Why Consent Alone Fails GDPR Compliance

Samanth Dushyanth | January 29, 2025

Consent was often treated as the easiest way to process personal data under the GDPR. However, a closer look showed that it was not always the best or most responsible choice. This was made especially clear when the Hellenic Data Protection Authority (DPA) announced a €150,000 fine against PricewaterhouseCoopers Business Solutions S.A. (PwC BS). The DPA found that PwC BS had relied on consent from employees in an inappropriate manner, violating several core GDPR principles, including the requirement to use the correct legal basis for processing and the principle of accountability.

At the time, the GDPR listed six lawful bases for data processing: consent, contractual obligation, legal obligation, vital interests, public interest, and legitimate interests. Relying solely on consent could become problematic, particularly where there was a power imbalance—such as between an employer and its employees. In theory, consent had to be freely given, specific, informed, and unambiguous. But, in practice, this was difficult to achieve if an employee believed refusal might lead to negative consequences. The PwC BS case illustrated how this imbalance could undermine the idea of “free” consent.

According to the statement published by the Hellenic DPA, employees at PwC BS were asked to provide consent for the processing of their personal data. However, investigators discovered that PwC BS was processing employee data on a different legal basis without informing them. By framing its operations as consent-based, PwC BS gave workers the false impression that they had a choice in the matter. In reality, the DPA determined that PwC BS should have relied on another lawful basis—perhaps performance of a contract or legitimate interests—rather than consent.

Key Findings by the Hellenic DPA

  1. Unlawful Processing: PwC BS was found to be unlawfully processing employee data, contrary to Article 5(1)(a) of the GDPR. The DPA held that consent was not the right legal basis in this scenario.
  2. Lack of Transparency: PwC BS processed personal data unfairly and without proper transparency. The employees were led to believe consent applied, but the company was actually processing under a different basis that remained undisclosed. This misled employees and violated the GDPR’s transparency obligations, also under Article 5(1)(a).
  3. Breach of Accountability: Under Article 5(2) of the GDPR, controllers must prove compliance. PwC BS, however, shifted the burden of proof onto employees. The DPA stressed that accountability rests with the controller, and in this case, PwC BS did not demonstrate compliance or maintain adequate records to show it had chosen the right legal basis.

As a result, the DPA used the corrective powers granted by Article 58(2) of the GDPR. The fine of €150,000 was deemed necessary not just to address past failings but also to act as a deterrent. The DPA also ordered PwC BS to correct its data-processing operations within three months, bringing them in line with the GDPR. This included properly identifying and applying the correct lawful basis, ensuring that employees were fully aware of how their data was being used, and taking all steps needed to restore compliance with the principles of fairness, transparency, and accountability.

This case echoed broader concerns in the data protection world about the overuse of consent. When there was a clear imbalance of power, it was challenging to show that individuals had given genuine, free, and informed consent. Regulators emphasised that other legal bases—such as contractual necessity or legitimate interests—might be more suitable, especially if withdrawing consent was not really an option for workers. If an employer’s daily operations hinged on data processing, it made more sense to rely on a legal basis that accurately reflected that necessity, rather than pretending employees had a true choice to refuse.

At the time, many organisations re-evaluated their data protection practices following the PwC BS ruling. They looked more carefully at whether consent was truly appropriate for each scenario. The Information Commissioner’s Office (ICO) in the United Kingdom had issued guidance stating that consent should be used only when people could freely say “no” without facing negative repercussions. In relationships where that freedom was questionable—such as employer-employee relationships—organisations were encouraged to explore other lawful bases. This approach helped them avoid the pitfalls illustrated by the PwC BS fine.

Ultimately, the PwC BS case highlighted the importance of aligning data-processing practices with the actual relationship between the organisation and the data subjects. The GDPR was built on the principles of fairness, transparency, and accountability. Controllers were expected to ensure that people understood why their data was collected and processed. They also had to pick the lawful basis that best fit the real-world purpose, rather than defaulting to consent for every data-processing activity.

The fine from the Hellenic DPA in July 2019 served as a warning: if organisations misled data subjects—whether deliberately or through negligence—they risked significant penalties. PwC BS had to adjust its practices and keep detailed records to prove future compliance. This case became a talking point for businesses everywhere, reminding them that consent was neither a shortcut nor a “silver bullet.” Instead, it was merely one option among several, each with its own requirements and limitations.