It was recently determined by the Hellenic Data Protection Authority (‘HDPA’), the Greek counterpart of Ireland’s Data Protection Commission, that PwC were in breach of the General Data Protection Regulation 2016 (GDPR), more specifically Article 5 therein, for incorrectly processing their employees’ data on the legal basis of consent alone. As a result, the company was fined €150,000 and given 3 months to correct the breaches.
The investigation carried out by the HDPA uncovered that the company was wrongly requiring its employees to give unconditional consent for the processing of their personal data at work. Employees were required to sign a Statement of Acceptance of Terms of Personal Data to permit PwC to process their data. Article 6 (1) of GDPR provides that in order for consent to be valid, it must be given ‘freely and explicitly’ by the data subject. The HDPA deemed that in an employee and employer relationship consent cannot be obtained in this manner due to the clear imbalance of bargaining power between the parties, thus rendering the consent invalid.
Data protection in Ireland is governed by the Data Protection Acts 1988-2018. The protection of data subjects is of paramount importance and so, these Acts require that their data be processed in a ‘lawful, fair and transparent manner’ as per Art 6 of GDPR. The processing of personal data can only be done on one of the following grounds:
- With the consent of the data subject;
- To fulfill a contractual obligation which is owed to the data subject;
- To satisfy a legal obligation;
- To protect the vital interests of the data subject;
- To carry out a task that is in the public interest;
- For the legitimate interests of the processor.
When processing data, the data controller (‘the Employer’) must rely on one of the above in order to render said processing valid and lawful. The most common basis for processing data is consent. This is often achieved through what is commonly known as a ‘Privacy Notice’. The notice, which comes in a variety of forms, must set out the exact information that is being collected from the data subject; the basis on which the data is being gathered; and with whom, if anyone, this information is being shared. Only upon receiving such notice may an individual properly consent to their data being processed. GDPR and the 2018 Act require such consent to be ‘clear, direct and unambiguous’. Failure to meet that standard renders any and all consent for lawful processing invalid.
A common misconception is that all processing of data must be consented to. Alternatively, data may be processed for the ‘performance of a contract’. An example of this can be seen in an employment relationship, whereby employers collect information such as PPS numbers, bank details and addresses relating to the data subject, as said data is necessary to pay that individual. This in turn justifies its collection, without the employee’s consent, through the execution of their contract. Again, however, data controllers are subject to strict limitations, in that data may only be collected for a specific purpose and can go no further than is necessary to achieve said goal.
The HDPA found in its investigation of PwC that consent as the legal basis in an employment scenario is inappropriate and that ‘performance of a contract’ under Article 6 (1) (b) of the GDPR and/or ‘compliance with a legal obligation’ would be more appropriate. This serves as an important reminder for all employers processing data. In light of this decision, employers should be more attentive to the manner in which data is processed and the basis on which they are relying. As a result, company policies and employees’ contracts of employment may need to be reviewed in that regard; otherwise, employers may be exposing themselves to potential contraventions of the Data Protection Acts down the line.
Under the new legislative framework, data subjects are entitled to compensation for ‘non-material’ damage – otherwise known as emotional distress – if a data controller is found to be engaging in unlawful processing. Specifically, a data subject may seek compensation pursuant to s 117 of the 2018 Act and Article 82(1) of GDPR. Section 117 of the 2018 Act provides that a data subject may, where he considers that his rights under a relevant enactment have been infringed as a result of the processing of his personal data in a manner that fails to comply with a relevant provision, bring an action against the controller concerned for material and non-material damage suffered. Due to the lack of clarity associated with quantifying emotional distress, there is a corresponding lack of guidance as to how such will be interpreted before the courts. Despite this, the 2018 Act provides that a claim may be pursued in either the Circuit Court or the High Court. This suggests that awards for non-material damage would at the very least be for €15,000, the minimum standard for a claim before the Circuit Court.
As it stands, this area of law is in its infancy and no claim has yet run under the new legislation, as all cases have been settled out of court. This has created a degree of uncertainty, and it remains to be seen how the courts will determine the extent of compensation payable for such breaches going forward. In any event, this does not prevent the Data Protection Commission from issuing fines for breaches of the law.
Robin Hyde is a trainee solicitor at Purdy & Co Solicitors in Galway. For those seeking further information on data protection generally, consider taking out a free trial of our IP / IT Law service.