Following the breach, parliament advised affected people to replace their identity cards and passports as a precautionary measure and offered to reimburse them for the costs.
The committee announced on Thursday that it had filed two complaints with the European Data Protection Supervisory Authority (EDPS) on behalf of four parliamentary employees. Both complaints allege that the agency violated GDPR by compromising the confidentiality of personal data, that its storage practices enabled the breach, and that it “lacked appropriate security measures” despite known cybersecurity vulnerabilities, citing two previous POLITICO reports.
However, the first case concerns a complainant whose sexual orientation was revealed through the leaking of a certificate, which according to noyb is a special category of data.
“This breach comes after a series of cybersecurity incidents at EU institutions over the past year,” Lorea Mendegren, a data protection lawyer at noyb, said in a statement. “Given that parliamentary staff are likely to be targeted by bad actors, parliament has an obligation to take appropriate security measures.”
The second claim is that the parliament refused to erase the complainant’s personal data submitted after the breach, which noyb considers “unnecessary” as the complainant had not worked for the institution since 2018.
“This breach also shows that the impact of a breach could have been limited by simply disposing of personal data in a timely manner,” noyb co-founder Max Schrems said in a statement.
noyb argues that Parliament still does not seem to understand the cause of the violations and is calling on the EDPS to use its powers to bring the agency’s processes into compliance. The rights group also suggests that the EDPS impose “appropriate administrative fines” to prevent similar violations in the future.
The council did not respond to a request for comment by the time of publication.