Parliamentary questions
21 June 2019
Answer given by Ms Jourová on behalf of the European Commission
Question reference: E-001667/2019

The Commission has taken note of the issue reported in relation to the storing by Facebook of passwords to personal email accounts. Organisations, such as Facebook, processing personal data of individuals in the EU must fully comply with the rules laid down in the General Data Protection Regulation (‘GDPR’)(1).

In particular, pursuant to Article 32 of the GDPR, these organisations must implement appropriate technical and organisational measures to ensure a level of security of personal data appropriate to the risk.

Without prejudice to the powers of the Commission as guardian of the Treaties, the monitoring and enforcement of the application of data protection legislation falls primarily under the competence of national authorities and courts. The Irish Data Protection Commission is the lead competent supervisory authority regarding the handling of personal data by Facebook.

On 25 April 2019, the Irish Data Protection Commission announced that it was notified by Facebook of this incident and that it has opened an inquiry to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR(2).

It will be for the Irish Data Protection Commission, in cooperation with all the concerned data protection authorities in the EU, to determine whether European citizens have been affected and to impose possible sanctions, including administrative fines.

Failure to comply with the regulation can be sanctioned by an administrative fine up to EUR 20 million or to 4% of the total worldwide annual turnover of the company.

(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1‐88.

Last updated: 24 June 2019