Audit and consulting services company PwC has been fined EUR 150,000 by the Hellenic DPA for choosing 'consent' as the legal basis for processing data on employees. According to the DPA, the processing was in fact already lawful, since it was required in order to fulfil a contract, comply with a legal obligation and pursue a legitimate interest.
It follows from the GDPR that personal data may only be processed when there is a lawful basis for processing, including, for example, consent. However, according to the Hellenic DPA, the GDPR's fundamental principle of transparency entails that consent may not be used as the legal basis for processing if one of the other legal bases applies.
Hence, the decision states that consent may not be obtained 'as a precautionary measure', but only in those cases where processing is not lawful on another legal basis.
A summary of the decision is available here (in English)
In order to streamline the recording of absence, a Swedish high school initiated a 3-week pilot project in which a facial recognition camera was set up in one of the classrooms. Rather than savings, the monitoring resulted in a fine of SEK 200,000 (approx. EUR 18,600); Sweden has thereby been added to the list of countries that have issued fines under the GDPR.
Before setting up the camera, the high school had obtained consent from the students' guardians. However, the Swedish DPA did not consider consent a lawful basis for processing. It follows from the GDPR that consent must be 'voluntary' and can therefore not be used as a basis for processing in situations where there is considerable inequality between the parties. The DPA emphasised that this was exactly the case here, as the students were regarded as being in a state of dependence on the school in terms of grades, education, etc.
Moreover, the monitoring was contrary to the principle of data minimisation. The DPA was of the opinion that the monitoring violated personal integrity disproportionately, as the recording of absence could be carried out effectively by much less intrusive methods. Finally, the impact assessment was insufficient; for example, there was no description of the proportionality of the processing in relation to the purpose.
Read the decision here (in Swedish)