European Law Monitor

Make your voice heard!

newsEDPS investigates European Parliament’s 2019 election activities and takes enforcement actions


The European Data Protection Supervisor (EDPS) is carrying out an investigation into the European Parliament’s use of a US-based political campaigning company to process personal data as part of its activities relating to the 2019 EU parliamentary election, the Assistant EDPS announced today.

Wojciech Wiewiórowski, Assistant EDPS, said: “The EU parliamentary elections came in the wake of a series of electoral controversies, both within the EU Member States and abroad, which centred on the the threat posed by online manipulation. Strong data protection rules are essential for democracy, especially in the digital age. They help to foster trust in our institutions and the democratic process, through promoting the responsible use of personal data and respect for individual rights. With this in mind, starting in February 2019, the EDPS acted proactively and decisively in the interest of all individuals in the EU to ensure that the European Parliament upholds the highest of standards when collecting and using personal data. It has been encouraging to see a good level of cooperation developing between the EDPS and the European Parliament over the course of this investigation.”

Election campaigns are currently the subject of considerable scrutiny. The EDPS is actively engaged in seeking solutions to the challenges of online manipulation in elections while the European Parliament itself adopted a resolution to protect the European elections from data misuse in March 2019. Data protection plays a fundamental role in ensuring electoral integrity and must therefore be treated as a priority in the planning of any election campaign.

One of the European Parliament’s campaign activities for this year’s EU parliamentary elections was to promote public engagement through a website called The website collected personal data from over 329,000 people interested in the election campaign activities, which was processed on behalf of the Parliament by the US company NationBuilder. Taking into account previous controversy surrounding this company, the EDPS opened an own-initiative investigation in February 2019, in order to determine whether the Parliament’s use of the website, and the related processing operations of personal data, were in accordance with the rules applicable to the EU institutions, set out in Regulation (EU) 2018/1725This investigation is ongoing.

The investigation into the European Parliament’s use of NationBuilder resulted in the first ever EDPS reprimand issued to an EU institution: a contravention by the Parliament of Article 29 of Regulation (EU) 2018/1725, involving the selection and approval of sub-processors used by NationBuilder. A second reprimand was subsequently issued by the EDPS, after the Parliament failed to publish a compliant Privacy Policy for the thistimeimvoting website within the deadline set by the EDPS. In both instances, the European Parliament acted in line with EDPS recommendations.

EDPS actions are not limited to reprimands. The EDPS will continue to check the Parliament’s data protection processes, now that the European Parliament has finished informing individuals of their revised intention to retain personal data collected by the thistimeimvoting website until 2024. The outcome of these checks could lead to additional findings. The EDPS intends to finalise this investigation by the end of this year.

The EDPS expects the EU institutions, offices, bodies and agencies to lead by example in ensuring that the interests of all those living in the EU are adequately protected when their personal data is processed. This requires increased cooperation and more effective understanding between the EDPS and the EU institutions it supervises.

Copyright European Union