Following a major breach of the European Parliament’s recruitment system in April 2024, in which sensitive personal information was exposed, the digital rights NGO Noyb has filed two legal complaints alleging breaches of data protection law.
In May, the Parliament said it had suffered a data breach in PEOPLE, the recruitment application it uses to hire temporary staff. It confirmed that the breach occurred in April and that sensitive personal data, including identity documents, criminal records and work histories, had been exposed.
Parliament recommended that affected individuals replace their ID cards and passports as a precautionary measure, offering to cover the costs involved.
Now Noyb (the European Centre for Digital Rights) has lodged two complaints with the European Data Protection Supervisor (EDPS), the authority that supervises data processing by EU institutions, on behalf of four parliamentary staff members. The complaints note that the data of more than 8,000 current and former employees was affected. Max Schrems, activist and chairman of Noyb, said:
As an EU citizen, it is worrying that EU institutions are still so vulnerable to attacks. Having such information floating around is not only frightening for the individuals affected, but it can also be used to influence democratic decisions.
Personal data processing requirements
Noyb argues that the breach exposes the Parliament’s failure to comply with the data minimisation and storage limitation principles of the General Data Protection Regulation (GDPR), which apply to EU institutions through their own counterpart regulation, Regulation (EU) 2018/1725.
Data minimisation requires that personal data be adequate, relevant and limited to what is necessary for the purpose for which it is processed; collecting or keeping more than the purpose needs is itself a breach, regardless of whether the data is ever leaked. Storage limitation (the retention principle) requires that data not be kept in a form that identifies individuals for longer than that purpose requires. Together they bound both how much data an attacker can take and how many people a single compromise can affect.
One of the complaints concerns the Parliament’s refusal to delete the complainant’s data after the breach, citing a 10-year retention policy, despite his objections and the fact that he had not worked at the institution for many years. Noyb has also called on the EDPS to use its corrective powers to bring the institution into compliance and to impose an administrative fine as a deterrent against future breaches.
The leaked files may include special categories of personal data that receive heightened protection under the GDPR, such as ethnic origin, political opinions and sexual orientation. One of the complainants points out that an uploaded marriage certificate inadvertently revealed an employee’s sexual orientation, an example of how a document collected for one purpose (proof of civil status) can disclose sensitive information the institution never needed.