The EU Imposes a Penalty on Itself for Violating Its Own Data Protection Regulation

January 2025

The European Union (EU) has imposed a penalty on itself for breaching its own General Data Protection Regulation (GDPR). The General Secretariat of the Council of the European Union, which is part of the EU itself, has been hit with a fine of €50,000 (about $60,000).

This penalty comes as a result of a data leak that happened in 2020. The leak allowed more than 1,000 German citizens' CVs to be freely accessible online for several months. The data breach was discovered by the German non-profit organization D64, and it took place on a website managed by the European Institute of Public Administration (EIPA).

EIPA had been contracted by the General Secretariat of the Council of the European Union to manage applications for the EU's annual 'Blue Book' traineeship program. However, due to an error, the website leaked a large number of applications, including the personal data of applicants.

The Luxembourg National Commission for Data Protection (CNPD), which is responsible for ensuring GDPR compliance, found that the General Secretariat neglected its responsibility to ensure that its third-party contractors, like EIPA, were following the GDPR rules.

This fine is a clear message that even organizations within the EU itself are not immune to GDPR penalties if they fail to comply with the data protection rules. Regardless of the size and nature of the organization, all entities must ensure that they are properly protecting people's personal data.