Data Protection Complaints against EU Parliament

In the wake of a significant data breach affecting the European Parliament's recruitment system in April 2024, the digital rights NGO Noyb has lodged two legal complaints with the European Data Protection Supervisor (EDPS). The breach, which exposed sensitive personal information of over 8,000 current and former employees, prompted the Parliament to advise those affected to replace their identification documents, offering to cover the associated costs. Noyb's complaints, filed on August 22, highlight alleged violations of the General Data Protection Regulation (GDPR), particularly concerning data minimization and retention requirements. The organization argues that the Parliament's retention policy, which allows for the storage of recruitment data for up to ten years, is excessive and non-compliant with GDPR standards. Activist Max Schrems emphasized the risks posed by the leaked data, stating that it could potentially influence democratic processes. The breach was confirmed by the EDPS, which noted that the Parliament reported the incident within 72 hours of its discovery. Noyb's complaints also address the Parliament's failure to delete sensitive data post-breach, despite requests from affected individuals. The organization is urging the EDPS to enforce corrective measures and impose fines to ensure compliance with data protection laws. The breach has raised serious concerns about the adequacy of the Parliament's data protection measures, particularly in light of a November 2023 review that indicated its defenses were below industry standards and vulnerable to state-sponsored cyber threats.