The European Data Protection Supervisor, which is responsible for enforcing and monitoring EU companies’ compliance with data protection rules, said it has launched an investigation into the compliance of contractual arrangements between EU institutions and Microsoft.

Regulation 2018/1725, new data protection rules that came into force on 11 December 2018, “introduced significant changes to the rules governing outsourcing,” said Assistant EDPS Wojciech Wiewiórowski. Contractors now have direct responsibilities for ensuring compliance. “However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf.”

“They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks,” Wiewiórowski added. “It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.”

The EU institutions rely on Microsoft services and products to carry out their daily activities, including the processing of large amounts of personal data. Considering the nature, scope, context, and purposes of this data processing, the EDPS said it is “vitally important that appropriate contractual safeguards and risk mitigating measures are in place to ensure compliance with the new regulation.”

The EDPS investigation will, therefore, assess which Microsoft products and services are currently being used by the EU institutions and whether the contractual arrangements concluded between Microsoft and the EU institutions are fully compliant with data protection rules.

Regulation 2018/1725 brings the data protection rules applicable to the EU institutions in line with the rules for other organisations and businesses operating in the European Union, set out in the General Data Protection Regulation (GDPR). As the data protection supervisory authority for the EU institutions, the EDPS is not only responsible for monitoring their compliance, but also for ensuring public awareness of any possible risks to individual and societal rights and freedoms in relation to the processing of personal data, and for working in close cooperation with national data protection authorities and other relevant national bodies to mitigate these risks.

It is in this spirit of cooperation that the EDPS said it takes note of the Data Protection Impact Assessment Report on diagnostic data in Microsoft Office ProPlus of 5 November 2018, commissioned by the Dutch Ministry of Justice and Security. Any EU institutions using the Microsoft applications investigated in this report are likely to face similar issues to those encountered by national public authorities, including increased risks to the rights and freedoms of individuals.

The EDPS said it is “committed to ensuring compliance with the applicable data protection legislation at all levels. As their supervisory authority, we remain committed to supporting the EU institutions in coordinating their efforts to operate in accordance with the rules set out in Regulation 2018/1725 and, in doing so, to lead by example in their application of these rules.”