August 23, 2019
Authored by: David Zetoony
The Greek data protection authority (“DPA”) recently announced a €150,000 fine against a company that required its employees “to provide consent to the processing of their personal data.” According to the DPA, as the “[c]onsent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties,” by asking for consent the employer had failed to identify the correct legal basis for processing which in turn caused the employer to issue an incorrect privacy notice to its employees (i.e., the privacy notice identified consent as the basis for processing instead of a basis approved by the DPA). While the amount of the fine fell well below the 4% of annual turnover maximum penalty theoretically permitted under the GDPR, its size has sent shockwaves through the human resource community as it represents one of the largest fines issued in the context of employment data. The overall message from the DPA was unmistakable – employers should stop asking their employees to broadly consent to a company’s privacy practices.
While technically the DPA’s holding only applies to data that is subject to Greek labor and employment laws, the DPA’s viewpoint is likely consistent with that of many supervisory authorities in the other Member States. In terms of understanding the larger context, the GDPR states that a company may process personal data so long as one (or more) of the following six situations applies: