The Hellenic Data Protection Authority of Greece, in response to a complaint, recently conducted an
investigation of the lawfulness of the processing of personal data of PricewaterhouseCoopers employees.
According to the complaint, the PwC employees were required to provide consent to the processing of their
personal data, however such consent was not received.

The Hellenic Data Protection Authority ruled that PwC, as the data controller:

i. Unlawfully processed the personal data of its employees contrary to the provisions of Article 5(1)(a) of
the GDPR since it used an inappropriate legal basis;

ii. Processed the personal data of its employees in an unfair and non-transparent manner contrary to the
provisions of Article 5(1)(a) indent (b) and (c) of the GDPR giving them the false impression that it was
processing their data under the legal basis of consent pursuant to Article 6(1)(a) of the GDPR, while in
reality it was processing their data under a different legal basis about which the employees had not been
informed; and

iii. Although it was responsible in its capacity as the controller, PwC was not able to demonstrate
compliance with Article 5(1) of the GDPR, and that it violated the principle of accountability set out in
Article 5(2) of the GDPR by transferring the burden of proof of compliance to the data subjects, its
employees.

The Hellenic DPA, after ascertaining the infringements of the GDPR, decided on July 30, 2019 that in this case
it should exercise the corrective powers conferred on it under Article 58(2) of the GDPR by imposing corrective
measures, and that it would order the company in its capacity as the controller within three months to:

• Bring the processing operations of its employees’ personal data as described in Annex I submitted by
the company into compliance with the provisions of the GDPR;

• Restore the correct application of the provisions of Article 5(1)(a) and (2) in conjunction with Article
6(1) of the GDPR in accordance with the grounds of the decision; and

• Subsequently restore the correct application of the rest of the provisions of Article 5(1)(b)-(f) of the
GDPR insofar as the infringement established affects the internal organization and compliance with the
provisions of the GDPR taking all necessary measures under the accountability principle.

Moreover, as the above corrective measure is not sufficient in itself to restore compliance with the GDPR
provisions infringed, the Hellenic DPA ruled that that, based on the circumstances and under Article 58(2)(i),
an additional administrative fine of €150,000.00 is to be imposed in accordance with Article 83 of the GDPR.

In the case of an employment relationship, consent of data subjects cannot be regarded as freely given due to the clear imbalance between the parties. The choice of consent as the legal basis was inappropriate, as the processing of personal data is directly linked to the performance of employment contracts, and compliance with a legal obligation to which the controller is subject, as its legitimate interest.

This decision demonstrates the importance of adequately classifying and identifying the legal bases for
processing personal data. Data protection, within the context of employment relations, is set to become a
topic of major discussion in the near future.

This document provides a general summary and is for information purposes only. It is not intended to be
comprehensive nor does it constitute legal advice. If you are interested in obtaining further information
please contact our office at:

Schuman & Co. Law Offices

13 Sederot Hareches

Building A Suite 27

Modiin, Israel 7178628

Tel: +972-8-990-0445| Fax: +972-8-990-0446

schuman@schumanlaw.co.il

http://www.schumanlaw.co.il/