Austrian privacy group filed complaints following a data breach in the European Parliament.
Privacy advocacy group NOYB has lodged two complaints with the European Data Protection Supervisor (EDPS) alleging violations of the General Data Protection Regulation (GDPR) by the European Parliament after sensitive data related to Parliamentary job applicants was compromised in early 2024, the group announced today (22 August).
The NGO highlights in its complaints the mishandling of information that ultimately led to the breach, as well as the Parliament's refusal to delete data after a formal request was made by a complainant.
The breach, which was revealed in May, involved around 8,000 candidates for temporary positions - including parliamentary assistants and contractual agents - who had used 'PEOPLE', an external application under the control of the institution's human resources service.
NOYB claims that the compromised sensitive data includes “ID cards and passports, criminal record extracts, residence documents, and even sensitive information such as marriage certificates that reveal a person’s sexual orientation.” They further allege that “every single document” processed by PEOPLE was affected.
It is still unclear when exactly the breach occurred, but an internal investigation by the Parliament, which concluded in April, suggested that the data had been compromised for a few months. Victims of the breach were notified in May.
As of today, the origin of the breach remains unidentified.
Lorea Mendiguren, a data protection lawyer at NOYB, noted that the breach comes after a series of cybersecurity incidents in EU institutions over the past year. "The Parliament has an obligation to ensure proper security measures, given that its employees are likely targets for bad actors," she added.
Now that the case has been handed to the EDPS, the regulator overseeing the privacy compliance of EU institutions, an investigation will be conducted to determine whether the Parliament's handling of the data infringes the GDPR. If necessary, corrective measures could be imposed, such as a ban on processing operations or a suspension of data flows.
In the case of a significant violation, the case could be referred to the Court of Justice of the European Union.