
Following a major breach in the European Parliament’s recruitment system in April 2024, in which sensitive personal information was leaked, digital rights NGO Noyb filed two legal complaints against EU institutions on Thursday (August 22) for alleged violations of data protection laws.
In May, the parliament said it had experienced a data breach in its recruitment app PEOPLE, which is used to recruit temporary staff. The intrusion was confirmed to have occurred in April, when sensitive personal data was compromised, such as identity documents, criminal records and work experience.
Concerns were raised at the time about delays in notification and the potential misuse of the leaked data. The parliament advised affected individuals to replace their ID cards and passports as a precaution and offered to cover the associated costs.
Now, the NGO Noyb (European Centre for Digital Rights) has filed two complaints with the European Data Protection Supervisory Authority (EDPS) on behalf of four parliamentary employees, stating that the data of more than 8,000 employees was affected, including that of former employees.
“As an EU citizen, it is worrying that EU institutions remain so vulnerable. Having this information spread around is not only frightening for the individuals affected, but it could also be used to influence democratic decisions,” said Max Schrems, activist and chairman of Noyb.
Back in May this year, the EDPS confirmed to Euractiv that it had been notified of the breach in less than 72 hours from the moment Parliament became aware of it.
Complaint
Noyb believes the leak highlights the parliament’s non-compliance with the data minimisation and retention requirements of the General Data Protection Regulation (GDPR).
The GDPR’s data minimization rules require organizations to collect and retain the minimum amount of personal data necessary for a specific purpose. Retention requirements limit how long this data is stored, ensuring it is not kept longer than necessary.
One of the legal complaints concerned the parliament’s refusal to delete data after a breach, citing a 10-year data retention policy, despite concerns raised by the complainants and the fact that they had not worked for the EU institutions in years.
The NGO also urged the EDPS to use its corrective powers to bring EU institutions into compliance and to impose administrative fines to prevent future violations.
Noyb said that under the GDPR, data should only be processed if it is necessary and relevant, and the parliament’s 10-year retention period for recruitment documents exceeded this standard, which raised concerns.
This is especially the case because these files may contain sensitive data that should be protected by GDPR, including ethnicity, political views and sexual orientation. For example, the NGO noted that one of the legal complainants highlighted that an uploaded marriage certificate inadvertently revealed the sexual orientation of a staff member.
Noyb said the hack was particularly concerning given parliament’s known cybersecurity vulnerabilities. A November 2023 review found parliament’s defences were below industry standards and not fully aligned with the threat posed by state-sponsored hackers.
The PEOPLE data breach was part of a series of cyberattacks that included attacks by Russian hackers in 2022 and 2023, and Israeli spyware that was found on the devices of MEPs in early 2024.
(Editing by Rajnish Singh)


