In September 2020, the European Parliament launched a website for MEPs and its employees to book Covid-19 tests. During 2021, six MEPs filed complaints against the site for non-compliance with the GDPR.
Indeed, the site imposed the presence of third-party cookies without users’ consent and, above all, did not have a protocol to prevent Google Analytics and Stripe from transferring users’ personal data to the United States. The site is thus in contradiction with the Schrems II decision handed down by the Court of Justice of the European Union (CJEU) in July 2020, which invalidated the Privacy Shield.
After investigation, the European Data Protection Supervisor (EDPS) found the Parliament responsible for these failings and issued a warning, with an obligation to address all issues within one month.