Hungary: Sanctions against the European Parliament for data transfers that violated “Schrems II”

The European Data Protection Supervisor (“EDPS”) has issued a decision after a complaint was filed against the European Parliament (“Parliament”) due to unlawful data transfer to the US, a deceptive cookie banner and unclear data protection notices.

The Parliament entrusted a service provider to set up a website regarding Covid testing. This website used Stripe and Google Analytics cookies to gather data which are considered as personal data. The cookies were transferred to the US, since both companies are located in the US. The EDPS emphasized in its decision that “data transfers to the US can only take place if they are framed by effective supplementary measures in order to ensure an essentially equivalent level of protection for the personal data transferred”. Since the Parliament did not provide any documentation or evidence regarding an equivalent level of protection, the EDPS came to the conclusion that the requirements placed on data transfer to the US were not met.

The EDPS confirmed the violation of data protection laws on the grounds indicated in the complaint. Accordingly, the EDPS issued a reprimand and ordered the Parliament to comply with the relevant laws.