All applicant data collected in one place. To apply for a job at the European Parliament, applicants must first register on the Parliament’s recruitment platform, PEOPLE. There, applicants hand the Parliament a large amount of personal information: identity documents, passports, residence and education certificates, as well as sensitive data such as criminal record extracts and marriage certificates, the latter of which can reveal a person’s sexual orientation. Concentrating this much sensitive data in one system makes it all the more important that the Parliament takes appropriate security measures to ensure that it cannot be accessed by third parties.
Data breach affects thousands of people. On April 26, 2024, the European Parliament informed the European Data Protection Supervisor (EDPS) that a major data breach had occurred at PEOPLE, affecting more than 8,000 current and former employees. It is still unclear when and how the breach actually occurred, but those affected have been informed that all the personal information in the documents they uploaded to PEOPLE was compromised. On May 31, the Parliament recommended that those affected replace their ID cards and passports as a precautionary measure and offered to reimburse the costs. At the time the complaints were filed, it was still unknown how long the attackers had access to the applicants’ personal information.
Lorea Mendiguren, data protection lawyer at noyb: “This breach comes after repeated cybersecurity incidents at EU institutions over the past year. Given that staff are more likely to be targeted by malicious actors, Parliament has an obligation to take appropriate security measures.”
Known cybersecurity vulnerabilities. This incident is especially worrying because the Parliament has long been aware of its cybersecurity weaknesses. In November 2023, a cybersecurity review by the Parliament’s IT department found that the institution’s cybersecurity “still doesn’t meet industry standards” and that the existing measures are “completely out of line with the threat level.” Moreover, the intrusion into PEOPLE occurred in parallel with many other cyberattacks on EU institutions. Russian hacking groups attacked the Parliament’s websites in November 2022 and a number of European governments in the fall of 2023. In February 2024, another intrusion was discovered in the Parliament’s security and defence subcommittee, where two MEPs and a staff member found Israeli spyware on their devices.
Max Schrems, chairman of noyb: “As an EU citizen, it worries me that EU institutions remain vulnerable to attack. The circulation of such information is not only frightening for the individuals affected, but it could also be used to influence democratic decisions.”
More data than necessary. The data breach also revealed that the Parliament had not complied with the data minimisation and retention requirements of Article 4(1)(c) of the EU GDPR, the data protection regulation that applies to the EU institutions. That provision requires personal data to be “adequate, relevant and limited to what is necessary in relation to the purposes of the processing.” Despite this, the Parliament’s retention period for application files is 10 years. This is all the more worrying given that these files also contain sensitive data that is specifically protected under Article 9 and may reveal people’s ethnicity, political opinions, religious beliefs and sexual orientation. In this case, the complainant had uploaded a copy of her marriage certificate to the portal, from which her sexual orientation could be inferred.
Max Schrems, chairman of noyb: “This breach also shows that the impact of a breach could have been limited by simply deleting personal data in time.”
Two complaints filed with the EDPS. noyb has filed two complaints on behalf of affected Parliament employees with the European Data Protection Supervisor (EDPS), the authority responsible for data protection breaches by EU institutions. The European Parliament appears to have violated Articles 4(1)(c) and (f) and Article 33(1) of the EU GDPR. Moreover, in one complainant’s case, the Parliament rejected a post-breach erasure request, citing the 10-year retention period, even though the complainant had expressed concerns in light of the breach and had not worked there for several years. noyb calls on the EDPS to exercise its corrective powers and order the Parliament to bring its processing into compliance. noyb also proposes that the EDPS impose appropriate administrative fines to prevent similar violations in the future.