Fine EUR 150,000 to multinational company in Greece for GDPR violations


The Greek Data Protection Authority has imposed a fine of 150,000 euros on PWC BS A.E. for violations of the General Data Protection Regulation. In particular, the Personal Data Protection Authority, upon a complaint, investigated on its own motion the legality of the processing of the personal data of employees of PWC BS (PRICEWATERHOUSECOOPERS BUSINESSSOLUTIONS SA) pursuant to which the abovementioned employees were forced to consent to the processing their personal data for three (3) distinct purposes.
The Authority considered PWC BS as the controller:
1) has undergone unlawful processing, in breach of the provisions of Article 5 (1) (e); a) of the GDPR (principle of legality), the personal data of its employees, as it applied an inappropriate legal basis under Art. 6 (1)  a  GDPR (consent) instead of the appropriate legal basis for the performance of the contract, compliance with a legal obligation and the superior legal interest (Art. 6 (1), b, c' and g  GDPR).
2) in an unlawful and no transparent manner, in breach of Article 5 (1) (e); (a) b and c (GDPR) (the principle of objectivity and transparency), the personal data of its employees, as it gave them the false impression that they processed it in accordance with the legal basis of their consent in accordance to 6 (1) a’GDPR.In practice, it was processed on another legal basis, for which the employees were never informed.
3) as controller, although he was responsible, was unable to comply with and demonstrate compliance with Article 5 (1) of the GDPR in breach of the principle of accountability provided for in Article 5 (2) and he carried the burden of compliance on employees.

Comments

Post a Comment

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Climate change initiatives enshrined in AI, legal and political action

Image
Written by Efi Thoma, Lawyer LL.M. | IMES According to Professor, Yuval Noah Harari artificial intelligence (“AI”) and climate change constitute the challenges which will define the future of humanity, and addressing them is essential for global stability and progress.  His clairvoyance is aligned with other scholars who believe, however, that there are many different ways that AI can be an invaluable ally for combating climate change. Who shall take, however, the legal responsibility of any potential wrongdoings, in case that AI goes rogue, in lack of a robust legal framework regulating AI? Researches have shown that AI can predict accurately climate phenomena and perform climate simulations at a global level, enhancing the awareness and enabling the preparation of efficient climate policies as well as legal and regulatory frameworks to combat the climate crisis, by ensuring a proactive, informative approach. Could AI be also used for calculating and reducing CO₂ emi...
Read more

Protection of Lawyer Profession: Parliamentary Assembly gives green light to new Council of Europe treaty

Image
Parliamentary Assembly has warmly welcomed the draft  Council of Europe Convention for the Protection of the Profession of Lawyer , pointing out that lawyers play a key role in administering justice and ensuring public confidence in the law. Approving an opinion based on a report by Vladimir Vardanyan (Armenia, EPP/CD), the Assembly said lawyers are increasingly becoming targets of harassment, intimidation and attacks. The new Convention requires states to protect them in various ways, allowing them to practise without fear of discrimination or interference. It also establishes standards for professional associations of lawyers and sets up a robust monitoring mechanism. However, the Assembly regretted the lack of specific provisions on the use of secret surveillance against lawyers, and called for the addition of a clause specifically prohibiting states from entering reservations to the Convention, to ensure it is fully implemented. Taking part in the debate, the Attorne...
Read more

Prohibiting contact between children and their mother in custody and contact rights case was unjustified (ECtHR)

Image
The case of X and Others v. Slovenia (application nos. 27746/22 and 28291/22) concerned custody decisions and contact rights following the separation of X from her children’s father in 2018. It also concerned the reassignment of X’s court case to a particular judge.  In Chamber's judgment in the case, the European Court of Human Rights held, unanimously, that there had been a violation of Article 6 § 1 (right to a fair trial) of the European Convention on Human Rights, as regards X’s right to a tribunal established by law, and violations of Article 8 (right to respect for private and family life) with respect both to:  - the applicant children, as regards the order to remove them from X’s (their mother’s) care in March 2020, their not being represented in the contact and custody proceedings, and their not being allowed contact with their mother;  - X, for not being allowed contact with her children.  The Court found in particular that the President of the District Co...
Read more

GDPR and rail transport: A customer’s gender identity is not necessary data for the purchase of a transport ticket

Image
In its judgment in Case C-394/23 (Mousse) the EU Court of Justice ruled that a rail transport customer’s gender identity is not necessary data for the purchase of a transport ticket. The collection of data regarding customers’ titles is not objectively indispensable, in particular where its purpose is to personalise commercial communication.  The association Mousse challenged, before the French data protection authority (the CNIL), [1] the practice of the French railway undertaking SNCF Connect whereby the latter systematically requires its customers to indicate their title (‘Monsieur’ or ‘Madame’) (‘Mr’ or ‘Ms’) when purchasing transport tickets online. That association takes the view that that requirement infringes the General Data Protection Regulation (GDPR), [2] in particular in the light of the principle of data minimisation, because an indication of the title, which corresponds to a gender identity, does not appear to be necessary for the purchase of a rail transport ticket....
Read more