With a year of GDPR enforcement behind us, companies are now exposed to different interpretations of the law by different supervisory authorities imposing fines on various counts.
Two recent decisions that attract special attention are:
a) The Hellenic (Greek) DPA decision imposing a fine of EUR 150,000 on PricewaterhouseCoopers Business Solutions SA (PWC)
The Hellenic decision focuses on the GDPR issues related to employee data while the UK ICO order relates to the jurisdiction aspect of the UK DPA on a Canadian Company.
In the Hellenic order, the DPA imposed the fine based on a complaint and an ex-officio investigation on the “lawfulness” of the processing of personal data of the employees.
According to the order it appears that the DPA objected to the company demanding consent to the processing of the personal data. The DPA considered that for the data to be considered as processed “lawfully”, all the conditions mentioned in Article 5(1) should be met.
Article 5(1) is reproduced below and states:
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
The DPA further held that “The identification and choice of the appropriate legal basis under Article 6(1) should be informed to the data subject since the choice of the legal basis has an effect on the application of the rights of the data subjects.”
Article 6(1) states that:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child…
While Article 6(1) states that processing would be lawful if “at least one” of the conditions stated there is satisfied, the DPA made the following observation:
“The principles of lawful, fair and transparent processing of personal data pursuant to Article 5(1)(a) of the GDPR require that consent be used as the legal basis in accordance with Article 6(1) of the GDPR only where the other legal bases do not apply, so that once the initial choice has been made it is impossible to swap to a different legal basis.” Consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties.
It further held “In this case, the choice of consent as the legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest”.
The decision of the DPA appears too harsh, since the employer-employee relationship is bound by a contract and the alleged violations were technical in nature.
Organizations therefore need to ensure that their legitimate interest is properly defined and tied to the employment contracts.
The GDPR itself does not seem to indicate the need for such a harsh treatment of the issue since Article 88 leaves it to the individual states to provide more specific rules for protecting the employee’s personal data.
Managing the employer-employee relationship is a matter of contract, under which the employer should have the right to make background checks before employment, profile employee behaviour during employment and conduct an appropriate exit interview to document the reasons for leaving. GDPR interpretation should therefore not interfere in the management of the company.
The decision should therefore be challenged in an appeal to ensure that wrong precedents are not set by over-enthusiastic DPAs. Every organization will have a set of disgruntled employees who are likely to raise an issue of this nature just to put the employer into a legal tangle.
GDPR is not clear about the appeal process, and it is to be inferred from Article 79(1) that any legal person aggrieved by the order of a supervisory authority shall have recourse to the normal judicial remedies in the member state.