This week is being hectic for the European Union (EU) on data protection. Two great news have come to us from Brussels. On the one hand, the European Parliament has discovered that the EU was breaking its own rules with a website that had hired an external company and that collected our data related to Covid-19.
On the other hand, Europol, the European Police Office (Europol), the agency in charge of ensuring compliance with the law in the EU, will have to delete huge amounts of citizen data that we are not related to any crime, by order of the European Data Protection Supervisor (EDPS).
The website that did not comply with the Data Law
The chief data protection supervisor of the European Union has sanctioned the European Parliament for a series of infringements of the Data Protection regulations (or GDPR). Problems they were found on a website that was used to reserve a Covid-19 test and that the European Parliament launched in September 2020 in Brussels: EcoCare, a subsidiary of the company Ecolog, based in the United Arab Emirates.
In 2021 (almost a year ago now), six MEPs filed complaints about this website with the support of the nyob group, focused on privacy issues in Europe, after finding third-party tracking and misleading cookie consent banners . Too there were complaints about access to data and the transparency of how they were treated.
Cookies associated with US companies
It was found that the site booking website for Covid-19 test it left aside the cookies associated with Google Analytics and Stripe (both companies are based in the United States).
With this, parliament did not show that it had applied any special measures to ensure that any transfer of personal data associated with the United States was adequately protected (as it should be after the Schrems II decision also known as the annulment of the Privacy Shield).
An investigation was carried out into these allegations and the SEPD determined that the Parliament had committed several faults. Now he has issued a warning that goes through the rectification of the problems found within a month. There is no financial penalty.