€150,000 GDPR fine for wrongly using “consent” as a basis for processing personal data of staff

The Greek Data Protection Authority (“DPA” the equivalent of the UK’s Information Commissioner’s Office/ICO) has just fined PWC €150,000 for GDPR breaches in connection with its processing of employee data. In particular, the DPA found that PWC was incorrectly processing personal data on the basis of consent where this was not appropriate.

For those employers and HR professionals who have been keeping up to speed with their GDPR obligations towards employees, job applicants, and other members of staff it will come as no surprise that consent, which has to be freely given, is very unlikely to be appropriate for employers to rely on to process personal data except in very limited cases. This is due to the imbalance in the nature of the employer/employee relationship and conditions around how “consent” is to be interpreted under the GDPR. The European Data Protection Board WP29 Guidelines specifically address the employment relationship with consent.

Previously, employers made wide use of employee consent for processing both personal data and sensitive personal data (now “special categories of data” – defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying someone, data concerning health, or a person’s sex life, or sexual orientation. Criminal offences are dealt with separately). However, the GDPR’s much stricter rules on consent, the limitations on it and the ease with which employees must be able to withdraw it, mean consent is very unlikely to be able to be relied on generally by employers. That is the recommendation both of the ICO and the EU GDPR Working Party (although there may still be specific very limited circumstances in individual cases where consent is appropriate). Therefore, employers must look to other lawful means of processing personal data under Article 6, such as those identified in the Greek DPA decision:

• for the performance of employment contracts;
• for compliance with a legal obligation to which the controller is subject;
• for the smooth and effective operation of the company, as its legitimate interest.

In addition, further safeguards are required where the personal data consists of special categories of data, which must not be processed unless different conditions are fulfilled.

The Greek DPA decision (No 26/2019) confirmed that consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties. It noted that:

• In this case, the choice of consent as the legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest.
• In addition, the company gave employees the false impression that it was processing their personal data under the legal basis of consent, while in reality it was processing their data under a different legal basis about which the employees had never been informed. This was in violation of the principle of transparency and thus in breach of the obligation to provide information under Articles 13(1)(c) and 14(1)(c) of the GDPR.

The imposition of a 6-figure fine specifically in relation to employee information is a warning shot to those employers who have not yet got their house in order. Blake Morgan’s employment GDPR specialists can help you with:

• drafting/amending privacy notices for job applicants, employees and leavers;
• discussing and making changes to your contracts of employment and other documentation to ensure that consent is not a basis relied upon;
• drafting a bespoke “appropriate policy document” for special categories of data as required by the DPA 2018;
• advising on the impact of the GDPR in relation to day-to-day HR issues including recruitment, monitoring and social media;
• advising on staff subject access requests;
• training HR teams and staff on the changes.

In addition our specialist commercial GDPR team can help your organisation with their wider GDPR compliance not limited to the employment relationship.