The data protection regulator in Greece has reported that the leading consultancy PriceWaterhouseCoopers (PwC) will be fined $170k USD for violations of Article 83 of the European Union’s General Data Protection Regulation (GDPR), data protection specialists report. Data protection authorities in Greece also imposed some corrective measures that must be implemented by the company to comply with European data law.
European community data legislation lays down
the regulatory bases to which any organization that operates on personal data
must submit to control this information. While the consent of the data subjects
is one of these bases, it is not the only one, so the way to control PwC’s
personal data was inappropriate, according to the opinion of the Greek data
The company processed this information in the course of its business activities without employees being informed about it. The authorities determined that this way of working with personal information violates the principles of fairness and transparency set out in the GDPR.
The company also has accountability issues, as
it failed to demonstrate adequate compliance with the GDPR and transferred the
burden to data subjects, an inappropriate procedure as set out in the
regulations, mentioned by data protection specialists. Therefore, the Greek
company was fined and now has a three-month deadline to comply with the taxes
established by the authorities.
This is the first time that one of the 4
greatest consultants in the world receives a fine for non-compliance with the
GDPR. The irony of this issue is that PcW is one of the companies that had the
most work a couple of years ago advising multiple companies to comply with
European data legislation. “It’s really amazing that this company is
generating so many revenue from GDPR-related services and now it turns out that
it has violated an article of this legislation,” data protection experts
This is a sign that any company that controls
personal data could default to GDPR, regardless of whether they are small
companies or large companies. Another well-known case is that of Google,
although in this case the fine was much higher, reaching 5 billion dollars. In
the case of PwC, the data regulator in Greece stated that “this amount has
been established as an effective, proportionate and deterrent method”, in
other words, the strictly provisions of European data regulation have not been
However, this does not mean that this decision
is an irrelevant fact; according to data protection specialists from the
International Institute of Cyber Security (IICS), this fine could trigger a number
of similar measures, as many companies have contracted PwC’s advice to comply
with the European data; a bad computer security practice at PwC could replicate
in many other companies, increasing this problem of non-compliance.
To the company’s fortune, its reputation in the
field of data security has not suffered irreversible damage; PwC executives can
still demonstrate to data regulators that they are able to implement the
measures recommended by the Greek government, so more than a big fiasco, this is
a great opportunity to learn.