As the supervisory authority for all EU institutions, the European Data Protection Supervisor (EDPS) is responsible for enforcing and monitoring their compliance with data protection rules.
Article continues below
In this capacity, the EDPS is undertaking an investigation into the compliance of contractual arrangements concluded between the EU institutions and Microsoft, the European Data Protection Supervisor said.
The EU institutions rely on Microsoft services and products to carry out their daily activities.
This includes the processing of large amounts of personal data.
Considering the nature, scope, context and purposes of this data processing, it is vitally important that appropriate contractual safeguards and risk-mitigating measures are in place to ensure compliance with the new Regulation.
The EDPS investigation will therefore assess which Microsoft products and services are currently being used by the EU institutions, and whether the contractual arrangements concluded between Microsoft and the EU institutions are fully compliant with data protection rules.
Regulation 2018/1725 brings the data protection rules applicable to the EU institutions in line with the rules for other organisations and businesses operating in the EU, set out in the General Data Protection Regulation (GDPR).
As the data protection supervisory authority for the EU institutions, the EDPS is not only responsible for monitoring their compliance, but also for ensuring public awareness of any possible risks to individual and societal rights and freedoms in relation to the processing of personal data, and for working in close cooperation with national data protection authorities and other relevant national bodies to mitigate these risks.
It is in this spirit of cooperation that the EDPS takes note of the Data Protection Impact Assessment Report on diagnostic data in Microsoft Office ProPlus of 5 November 2018, commissioned by the Dutch Ministry of Justice and Security.
Any EU institutions using the Microsoft applications investigated in this report are likely to face similar issues to those encountered by national public authorities, including increased risks to the rights and freedoms of individuals. ■