European Parliament accused of failing to protect employees’ personal data

Giuseppe De Vita
Credit: REUTERS/Johanna Geron

Brussels (The Brussels Morning Newspaper) – Austrian advocacy group Noyb has filed two complaints with the EU privacy watchdog against the European Parliament, accusing it of inadequately protecting employees’ personal data.

How Did the European Parliament Fail to Protect Personal Data?

Noyb has filed two complaints against the European Parliament over a massive data breach that affected the personal data of over 8,000 staff members. Noyb, a non-profit organization whose name stands for ‘none of your business,’ filed the complaints after a recruitment portal called ‘PEOPLE’ was breached.

What Sensitive Information Was Compromised in the Data Breach?

Attackers acquired sensitive data, including ID cards, passports, criminal records, residence documents, and even marriage certificates that revealed the victim’s sexual orientation. According to Noyb, to apply for a job at the EU Parliament, you must go through a recruitment platform called PEOPLE, where you must supply information about yourself. This includes “heaps of personal data,” including ID cards, passports, residence and education documents, criminal records, and marriage certificates.

Was the PEOPLE Recruitment Portal the Source of the Violation?

The breach itself happened earlier this year and was discovered on April 25th. It’s still unknown whether it was the result of hacking or another form of exposure. On April 26th, 2024, the European Parliament informed former and current employees that “every single document…uploaded to PEOPLE (had) been compromised.” “At the time of filing this complaint, it is still unclear how long the assailants were able to access the personal data of the applicants,” Noyb stated.

Those affected were asked to replace their IDs and passports “as a precautionary measure.”

Is the European Parliament Compliant with GDPR Standards?

Noyb argues that the Parliament has “long been aware of cybersecurity vulnerabilities.” In November 2023, a cybersecurity review indicated that the organization’s cybersecurity did not meet industry standards. Furthermore, the non-profit said that the European Parliament isn’t complying with the GDPR’s data minimization and retention requirements.

According to Noyb, the EU GDPR requires European institutions to process only data that is “adequate, relevant and restricted to what is necessary in relation to the purposes for which they are processed.” However, the European Parliament has retained these recruitment files for 10 years. “This is even more worrying when you believe that these files also contain specially protected sensitive info…which can reveal people’s ethnicity, political views, religious beliefs, or sexual orientation,” Noyb states.

Noyb has filed the two complaints with the EU Data Protection Supervisor (EDPS) on behalf of employees within the European Parliament. The non-profit also suggests that the EDPS impose an “appropriate organisational fine to prevent similar violations in the future.”

Giuseppe De Vita is a journalist at Brussels Morning News, covering European politics, law and technology news. He is a lawyer at De Vita & Partners Law Firm, specializing in Criminal Law, Military and Space Law, and Cyber Security. In April 2023, he authored the monograph "Governance in Extraterrestrial Space", showcasing his extensive legal expertise. He has acquired vast experience in handling criminal and civil matters, managing litigation before various levels of jurisdiction across the national territory. In 2010, he obtained a Master's degree in Information Technology Law. In the same year, he served as a teacher in criminal-IT subjects at the Penitentiary Police School of Portici, providing courses aimed at officials and managers of the Penitentiary Police and the Penitentiary Administration, focusing on IT security. He also serves as a Workplace Safety teacher, conducting training courses at various organizations and educational institutions. Moreover, he is a lecturer on Anti-Corruption and Transparency. The law firm, under his guidance, assists both private and corporate clients in court, accumulating significant experience in criminal and civil disputes over the years. Furthermore, it conducts Risk Management and Compliance, Cyber Resilience, and Cyber Security activities, with a specific focus on privacy protection (EU Regulation 2016/679 - GDPR). Giuseppe frequently publishes articles in legal journals, analyzing various regulatory issues. He has contributed articles to the legal journal Altalex and is also a member of its Scientific Committee.