The corporate world got a shock recently when the data protection enforcement body of Greece imposed a fine on one of the Big 4. PwC’s Greek holdings, “PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA”, received a fine of 150 000 EUR under Article 83 of the GDPR.
In addition, the Hellenic DPA imposed corrective measures on the organization, to be complied with under the European Regulation.
Why was PwC fined?
The GDPR clearly establishes the legal bases under which personal data may be processed by controllers. Consent is one such basis, but it’s not the only one. And PwC’s choice of consent as a legal basis for processing personal data of its employees was not appropriate, the DPA found.
The data was processed in the course of the company’s commercial activities, and the employees were not informed about that. That kind of approach was found to be in violation of the GDPR’s fairness and transparency principles.
The accountability principle was also not complied with, since the company failed to demonstrate appropriate compliance and transferred the burden to data subjects. As PwC was in this case a controller of personal data, such a transfer was inappropriate.
The Greek company was therefore fined and given a deadline of three months to take certain measures to become compliant.
What does it mean?…