Fine EUR 150,000 to multinational company in Greece for GDPR violations


The Greek Data Protection Authority has imposed a fine of 150,000 euros on PWC BS A.E. for violations of the General Data Protection Regulation. In particular, the Personal Data Protection Authority, upon a complaint, investigated on its own motion the legality of the processing of the personal data of employees of PWC BS (PRICEWATERHOUSECOOPERS BUSINESSSOLUTIONS SA) pursuant to which the abovementioned employees were forced to consent to the processing their personal data for three (3) distinct purposes.
The Authority considered PWC BS as the controller:
1) has undergone unlawful processing, in breach of the provisions of Article 5 (1) (e); a) of the GDPR (principle of legality), the personal data of its employees, as it applied an inappropriate legal basis under Art. 6 (1)  a  GDPR (consent) instead of the appropriate legal basis for the performance of the contract, compliance with a legal obligation and the superior legal interest (Art. 6 (1), b, c' and g  GDPR).
2) in an unlawful and no transparent manner, in breach of Article 5 (1) (e); (a) b and c (GDPR) (the principle of objectivity and transparency), the personal data of its employees, as it gave them the false impression that they processed it in accordance with the legal basis of their consent in accordance to 6 (1) a’GDPR.In practice, it was processed on another legal basis, for which the employees were never informed.
3) as controller, although he was responsible, was unable to comply with and demonstrate compliance with Article 5 (1) of the GDPR in breach of the principle of accountability provided for in Article 5 (2) and he carried the burden of compliance on employees.

Comments

Post a Comment

Popular posts from this blog

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

The “Green Maze”: Environmental Obligations for Cement Companies in Greece and Cyprus

Image
Written by Efi Thoma * The cement industry plays a crucial role in the infrastructure development of both Greece and Cyprus. However, this essential sector also carries a significant environmental footprint. From quarrying raw materials to the energy-intensive production process, cement companies face increasing scrutiny and stringent legal obligations aimed at mitigating their impact on the environment. This article delves into the key environmental issues and the pertinent legal frameworks in Greece and Cyprus that cement manufacturers must navigate. Both Greece and Cyprus, as members of the European Union, are bound by a substantial body of EU environmental law. This includes cornerstone directives such as the Environmental Impact Assessment (EIA) Directive, the Industrial Emissions Directive (IED), the Waste Framework Directive, and legislation addressing climate change and biodiversity. These EU regulations are transposed into national law in both countries, forming the bedrock ...
Read more

Prohibiting contact between children and their mother in custody and contact rights case was unjustified (ECtHR)

Image
The case of X and Others v. Slovenia (application nos. 27746/22 and 28291/22) concerned custody decisions and contact rights following the separation of X from her children’s father in 2018. It also concerned the reassignment of X’s court case to a particular judge.  In Chamber's judgment in the case, the European Court of Human Rights held, unanimously, that there had been a violation of Article 6 § 1 (right to a fair trial) of the European Convention on Human Rights, as regards X’s right to a tribunal established by law, and violations of Article 8 (right to respect for private and family life) with respect both to:  - the applicant children, as regards the order to remove them from X’s (their mother’s) care in March 2020, their not being represented in the contact and custody proceedings, and their not being allowed contact with their mother;  - X, for not being allowed contact with her children.  The Court found in particular that the President of the District Co...
Read more

Automated credit assessment: The data subject is entitled to an explanation as to how the decision was taken in respect of him or her

Image
In its Judgment (27.2.2025) in Case C-203/22 (Dun & Bradstreet Austria) as regards the automated credit assessment, the Court of Justice ruled that the data subject is entitled to an explanation as to how the decision was taken in respect of him or her. The explanation provided must enable the data subject to understand and challenge the automated decision. In Austria, a mobile telephone operator refused to allow a customer to conclude a contract on the ground that her credit standing was insufficient. The operator relied in that regard on an assessment of the customer’s credit standing carried out by automated means by Dun & Bradstreet Austria, an undertaking specialising in the provision of such assessments. The contract would have involved a monthly payment of €10. In the ensuing dispute, an Austrian court found, by final decision, that Dun & Bradstreet had infringed the General Data Protection Regulation (GDPR). [1]. Dun & Bradstreet had failed to provide the custom...
Read more

Air passenger rights: A boarding pass may be sufficient to prove a confirmed reservation on a flight

Image
According to the Judgment of the European Court of Justice in Case C-20/24, a boarding pass may be sufficient to prove a confirmed reservation on a flight. Payment by a third party of the price of the package tour, including a flight, does not exclude the right to compensation in the event of long delay of a flight.  An air carrier offering charter flights concluded a contract with a tour operator. Under that contract, the carrier operated, on specific dates, flights for which that tour operator, after paying for the flights, sold tickets to air passengers. Two air passengers participated in a package tour, including a flight from Tenerife to Warsaw, the arrival of which was delayed by more than 22 hours. The contract relating to the package tour was concluded between a third company, on behalf of those passengers, and that tour operator. The passengers concerned claimed compensation from the air carrier under EU law. [1]  The latter refused to pay that compensation. It argued...
Read more