After the complaints by Members of the European Parliament (MEPs) and noyb, the European Data Protection Supervisor (EDPS) issued a decision confirming that the European Parliament violated data protection law on one of its websites.
Details of the case
In order to provide efficient and quick COVID-19 tests for Members of the Parliament and staff during the pandemic, the Parliament contracted the private company Ecolog to conduct COVID-19 PCR testing and run the website for online registration.
Using software that scans websites to identify cookies and trackers, the MEPs found Google Analytics and Stripe cookies on the site and demanded justification for the transfer of MEPs’ and staff’s personal data to the US.
On 29 October 2020, the EDPS received a complaint jointly signed by six Members of the European Parliament (MEP) against the European Parliament, regarding alleged infringements of the right of access to information about personal data processing and Chapter V of the GDPR through its COVID testing website.
On 22 January 2021, the EDPS received a complementary complaint from the non-profit organization noyb (European Center for Digital Rights), which drew attention to the main allegations made in the previous complaint. The two complaints were subsequently joined.
The issues outlined included unclear data protection notices, deceptive cookie banners, failure to respond to data subjects’ requests and, most importantly, illegal transfer of data to the US.
Illegal transfer of data to the US
In its July 2020 judgment in the Schrems II case, the European Court of Justice held that personal data transfers from the EU to the US no longer fall under the protection of the Privacy Shield, and that organizations must apply mechanisms ensuring appropriate safeguards and compliance with the GDPR in transatlantic data transfers.
In this particular case, the EDPS confirmed that the use of Google Analytics and of the payment service provided by Stripe on the website transferred data to the US without an adequate level of protection, thus violating the Court of Justice’s ruling in the Schrems II case.
Deceptive cookie banner
The Parliament’s cookie banner did not contain information about the details and purpose of the processing, and so failed to provide transparent information about the processing of personal data.
Additionally, the definition of consent differed between the banner’s language versions. The banner also lacked proper opt-in and opt-out buttons for non-essential cookies, so users were not able to give valid consent.
Transparency and information requirements
Following the complaint, the Parliament updated its notices. However, the EDPS decided that they still needed further improvement to meet transparency and information requirements.
The previous notices had been copied from the website of an airport testing center and therefore failed to provide relevant information and a valid lawful basis for the personal data processing.
There were also inconsistencies between the English and German versions of the data protection notices; the notices gave incorrect DPO contact information, failed to define data retention periods, and did not acknowledge the processing of sensitive health data.
The EDPS decision
The EDPS issued a reprimand to the European Parliament for violations of the GDPR and ordered it to comply with the decision.
The Parliament is ordered to update its data protection notices and correct the omissions within one month.