The Greek arm of PriceWaterhouseCoopers have been fined €150,000 after an investigation found they were unlawfully relying on employees’ consent to process personal data.

PWC claimed to be relying on consent but data was in fact processed to comply with contract obligations. By allowing employees to believe that their data was being processed with their consent, PWC was misleading employees into thinking that PWC would stop the processing if consent was withdrawn. This was inaccurate.

The Hellenic Data Protection Authority (HDPA, the equivalent of the UK’s ICO) found that PWC had:

1. unlawfully processed the personal data of its employees contrary to Article 5(1)(a) indent (a) of the GDPR since it used an inappropriate legal basis.
2. processed the personal data of its employees in an unfair and non-transparent manner contrary to the provisions of Article 5(1)(a) indent (b) and (c) of the GDPR giving them the false impression that it was processing their data under the legal basis of consent, while in reality it was processing their data under a different legal basis about which the employees had never been informed.
3. violated the principle of accountability set out in Article 5(2) of the GDPR by transferring the burden of proof of compliance to the data subjects.

In addition to the €150,000 fine, PWC are required to:

• clearly and accurately identify the lawful basis on which they rely for each data processing activity, and communicate this to employees;
• demonstrate compliance by keeping accurate records of their processing activities, and having copies of data handling policies and privacy notices; and
• work with the relevant data authority as soon as they are notified of an investigation.

What does this mean for processing of criminal records data?

Employers who process criminal records data must identify both a lawful basis under Article 6 and a condition of processing under Article 10. We regularly see employers rely upon consent – ‘if they don’t want to work here, they don’t have to tell us’.

Where employers rely on consent to process criminal records data this must be genuine consent – for example, if applicants are asked about criminal records they can ignore the question and still be considered, or they can withdraw consent to the processing at a later stage. If the employer intends to use criminal records information regardless of the applicant’s consent, they must identify an alternative lawful basis and make applicants aware of this.

Employers should also demonstrate compliance, by having accessible and up-to-date policies on the handling of criminal records data and recruitment and privacy notices for applicants and employees.

More information: Unlock’s Guidance for employers on the GDPR

More information: Practical guidance on asking about criminal records