Brussels mandarins have raised more than a few eyebrows after claiming that the European Commission does not have to adhere to GDPR following reports that its own website has been leaking personal data.
The documents, exposed by tech website Indivigital, contain the names, email addresses, telephone numbers and mobile phone numbers of individuals who have attended EC workshops and events.
One of the spreadsheets identified also contains columns labelled “postcode” and “address”. Some of the postcodes published in one of the spreadsheets appear to belong to residential addresses, the site reports.
However, a spokesman for the Commission told the Telegraph that European institutions were separate from the data protection regulations for “legal reasons”. Officials in Brussels will instead follow a new law that “mirrors” GDPR but does not come into effect until autumn.
The move comes after it emerged that Belgium – home of the Commission – is one of a raft of countries which are nowhere near passing domestic legislation to enforce GDPR.
Jon Baines, a data protection advisor at law firm Mishcon de Reya, said: “Although the information disclosed here does not appear to be particularly sensitive, it does raise questions about the general level of compliance, and whether any further inadvertent disclosures have been made.”
This is not the first problem to beset the Commission; despite vowing to launch a “massive” GDPR consumer awareness campaign “by January at the latest”, there has not been a peep out of Brussels.