GDPR: Here we go (the first fine already imposed in Greece)
“The eye of Justice, which sees it all” wrote Menandros in his Monostiha (Single-Line Quotes).
This phrase, more or less, refers to what we know as “divine retribution”, which always, sooner or later, “administers justice”. Since, in reality, “divine retribution” (and often human retribution) does not exist and no authority has “the eye of justice, which sees it all”. Of course, neither the Data Protection Authority (hereafter: “Authority”) has such an eye that “sees it all”.
On the contrary: we know all too well how the human eye works -it (often restlessly) watches over everything taking place and, sometimes, reports to the relevant authorities. Sometimes it reports to the Authority as well (the moral dimension of reporting or the morality of the one making the report is a different, big issue). Specifically when it comes to the Authority, it has to make good use of the human eye (its own or the eye of the person who by name or anonymously makes relevant reports). The Authority is obligated to do so as part of its duties imposed to it by law. Especially the duties of the protector of the General Data Protection Regulation (hereafter: “Regulation”) and imposer of the fines provided, in case of a violation of the provisions of the Regulation.
ΙΙ. It all started when…
The Union of Accountants of the Region of Attica (and of course, behind the Union, an unpleased, probably for irrelevant reasons, employee) logged, on December 2017, a complaint against PriceWaterhouseCoopers S.A. (hereafter: “PwC”). This complaint was logged with the Authority as well as with the Ministry of Labor and Body of Labor Inspectors (ΣΕΠΕ) (obviously to bring more pressure).
The complaint regarded the illegal processing of PwC’s employees’ data (hereafter: “Data”). According to the complaint, the illegal processing was connected with the “Declaration of Acceptance of the Processing of Personal Data” as well as with the new individual contracts of employment, both of which contained provisions stating that the employees were giving their consent to the processing of their personal data and, even further than that, to their, in many levels, surveillance in the workplace (against the provisions of Act 2472/1997). PwC, being on the stronger side as the employer, dictated -according to the complaint- the employees to sign the two documents (contract agreement and declaration).
ΙΙΙ. The requirements needing to be met in order for the processing to be lawful, according to the Regulation
The Regulation came into force on the 25.5.2018. A highly interesting provision of the Regulation is that of article 6 par. 1, stating that:
“1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.”
IV. The procedure followed by the Authority that lead to the issuing of its no. 26/2019 decision.
The Authority, dealing for the first time with an issue in relation to the Regulation, spent quite some time researching the issue at hand, submitting a wide range of inquiries and requests. To avoid any misunderstandings and the creation of a precedent, the Authority felt the need to emphasize in its decision that “due to the fact that this is the initial period of the GDPR’s application, the Hellenic DPA submits specific questions and requests, while exercising its investigative – inspective powers in order to facilitate the documentation of accountability by controllers. Controllers are obligated, because of the Hellenic DPA’s investigative – inspective powers, to submit on their own, and without any inquiries or requests from the Authority, the measures taken and policies adopted internally in order to comply, since they already know them all, being the ones who planned and implemented that very internal organization” (§ 8).
What does that mean?
Sometime in the near future the Authority will require that the Controllers “justify their accountability”, without it (the Authority) feeling like it has to ask any questions at all. If the Controllers succeed in doing so sufficiently, good. If not, that’s good too…
V. The assumptions of the (no. 26/2019) decision of the Authority
A number of highly significant assumptions are stated in this decision. According to the writer’s opinion, the following are some of the most important ones:
i. Choosing the legal base for the processing of Data
(a) According to the Authority (§ 6):
“Collecting and processing personal data should not take place in secret or by hiding it from the data subject or by hiding all the necessary information (unless it is provided so from relevant legislation, in accordance with article 8 ECHR). The identification and choice of the appropriate legal basis under Article 6(1) of the GDPR is closely related both with the principle of fair and transparent processing and the principle of purpose limitation, and the controller must not only choose the appropriate legal basis before initiating the processing -documenting this choice internally in accordance with the principle of accountability-, but also inform the data subject about its use under Articles 13(1)(c) and 14(1)(c) of the GDPR, as the choice of each legal basis has a legal effect on the application of the rights of data subjects.
The data subject must be informed of its rights, of the lawful and reasonably expected true way its data is being processed as well as of the purpose behind the processing. The way and purpose of processing must not contradict with the reasonable and legitimate expectations regarding the protection of the subject’s privacy, or threat its fundamental rights and freedom, especially that of its right to the protection of its personal data, without the subject knowing.
As per the principle of fair and transparent processing, it is extremely important for the controller to choose the appropriate legal base, so as for the data subject to not falsely believe that it gives its consent as per article 6 par. 1.a’ GDPR, when in reality its data is being processed for the performance of a contract.”
Choosing the proper legal basis for the processing of personal data (hereafter: Data) is extremely important. It should be one of the legal bases provided for in paragraph 1 of article 6 of the Regulation exclusively and it should be communicated to the subject before the processing starts.
ii. Stating that more than one legal basis apply for the processing of Data
(a) According to the Authority (§ 12):
“While, for the processing of employees’ personal data which immediately relate to their work, the legal basis of article 6(1) b’ of GDPR applies, or for the fulfillment of the employer’s obligations in relation with the employees’ social security or the relating tax obligation the legal basis of article 6(1) c’ of GDPR applies or for the protection of the business’s property and effective operation of the business the legal basis of article 6(1) f’ of GDPR applies, nevertheless, the legal basis of consent, per article 6(1) a’ GDPR only applies to those cases where no other legal basis applies, as, for example, when an employer asks for its employees’ consent in order for them to be filmed in a video containing moments of the life in the workplace … or, for example, for them to be photographed in a photograph that will be posted on the corporate intranet along with other data of theirs…”
Choosing the consent of the subject as the legal basis for the processing of their Data is not a panacea: it solely applies in cases where no other legal basis does.
iii. Regarding the appropriate application of the legal base of consent -in general
(a) According to the Authority
(§ 14): “Where the legal basis of consent is properly applied, in the sense that no other legal basis is applicable, refusal of consent or its withdrawal is equivalent to an absolute prohibition on the processing of personal data.”
(§ 21): “In addition to what is already stated, it has to be stressed that where the controller has doubts concerning the lawfulness of the processing, the controller must, according to the provisions of GDPR and especially according to article 5(1) of GDPR and the principals of accountability according to paragraph 2 of the same article, remove those doubts before processing or refrain from processing until the doubts have been removed.
(§ 24): “Given that the company chose the legal basis of consent, whereas it was obligated, according to the aforementioned (see par. 14), to previously consider and rule out all other regal bases by justifying why it made that choice, so the Authority can examine whether that choice was correct. Thus, the company violated the principal of accountability.”
When the legal basis of consent is appropriately implemented for processing Data, refusal of consent or its withdrawal is equivalent to an absolute prohibition on their processing. Where there are doubts, the controller must refrain from processing until the doubts have been removed and until they first justify their choice.
iv. Regarding the proper application of the legal base in consent in monitoring the employees’ electronic communication
(a) According to the Authority
(§ 16): “Consent does not constitute the proper legal basis for processing employees’ personal data when monitoring their electronic communications, the legal basis of art.6 par. 1 ver. f of GDPR does, as stated before… Respectively, in that case, choosing legal basis of art. 6 (1) b’ of GDPR for the performance of the contract is problematic, because, on one hand, (depending on the nature of the employment) such processing might exceed what is necessary for the performance (of the contract), while, on the other hand, the argument… that controlling the employees for security or management purposes, installing and operating systems for reporting malpractices and for the protection of the physical safety as well as for the protection of IT and networks are generally considered … the legitimate interest of the DPO, is well founded, as long as it is “allowed by law”…”
(§ 23): “The Authority has referenced in detail to the conditions, procedures and guarantees relating to monitoring the employees’ means of communication and electronic equipment by the employer, with its no. 34/2018 decision, where it ruled that among the conditions for the lawful processing of personal data, is the creation and application of an internal regulation for the proper use and operation of the equipment and information network and communications, and it also listed the regulation’s minimum content (policies etc).”
The issue regarding the conditions, procedures, and guarantees in relation to the monitoring of the employees’ means of communication and electronic equipment is extremely wide and important and it exceeds the limits of this article. What can be mentioned and stressed in this regard, is that, usually, such monitoring must take place within article 6(1)f’ of the Regulation: when the processing is necessary in order for the controller or a third party -given the very important restrictions- to serve their legitimate interests.
v. Shifting the obligation for accountability to the employees
(a) According to the Authority (§ 24):
“ Furthermore, as mentioned in no. 18 ii of the present decision, the company shifted its own accountability, with which it was charged in that specific case, over to the employees, violating article 5, par. 2 GDPR. Specifically, the company asked its employees to sign at Annex I that they “recognize”:
By doing so, the company shifted its own obligation for accountability in relation to the principal of data minimization over to the data to the subjects, when only itself was responsible, as part of its internal organization and compliance, to assess which of the personal data are relevant and appropriate for the pursued legitimate aim pursued, given that the company requests from its employees to give data that are necessary for the interests pursued. In any other case, the employees would submit whichever data they wanted, or even none.
Combining the above with the company’s statement made at the hearing of their memo before the Authority, containing that: “[…] facing the (still) new and specialized legislation for the protection of personal data, we adopted a conservative approach and, trying to be as secure as possible, and also so as to not compromise -not even create any thoughts that we might compromise the rights of our employees, we asked for the consent of our staff…”, we deduct that the company wrongfully assumed that by having the data subjects sign the provisions in Annex I, it is “exonerated from all liabilities”, when, in reality, the employees usually do not have the specialized knowledge to check the legality and compliance with the principles of article 5 par. 1 GDPR, with which, according to article 5 par.2, burdens the Controller. Therefore, the company in this case also, violated the principle of accountability.
Finally, the company by choosing an inappropriate legal basis for the processing, according to article 6, par. 1 GDPR (initially the basis of consent, followed by the basis of performing a contract for all data processed) the company violated its, according to article 5 par. 2, obligation to comply and prove its compliance with paragraph 1 of the same article (principle of accountability)”.
Accountability is a very important obligation of the Controller, with which the Controller is solely burdened. The shifting of this obligation and the relevant burden over to the employee [i.e. (the Controller) “is doing everything right”] is not only ineffective, but also aggravating and problematic for the Controller.
VI. The ruling no. 26/2019 decision of the Authority
With this ruling, the Authority: a) required PwC to comply with the provisions of the Regulation within 3 months and b) imposed on PwC an “… effective, proportional and deterrent administrational fine of 150.000 euros”.
VII. In conclusion
Most of the companies in our country: either did not bother with GDPR at all until (and/or after) the Regulation came into force (25.5.2018) because of lack of information, indifference or an expectation of “an extension” or did as little as possible [either it being a choice (thinking “let’s do the minimum/cheapest”) or the result from choosing the wrong consultants].
The Authority with its 26/2019 decision proves that the “grace period” has come to an end and that “the salad days are over”. The case we referred to is indicative of the fact that the size and/or specialization of the controller does not mean anything. Among others: neither that they will be treaded favorably by the Authority.
The Regulation is based on the principal of self-regulation. The Authority will neither approve the relevant compliance of the businesses nor become aware of possible diversions. Unless…
Unless it conducts an inspection on its own, as it is entitled to do, or receives a complaint.
Our initial fears, even before the Regulation was implemented, are unfortunately now a reality: the majority of businesses (a) are insufficiently prepared or not prepared at all for their compliance with the Regulation and (b) are exposed to serious sanctions.
Is there still time?
Of course! But only until the “eye that sees it all” discovers the “ills” and decides to make relevant complaints: obviously not to serve a higher cause (e.g. justice) but, most likely, having low motives.
P.S. A brief version of this article has been published in MAKEDONIA Newspaper (August, 11th, 2019).