EDPS investigates contractual agreements concerning software used by EU institutions
As the supervisory authority for all EU institutions, the EDPS is responsible for enforcing & monitoring their compliance with data protection rules. In this capacity, the EDPS is undertaking an investigation into the compliance of contractual arrangements concluded between the EU institutions and Microsoft.
Wojciech Wiewiórowski, Assistant EDPS, said: “New data protection rules for the EU institutions and bodies came into force on 11 December 2018. Regulation 2018/1725 introduced significant changes to the rules governing outsourcing. Contractors now have direct responsiblities when it comes to ensuring compliance. However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks. It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.”
The EU institutions rely on Microsoft services and products to carry out their daily activities. This includes the processing of large amounts of personal data. Considering the nature, scope, context and purposes of this data processing, it is vitally important that appropriate contractual safeguards and risk-mitigating measures are in place to ensure compliance with the new Regulation. The EDPS investigation will therefore assess which Microsoft products and services are currently being used by the EU institutions, and whether the contractual arrangements concluded between Microsoft and the EU institutions are fully compliant with data protection rules.
Regulation 2018/1725 brings the data protection rules applicable to the EU institutions in line with the rules for other organisations and businesses operating in the EU, set out in the General Data Protection Regulation (GDPR). As the data protection supervisory authority for the EU institutions, the EDPS is not only responsible for monitoring their compliance, but also for ensuring public awareness of any possible risks to individual and societal rights and freedoms in relation to the processing of personal data, and for working in close cooperation with national data protection authorities and other relevant national bodies to mitigate these risks.
It is in this spirit of cooperation that the EDPS takes note of the Data Protection Impact Assessment Report on diagnostic data in Microsoft Office ProPlus of 5 November 2018, commissioned by the Dutch Ministry of Justice and Security. Any EU institutions using the Microsoft applications investigated in this report are likely to face similar issues to those encountered by national public authorities, including increased risks to the rights and freedoms of individuals.
The EDPS is committed to ensuring compliance with the applicable data protection legislation at all levels. As their supervisory authority, we remain committed to supporting the EU institutions in coordinating their efforts to operate in accordance with the rules set out in Regulation 2018/1725 and, in doing so, to lead by example in their application of these rules.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in the new Regulation (EU) 2018/1725. These rules replace those set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." See the glossaryon the EDPS website.
EU Data Protection Reform package: On 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals:
- a general Regulation on data protection, which was adopted on 24 May 2016, applicable as of 25 May 2018; and
- a specific Directive on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.
The official texts of the Regulation and the Directive are now recognised as law across the European Union (EU) and are fully applicable across the EU.
Regulation 45/2001, which addresses data protection in the EU institutions and bodies, was replaced by Regulation (EU) 2018/1725 on 11 December 2018, while new rules on ePrivacy are also planned.
Latest News from
How Member States are failing victims of violent crime – EU Agency reports25/04/2019 15:25:00
Member States must do more to protect victims of violent crime, finds the EU Agency for Fundamental Rights (FRA). Its latest reports question current safeguards defending the rights of those seeking justice. FRA calls for positive action from police, support services, public prosecutors and courts.
#EUandMyFood – promoting the value of EU food safety25/04/2019 13:25:00
EFSA, the EU Member States and the EC are jointly launching a campaign called #EUandMyFood. Our aim is to remind EU citizens how we all benefit from the European food safety system that was created in 2002 under the General Food Law.
Code of practice against disinformation24/04/2019 12:25:00
EC welcomes the commitment of online platforms ahead of the European elections.
Public consultation: appropriate age for introduction of complementary feeding of infants19/04/2019 09:25:00
EFSA is seeking feedback from stakeholders and other interested parties on its scientific opinion on the appropriate age for introduction of complementary feeding of infants.
Stronger EU borders with a new standing corps of 10,000 border guards18/04/2019 15:25:00
TheEuropean Parliament hasadopted the ECs proposal to reinforce the European Border and Coast Guard Agency with a standing corps of 10,000 border guards by 2027.
European Parliament's vote on new rules to improve fairness & transparency of online platforms18/04/2019 13:37:00
The European Parliament has approved the new Regulation on platform-to-business trading practices that is aimed at establishing a fair, trusted and innovation-driven environment for businesses and traders when using online platforms.
WTO Boeing dispute: EU issues preliminary list of U.S. products considered for countermeasures18/04/2019 12:25:00
The EC has launched a public consultation on a preliminary list of products from the USA on which the EU may take countermeasures in the context of the ongoing Boeing dispute at the World Trade Organisation (WTO).
Registered substances mapped for regulatory action18/04/2019 09:25:00
The first report of the Integrated Regulatory Strategy presents a mapping of the universe of registered substances that are on the EU market. This information helps authorities to identify, plan and monitor the progress on identifying and regulating substances of concern.
The United States is Europe's main soya beans supplier with imports up by 121%17/04/2019 16:25:00
New figures released by the EC, show that imports of U.S. soya beans by the EU increased by 121% over the current market year (July 2018 to mid-April 2019), compared to the same period in the previous year.