The protection of personal data is crucial, especially for institutions like the European Parliament. NYOB’s complaint against the EU Parliament has shed light on a serious data breach in the Parliament’s recruitment platform, PEOPLE. The breach compromised the personal information of thousands of job applicants, exposing significant lapses in data security and in compliance with the EU General Data Protection Regulation (GDPR). Let’s explore why these issues are relevant to your business and what the complaints reveal.
Who should care about NYOB’s complaint against EU parliament?
If your company handles any form of personal data, these complaints should matter to you. The data breach at the European Parliament isn’t just a cautionary tale for public institutions; it’s a wake-up call for any organisation that processes personal information. Whether you manage employee records, customer data, or sensitive documents, the risks highlighted here apply directly to your operations. Protecting data isn’t just about avoiding fines; it’s about safeguarding your company’s reputation and maintaining the trust of your stakeholders.
Overview of the first NYOB complaint against EU parliament
The first complaint revolves around a data breach in the PEOPLE recruitment platform, which stores the personal information of over 8,000 current and former EU Parliament job applicants. The breach, discovered in April 2024, exposed highly sensitive documents such as ID cards, passports, and criminal records. Despite having been aware of cybersecurity vulnerabilities since November 2023, the Parliament failed to implement adequate security measures. The breach occurred amid a series of cyberattacks on EU institutions, raising concerns about the Parliament’s ability to protect its data. The complaint argues that the Parliament violated the GDPR by not securing the data adequately and by allowing attackers to access every single document uploaded by the affected individuals.
Overview of the second NYOB complaint against EU parliament
The second complaint expands on the data security issues by highlighting the Parliament’s non-compliance with the GDPR’s data minimisation and storage limitation principles. The GDPR requires that data be processed only when necessary and stored only for as long as needed. However, the Parliament’s 10-year retention policy for recruitment files, which include sensitive data, is seen as excessive and unjustified. In one case, a complainant’s request for data erasure was denied, even after the breach and years after the complainant had stopped working at the Parliament. This refusal, combined with the Parliament’s failure to minimise the amount of personal data collected, is another significant violation of the GDPR. The complaint calls on the European Data Protection Supervisor (EDPS) to investigate these practices and impose fines to prevent future breaches.
Personal data exposed
The breach affected over 8,000 current and former job applicants to the European Parliament, namely individuals who had registered on the Parliament’s recruitment platform, PEOPLE. The compromised data included highly sensitive personal documents such as ID cards, passports, criminal record extracts, educational documents, and even marriage certificates, which can reveal personal details such as sexual orientation.
Lessons learned
- The breach highlights the importance of implementing security measures appropriate to the sensitivity of the personal data being processed. Even large institutions are vulnerable if they don’t maintain industry-standard cybersecurity practices.
- Only collect and store the data that is absolutely necessary for your business operations. The Parliament’s failure to minimise data collection and retention widened the scope of the breach, demonstrating how excessive data storage increases risk.
- Adhering to data retention policies that align with GDPR principles is vital. Regularly review and delete data that is no longer necessary to reduce the impact in case of a breach. The Parliament’s refusal to erase outdated data after a breach exposed a significant compliance failure.
- Conduct regular cybersecurity audits and act on their findings. The Parliament was aware of its cybersecurity shortcomings but failed to address them, which contributed to the breach.
- Communicate openly with affected individuals and regulatory bodies in the event of a breach. Transparency in handling data breaches helps maintain trust and demonstrates accountability.
Actions to take next
- Protect yourself by asking us to conduct a gap analysis.
- Ensure compliance by working with our team to tailor your privacy and data retention policies.
- Join our Data Protection programme, which can help you stay ahead of regulatory changes.