The European Commission has claimed it is not subject to the strict new data protection law that it has imposed across Europe, following an “embarrassing” leak of personal data on its website.

Officials in Brussels admitted the bureaucracy that designed the rules is not itself compliant with the General Data Protection Regulation (GDPR). A spokesman said the European Commission was "taking and will continue to take all the necessary steps to comply".

The revelation comes after tech site Indivigital sent the The Daily Telegraph evidence that the European Commission has leaked the personal details of hundreds of citizens. This would constitute a breach of GDPR were other organisations to have done it.

However a spokesman said the European institutions were separate from the data protection regulations for “legal reasons”. Officials in Brussels will instead follow a new law that “mirrors” GDPR but does not come into ­effect until autumn.

GDPR is a new EU law that restricts how companies may use the personal information of Europeans, and came into force last week. The crackdown triggered an outcry about the burden of compliance from some businesses. They were left scrambling to meet the deadline and avoid hefty fines.