Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, is generally known as GDPR to us lawyers and as a big headache to our clients.
GDPR is all-encompassing. It covers all areas of a business, past, present and future, and organizations had to be compliant by 25 May 2018, following a two-year transition period. We asked our clients what the basic lessons learnt were and which challenges their organizations faced since GDPR came into effect.
They consistently mention that the task is not easy, that it is very time-consuming, and that they often feel uncertain as to whether the end result of their efforts is indeed compliant. On the other hand, they also comment that the regulation was the justification they needed to clean house and take control of the data, personal and otherwise, flowing through the organization. It was an opportunity to question what information is collected, the procedures followed and the objectives of specific actions. In the end, GDPR resulted in a step change in management processes that benefited the organization.
One of the basic questions asked in the course of data analysis is whether a given piece of personal data was legally collected, i.e. was there a lawful basis for its collection? And if no lawful basis existed to justify collecting the information, did the organization obtain consent from the data subject to do so? These are indeed the right questions to ask. However, we noted that people were generally under the impression that, if they had obtained consent, they were authorized to collect the information. This is a misconception, and it is very clearly explained in the recent decision of the Hellenic Data Protection Authority regarding PWC Business Solutions (PWC) in Greece.
In Greece, PWC relied on consent to process employee personal data for payroll and employment purposes. The Regulator held that consent was the wrong legal basis for processing employee records. In its published decision, the Regulator noted that personal data may only be processed under one of the lawful bases listed in Article 6(1), and that the data subject must be informed of the basis relied on under Articles 13(1)(c) and 14(1)(c). Relying on Article 5(1)(a), the Regulator noted that consent should be used only where no other legal basis is available, and that it must be freely given, so that once consent is withdrawn the organization has no authority to continue processing the data. In this instance, the Regulator noted, consent given in the context of employment cannot be regarded as freely given, and a refusal of such consent could not give rise to an absolute prohibition on the processing of the personal data, because the employer had other legitimate grounds, such as compliance with legal obligations, on which to process the data. Further, the Regulator noted that not only had the company failed to meet its legal obligation to identify a lawful basis for the processing, it had also shifted its compliance obligations onto its employees by making them supply the legal basis through their consent.
In view of the above, PWC was ordered to take corrective measures within three months to bring its processing into compliance, and an administrative fine of €150,000 was imposed in addition.
You can find a summary of the decision here.
For further information or clarifications, please contact S. Dionysiou & Partners LLC at firstname.lastname@example.org / +357 22 272360.