On 30th July 2019, the Greek Data Protection Authority (the DPA) published decision number 26/2019, regarding a company and the processing of its employees’ data.
According to the complaint received by the DPA, the Company in question asked its employees to sign declarations of consent for the processing of their data by the Company, including the following: (a) their express consent for any processing of their data that is taking place by the Company at the moment or in the future, (b) consent to any processing and/or sharing of their data by third parties or the Company’s clients, according to the Company’s business interests, (c) implied consent to video-recording of the working environment.
The Company claimed that consent was not the only legal basis for the processing, and that processing was also allowed on the basis of the employment contract (Article 6(1)(b) of GDPR). However, it failed to prove what would happen if an employee revoked or refused to provide consent, stating that a secondary legal basis for processing existed and that the employees were promptly informed about the processing on every occasion.
The EU’s General Data Protection Regulation 2016/679 (the GDPR) sets various principles for the processing of personal data: fair and transparent processing, the principle of purpose limitation and, of course, accountability, meaning that a controller has to implement the necessary measures to comply with GDPR and to demonstrate their effectiveness. Article 6 of GDPR sets the legal grounds on which the controller may lawfully process personal data, such as consent, compliance with a legal obligation, performance of a contract, etc.
The DPA pointed out that the principles of lawful, fair and transparent processing of personal data require consent to be used as the legal basis only where other legal bases do not apply, so that once the initial choice has been made, it is impossible to swap to a different legal basis. If the data subject withdraws his or her consent, the controller is not allowed to carry on processing the personal data under a different legal basis. The DPA noted that where the legal basis of consent is properly applied, in the sense that no other legal basis is applicable, refusal of consent or its withdrawal is equivalent to an absolute prohibition on the processing of personal data.
Furthermore, the DPA stressed that consent of data subjects in the context of employment relations cannot be regarded as freely given, due to the clear imbalance between the parties. In the above case, the choice of consent as legal basis was inappropriate, as the processing was intended to carry out acts directly linked to the performance of employment contracts, i.e. compliance with legal obligations to which the controller is subject and the effective operation of the company (legitimate interest). The DPA emphasized that where the controller has doubts concerning the lawfulness of the processing, the controller must remove those doubts before processing or refrain from processing until the doubts have been removed.
The DPA found that the Company had (i) unlawfully processed personal data, (ii) done so in an unfair and non-transparent manner (by giving a false impression of the legal basis of the processing), and (iii) failed to demonstrate compliance with Article 5(1) of GDPR, thus violating the principle of accountability (Article 5(2) of GDPR), and imposed an administrative fine of €150.000.
Although many can argue that the fine imposed could be considered disproportionate to the violation, the DPA was right to find that the Company used a false legal basis for the processing. It is important for businesses to understand that ‘consent’ should only be used when none of the other legal bases apply.
Especially for employers, consent is rarely a legal basis, as it only applies when the employer gives employees an option to enter a scheme or a health insurance plan, or to have their photo published on the Company’s website. On these occasions, the employee shall have the right to deny or withdraw his/her consent, without affecting his/her career in any way. If the employee withdraws his/her consent, the employer must immediately cease the processing of the data, for example by removing the employee’s photograph from the website. This would not apply if the employer is obliged by employment legislation to hold employees’ data; employers should therefore be careful when drafting such consent documents or the privacy notices required by Article 13 of GDPR.
Full text of the decision can be found here.
You can read the Summary in English.