News

📍 Greece | HDPA | €150,000 Fine

🔍 Following a complaint, the Hellenic Data Protection Authority (HDPA) investigated an IT services company (SS2I) regarding the processing of employee data.

❌ Issue Identified:
Employees were forced to give their consent for the processing of their personal data.

💡 Key Point:
👉 Consent cannot be considered freely given when there is a relationship of subordination between the data subject and the controller.
👉 In the workplace, employees must have a genuine choice, and must not suffer consequences or discrimination for refusing.

📜 Violations Noted:

• Articles 5.1.a and 5.2 of the GDPR: Principle of lawfulness and accountability.
• Article 6.1.a of the GDPR: Use of consent as an inappropriate legal basis.

⚖️ Consequences:
💸 Administrative fine of €150,000
📉 Damage to reputation
🔧 Obligation to bring data processing activities into compliance

📢 Key Takeaway:
Consent is not the default legal basis in an employment context.
Controllers should consider other valid grounds (e.g., performance of a contract, legal obligation, legitimate interest) depending on the processing purpose.