Digital rights group filed two complaints against European Parliament over alleged GDPR violations
Noyb filed complaints with the EDPS, accusing the European Parliament of inadequate security measures and violating GDPR by delaying notification of a significant data breach affecting 8,000 staff.
The Austrian digital rights non-profit organisation, noyb, has filed two complaints with the European Data Protection Supervisor (EDPS) against the European Parliament on behalf of four parliament employees. Essentially, in May 2024, the European Parliament revealed a significant data breach impacting over 8,000 staff members. The breach involved sensitive personal information, including ID cards, passports, criminal records, and documents like marriage certificates that could reveal sexual orientation. Noyb claims the breach occurred months before the Parliament became aware, and the cause remains unidentified.
Thus, in the two complaints, noyb, claims that the European Parliament lacked adequate security measures and thus violates Article 33 of the General Data Protection Regulations (GDPR), which reads that: In the event of a personal data breach, the controller must notify the supervisory authority within 72 hours unless the breach is unlikely to risk individuals’ rights. Any delay requires justification.
Why does it matter?
This situation highlights the European Parliament’s responsibility to implement effective security measures and promptly inform stakeholders when breaches occur. Noyb warns that such breaches could have severe consequences, as foreign adversaries may use techniques like spyware to obtain personal data on politicians.