PricewaterhouseCoopers (PwC) is the first of the “Big 4” to be fined under GDPR.
The Greek Data Protection Authority (DPA) recently fined the audit group €150,000 for wrongly using “consent” as a basis for processing personal data on staff.
The DPA has now given PwC three months to implement corrective measures and comply with the GDPR.
An investigation was conducted into the lawfulness of the processing of personal data of PwC employees.
It was found that as the controller, PwC had unlawfully processed the personal data of its employees “contrary to the provisions of Article 5(1)(a) indent (a) of the GDPR since it used an inappropriate legal basis”.
The GDPR clearly establishes legal bases, under which personal data may be processed by controllers. Consent is one such basis, but it’s not the only one.
PwC was found to have unfairly and non-transparently processed the personal data of its employees, by giving them the false impression that their data was being processed under the legal basis of consent, in accordance with the GDPR.
Employees were required to give consent to the processing of their personal data.
However, their data was in fact being processed under a different legal basis, of which the employees had not been informed.
PwC’s choice of consent as the legal basis for processing its employees’ personal data was found to be inappropriate.
The data was processed in the course of the company’s commercial activities, and the employees were not informed about that.
The company has now been told:
• “To bring the processing operations of its employees’ personal data as described in Annex I submitted by the company into compliance with the provisions of the GDPR;
• To restore the correct application of the provisions of Article 5(1)(a) and (2) in conjunction with Article 6(1) of the GDPR in accordance with the grounds of the decision;
• To subsequently restore the correct application of the rest of the provisions of Article 5(1)(b)-(f) of the GDPR insofar as the infringement established affects the internal organisation and compliance with the provisions of the GDPR taking all necessary measures under the accountability principle”
Because PwC, in its role as controller, failed to demonstrate compliance and shifted that burden onto the data subjects, it did not comply with the accountability principle.
Its choice of consent as the legal basis for processing its employees’ personal data was also found to violate the GDPR’s fairness and transparency principles.
The company is known globally as a market leader in GDPR support and customers trust the consultancy to bring their policies in line with GDPR.
Clients all over Europe have relied on the company to bring their policies and approaches in line with the new regulation that was brought in last year.
PwC leads the professional services sector and is one of the top 50 brands worldwide in the annual Brand Finance Global 500.
The Global 500 is a list of the strongest and most valuable brands worldwide, with the top positions dominated by the technology sector.
They must now surely undertake some damage limitation to regain public confidence.
Reputation and trust are vital assets in any business and it’s fair to say that they must now take measures to reassure their clients that they will adhere to the terms as set out by the GDPR.
PwC should now take this as an opportunity to rectify their failings and to come back wiser and clearer on what is required from the regulation. Lessons must be learnt, and they must make sure they are fully GDPR compliant.