Connecteu-vos amb nosaltres

Supervisor europeu de Protecció de Dades (SEPD)

El SEPD sanciona el Parlament Europeu per transferència il·legal de dades als EUA




Following a complaint by six MEPs, including Patrick Breyer of the Pirate Party, the European Data Protection Supervisor (EDPS) has confirmed that the European Parliament‘s COVID test website violated data protection rules.[1] The EDPS highlights that the use of Google Analytics and the payment provider Stripe (both US companies) violated the European Court of Justice’s (CJEU) “Schrems II” ruling on data transfers between the EU and the US.

The ruling is one of the first decisions to implement “Schrems II” in practice and could be groundbreaking for many other cases currently being considered by regulators. On behalf of six MEPs, the data protection organisation noyb filed a data protection complaint against the European Parliament in January 2021.[2]

The main issues raised are the deceptive cookies banners of an internal corona testing website, the vague and unclear data protection notice, and the illegal transfer of data to the US. The EDPS investigated the matter and issued a reprimand on the Parliament for violation of the “GDPR for EU institutions” (Regulation (EU) 2018/1725 applicable only to EU institutions).

Illegal data transfers to the US In the so-called “Schrems II” case, the CJEU stressed that the transfer of personal data from the EU to the US is subject to very strict conditions. Websites must refrain from transferring personal data to the US where an adequate level of protection for the personal data cannot be ensured.

The EDPS confirmed that the website actually transferred data to the US without ensuring an adequate level of protection for the data and highlighted: “The Parliament provided no documentation, evidence or other information regarding the contractual, technical or organizational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.”

Co-complainant and MEP Patrick Breyer (Pirate Party) comments: “The Schrems II ruling was a great victory for the protection of our privacy and the confidentiality of our communications and internet use. Unfortunately, this case shows that our data is still being illegally transferred to the US in large numbers. With his decision, the EDPS makes it clear that this must end. There must be no more unnecessary disclosing of our personal data to the US without our consent, not even on the basis of the so-called standard contractual clauses, which do not protect us against the NSA mass surveillance schemes.”

Sense multa, però una amonestació i una ordre de compliment El SEPD va emetre una amonestació al Parlament pels diferents incompliments del reglament de protecció de dades aplicable a les institucions de la UE. A diferència de les autoritats nacionals de protecció de dades en virtut del RGPD, el SEPD només pot imposar una multa en determinades circumstàncies, que no es van complir en aquest cas. A més, el SEPD va donar al Parlament un mes per actualitzar el seu avís de protecció de dades i resoldre els problemes de transparència restants.



Comparteix aquest article:

EU Reporter publica articles de diverses fonts externes que expressen una àmplia gamma de punts de vista. Les posicions preses en aquests articles no són necessàriament les d'EU Reporter.