GDPR is a complex matter, also for those who are at the source of the ideas & regulation: even with the best intentions, European Parliament has been spotted by the EDPS for a lack of compliance !
Investigation is still ongoing, and learnings will be more than useful for all EU Institutions (leading by example), as well as private companies at the end.
Some might ask if we don't go too far in applying privacy protection ideas. I believe this will only be answered once possible sanctions will be known, with a clear link with effective misuse - if any.
parliament had contravened regulations governing how EU institutions can use personal data related to the selection and approval of sub-processors