GDPR & HR: First fine imposed in Greece concerns the processing of personal data for HR-related purposes
The Greek Data Protection Authority has issued its first fine since the GDPR entered into force, sanctioning a company for incorrectly relying on consent as the legal basis for processing its employees' personal data for purposes related to the performance of the employment contract.
The employer relied on consent as the legal basis for processing employees' personal data for the following purposes:
- Registration and use of data for HR-related purposes (i.e., most likely, the performance of the employment relationship);
- Disclosure of data to third parties (tax authorities, labour authorities, etc.);
- Monitoring of data for security purposes (i.e. through the equipment and resources made available by the employer).
To this end, an annex to the individual employment agreement (or to any other form of collaboration with personnel) consisted of a statement by the data subjects concerned accepting the terms under which their personal data would be processed. The data subjects were expected to sign this annex.
During the investigation, the employer stated, among other things, the following:
- No disciplinary measures were taken against individuals who had not signed (at the date of the investigation, approximately 390 of the 415 employees had signed);
- Personal data is disclosed solely for purposes within the employment context, and no situations were identified in which unlawful disclosures outside that scope could take place;
- Since the statement also refers to the employer's need to comply with its legal obligations and to perform its contractual obligations towards employees, reliance on consent (as the legal basis for processing) was justified as a precautionary approach.
As expected, the authority found that consent is not a valid legal basis for processing personal data in the employment relationship, given the employees' subordinate position and the fact that consent was made a condition of performing the contract. The authority also noted the following:
- Having a legal basis for processing personal data does not exempt the controller from its obligation to comply with the data protection principles, including lawfulness, fairness and transparency, data minimisation and, in particular, accountability (i.e. the ability to demonstrate compliance with the other principles);
- The controller's choice of legal basis (here, consent) directly affects the exercise of data subjects' rights. By relying on consent, the employer created a misleading impression both as to the applicable legal basis (consent not being a valid one) and as to the rights available to employees, such as the possibility to withdraw consent or to have their data erased;
- A withdrawal of consent cannot result in the employer switching to a different legal basis for the processing (namely compliance with a legal obligation, performance of a contract or legitimate interest), as the legal basis must be determined at the time the data is initially collected;
- It is not appropriate to shift onto employees the responsibility for ensuring that the data they provide is adequate and relevant, or for choosing the legal basis, as these are obligations of the employer, not of the data subject.
A fine of EUR 150,000 was imposed for breach of the data protection principles, including lawfulness (correct identification of the legal basis), transparency (informing the data subjects) and accountability (the ability to demonstrate compliance with the other principles).
We consider this decision important not only because it draws attention to the unlawful choice of legal basis in the employment context, but in particular because it raises a flag about the wording of the various annexes and statements that employees sign in practice. Misleading wording can create confusion as to the legal basis for processing personal data, the purposes for which the data is processed and, above all, who bears responsibility for complying with the data protection principles.