Introduction: On 31 July 2019, PricewaterhouseCoopers (PwC) was found to have violated the EU General Data Protection Regulation (GDPR) because it lacked a lawful basis for processing its employees' personal data. The Greek data protection authority imposed a fine of EUR 150,000 on the company. This is also the first penalty in the EU for a violation involving employee data. The authority found that PwC, as the controller of the personal data:
(1) violated Article 5(1)(a) of the GDPR by unlawfully processing its employees' personal data on an inappropriate legal basis;
(2) violated Article 5(1)(a), (b) and (c) of the GDPR by processing its employees' personal data in an unfair and non-transparent manner, giving employees the false impression that the company's legal basis for processing their data was Article 6(1)(a) of the GDPR, whereas the data were in fact processed on another legal basis about which the employees had never been informed;
(3) bore the obligation to demonstrate that its processing complied with the GDPR but was unable to do so, in violation of the accountability principle under Article 5(2) of the GDPR.
Accordingly, the authority ordered PwC to bring its processing into compliance within three months. (This article is sourced from the website of the European Data Protection Board. The introduction is original to this public account; please credit this public account when reposting.)
Exercise of the Hellenic DPA’s corrective powers pursuant to the GDPR for selection and application of inappropriate legal basis and violation of the principle of accountability by a company
Company fined €150,000 by the Hellenic DPA
The Hellenic Data Protection Authority, in response to a complaint, conducted an ex officio investigation of the lawfulness of the processing of personal data of the employees of the company ‘PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA’ (PWC BS). According to the above complaint the employees were required to provide consent to the processing of their personal data.
The DPA considered that PWC BS as the controller:
i. has unlawfully processed the personal data of its employees contrary to the provisions of Article 5(1)(a) indent (a) of the GDPR since it used an inappropriate legal basis.
ii. has processed the personal data of its employees in an unfair and non-transparent manner contrary to the provisions of Article 5(1)(a) indent (b) and (c) of the GDPR giving them the false impression that it was processing their data under the legal basis of consent pursuant to Article 6(1)(a) of the GDPR, while in reality it was processing their data under a different legal basis about which the employees had never been informed.
iii. although it was responsible in its capacity as the controller, it was not able to demonstrate compliance with Article 5(1) of the GDPR, and that it violated the principle of accountability set out in Article 5(2) of the GDPR by transferring the burden of proof of compliance to the data subjects.
The Hellenic DPA, after ascertaining the infringements of the GDPR, decided that in this case it should exercise the corrective powers conferred on it under Article 58(2) of the GDPR by imposing corrective measures, and that it would order the company in its capacity as the controller within three months:
to bring the processing operations of its employees’ personal data as described in Annex I submitted by the company into compliance with the provisions of the GDPR;
to restore the correct application of the provisions of Article 5(1)(a) and (2) in conjunction with Article 6(1) of the GDPR in accordance with the grounds of the decision;
to subsequently restore the correct application of the rest of the provisions of Article 5(1)(b)-(f) of the GDPR insofar as the infringement established affects the internal organisation and compliance with the provisions of the GDPR taking all necessary measures under the accountability principle.
Moreover, as the above corrective measure is not sufficient in itself to restore compliance with the GDPR provisions infringed, the Hellenic DPA considered that, based on the circumstances identified in this case and under Article 58(2)(i), an additional effective, proportionate and dissuasive administrative fine should be imposed in accordance with Article 83 of the GDPR, which amounts to one hundred and fifty thousand Euros (EUR 150,000.00).
Statement: This article is from 个人信息与数据保护实务评论 (Personal Information and Data Protection Practice Review); copyright belongs to the author. The content represents the author's independent views only and does not represent the position of 安全内参; it is reposted in order to share more information. In case of any infringement, please contact anquanneican@163.com.