Digital Law Up(to)date: European Parliament violates several provisions of the GDPR for EU Institutions

On 5 January 2022, the European Data Protection Supervisor (EDPS) issued a reprimand to the European Parliament for non-compliance with several provisions of the GDPR for EU Institutions (Regulation 2018/1725). The EDPS ordered the European Parliament to update the data protection notices of an internal corona testing website within one month from the date of the decision.

The starting point for the decision was a complaint filed by NOYB on behalf of six members of the European Parliament.

In concrete terms, the EDPS concludes that the European Parliament:

  • Fails to fulfil its responsibilities as controller and to use a processor providing sufficient guarantees to implement appropriate technical and organisational measures (articles 26(1) and 29(1)); 
  • Fails to provide documentation relating to the detailed instructions given to the processor for the setting up and functioning of the website (article 29(3));
  • Fails to respect the principles of transparency and accountability and the data subjects’ right to information because of the inaccurate data protection notice and cookie banner on the dedicated website (articles 4(1)(a) and 14, 4(2), and 15);
  • Relies on the Standard Contractual Clauses in the absence of a demonstration that personal data of data subjects transferred to the US (by the use of Google Analytics and Stripe cookies) were provided an essentially equivalent level of protection (articles 46 and 48(2)(b));
  • Fails to protect information (the cookies) transmitted to, stored in, related to, processed by and collected from the users’ terminal equipment (article 37); 
  • Fails to reply to the data subjects’ request for access to their personal data (articles 14(4) and 17).

This article was co-authored by Edouard Cruysmans in his capacity as Professional Support Lawyer at Stibbe.