which the employees had never been informed; and
- although it was responsible in its capacity as the controller, was not able to demonstrate compliance with Article 5(1) of the GDPR, and that it violated the principle of accountability set out in Article 5(2) of the GDPR by transferring the burden of proof of compliance to the data subjects.
The GDPR sanction issued
The Greek data protection authority issued a fine of € 150,000 against the company and gave the company three months to:
- bring the processing operations of its employees’ personal data into compliance with the provisions of the GDPR;
- restore the correct application of the provisions of Article 5(1)(a) and (2) in conjunction with Article 6(1) of the GDPR in line with the grounds of the decision; and subsequently,
- restore the correct application of the rest of the provisions of Article 5(1)(b) to (f) of the GDPR insofar as the infringement established affects the internal organization and compliance with the provisions of the GDPR taking all necessary measures under the accountability principle.
Considering the net turnover of the company indicated in the decision, the fine of € 150,000 amounted to approximately 0.35% of that turnover. This circumstance is peculiar, since, under the GDPR, the violation of the accountability principle could have led to a fine of € 20 million or 4% of the global turnover, whichever is higher (read on the topic “Are privacy fines really massive under the GDPR?”).
The decision comes during a period of exceptionally high fines that might change the approach to privacy compliance. I refer for instance to the fine of $ 5 billion issued against Facebook on which you can read “How Facebook $ 5 billion fine is a milestone in the history of privacy“.
The decision also shows that identifying the appropriate legal basis for the data processing is crucial to avoid potential challenges. Indeed, we often see privacy information notices that refer to multiple legal bases for the data processing without clarifying which one applies to each specific activity.