The Hellenic Data Protection Authority (DPA) is requiring PwC to implement corrective measures within three months. 

In response to a complaint, the Hellenic DPA conducted an ex officio investigation into the lawfulness of the processing of personal data of employees working at PwC. According to the complaint, employees were required to give consent to the processing of their personal data. 

Following the investigation, the Hellenic DPA concluded that PWC BS as the controller, had unlawfully processed the personal data of its employees “contrary to the provisions of Article 5(1)(a) incident (a) of the GDPR since it used an inappropriate legal absis”.

Additionally it was concluded that PwC had unfairly and non-transparently processed the personal data of its employees, by giving them the false impression that their data was being processed under the legal basis of consent, in accordance to GDPR, whilst in reality their data was being processed under a different legal basis, to which the employees had not been informed about. 

Hellenic DPA also decided that though PwC was responsible in its capacity as a controller, “it was not able to demonstrate compliance with Article 5(1) of the GDPR”, and had violated the principle of accountability laid out in Article 5(2) of the GDPR “by transferring the burden of proof of compliance to the data subjects”. 

As a result The Hellenic DPA have imposed a fine, in accordance with Article 83 of GDPR, amounting to €150,000. 

Furthermore, corrective measures are being imposed by the DPA, and would require the company, “in its capacity as the controllower within three (3) months:

  • To bring the processing operations of its employees’ personal data as described in Annex I submitted by the company into compliance with the provisions of the GDPR;
  • To restore the correct application of the provisions of Article 5(1)(a) and (2) in conjunction with Article 6(1) of the GDPR in accordance with the grounds of the decision;
  • To subsequently restore the correct application of the rest of the provisions of Article 5(1)(b)-(f) of the GDPR insofar as the infringement established affects the internal organisation and compliance with the provisions of the GDPR taking all necessary measures under the accountability principle”

PwC have yet to comment.