News
π¨ SS2I Inappropriate legal basis π¨
π Greece | HDPA | €150,000 Fine
π Following a complaint, the Hellenic Data Protection Authority (HDPA) investigated an IT services company (SS2I) regarding the processing of employee data.
β Issue Identified:
Employees were forced to give their consent for the processing of their personal data.
π‘ Key Point:
π Consent cannot be considered freely given when there is a relationship of subordination between the data subject and the controller.
π In the workplace, employees must have a genuine choice, and must not suffer consequences or discrimination for refusing.
π Violations Noted:
- Articles 5.1.a and 5.2 of the GDPR: Principle of lawfulness and accountability.
- Article 6.1.a of the GDPR: Use of consent as an inappropriate legal basis.
βοΈ Consequences:
πΈ Administrative fine of €150,000
π Damage to reputation
π§ Obligation to bring data processing activities into compliance
π’ Key Takeaway:
Consent is not the default legal basis in an employment context.
Controllers should consider other valid grounds (e.g., performance of a contract, legal obligation, legitimate interest) depending on the processing purpose.