According to the European Data Protection Supervisor (EDPS), the European Parliament did not respect the General Data Protection Regulation (GDPR). The intervention of the regulator concerns a booking website for carrying out Covid-19 tests which the Parliament launched in September 2020. This site would have allowed the transfer of data outside the European Union.
Several infringements committed by the European Parliament
This decision sounds like a warning for European sites about the need to demonstrate compliance with rules regarding data flows and transfers. If the European Parliament has avoided the financial penalty, this will not always be the case in the future. The EDPS clarifies that the site has been the subject of a number of complaints, lodged by six MEPs over the past year.
Europol is ordered to erase part of its database
Several breaches of the GDPR have been raised on this site intended for Parliament’s teams: the presence of third-party cookies imposed without the consent of users, as well as problems of transparency of access and transfer relating to personal data. Following his investigation, the EDPS concluded that the European Parliament was indeed at fault in several respects. In addition to a warning, the regulator orders the rectification of all problems identified within one month.
The transfer of data outside the EU at the heart of the complaint
It is indeed the transfer of user data to the United States that is once again at the heart of the problem. Indeed, the website in question did not have the necessary protocol in place to prevent Google Analytics and Stripe from transferring users’ personal data to the United States. However, the European Parliament is well placed to know that in July 2020, the European Court of Justice (CJEU) canceled the agreement on the transfer of personal data (the Privacy Shield) with the United States. A decision taken to respond to the concerns of European citizens.
The complainants claimed that with this website, the Parliament transferred personal data relating to Members and employees, outside the European Union, to Google and other American companies. In all, the site of the European Parliament would have violated six articles of the data protection regulation. The EDPS clarifies that the Parliament has been “constantly responsive and collaborative throughout the investigation of the complaint”, and that on the date of the decision, most violations have been corrected.