EDPS investigates contractual agreements concerning software used by EU institutions
As the supervisory authority for all EU institutions, the EDPS is responsible for enforcing and monitoring their compliance with data protection rules. In this capacity, the EDPS is undertaking an investigation into the compliance of contractual arrangements concluded between the EU institutions and Microsoft.
Wojciech Wiewiórowski, Assistant EDPS, said: “New data protection rules for the EU institutions and bodies came into force on 11 December 2018. Regulation 2018/1725 introduced significant changes to the rules governing outsourcing. Contractors now have direct responsibilities when it comes to ensuring compliance. However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks. It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.”
The EU institutions rely on Microsoft services and products to carry out their daily activities. This includes the processing of large amounts of personal data. Considering the nature, scope, context and purposes of this data processing, it is vitally important that appropriate contractual safeguards and risk-mitigating measures are in place to ensure compliance with the new Regulation. The EDPS investigation will therefore assess which Microsoft products and services are currently being used by the EU institutions, and whether the contractual arrangements concluded between Microsoft and the EU institutions are fully compliant with data protection rules.
Regulation 2018/1725 brings the data protection rules applicable to the EU institutions in line with the rules for other organisations and businesses operating in the EU, set out in the General Data Protection Regulation (GDPR). As the data protection supervisory authority for the EU institutions, the EDPS is not only responsible for monitoring their compliance, but also for ensuring public awareness of any possible risks to individual and societal rights and freedoms in relation to the processing of personal data, and for working in close cooperation with national data protection authorities and other relevant national bodies to mitigate these risks.
It is in this spirit of cooperation that the EDPS takes note of the Data Protection Impact Assessment Report on diagnostic data in Microsoft Office ProPlus of 5 November 2018, commissioned by the Dutch Ministry of Justice and Security. Any EU institutions using the Microsoft applications investigated in this report are likely to face similar issues to those encountered by national public authorities, including increased risks to the rights and freedoms of individuals.
The EDPS is committed to ensuring compliance with the applicable data protection legislation at all levels. As their supervisory authority, we remain committed to supporting the EU institutions in coordinating their efforts to operate in accordance with the rules set out in Regulation 2018/1725 and, in doing so, to lead by example in their application of these rules.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in the new Regulation (EU) 2018/1725. These rules replace those set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five-year term, they took office on 4 December 2014.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about himself or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” See the glossary on the EDPS website.
EU Data Protection Reform package: On 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals:
- a general Regulation on data protection, which was adopted on 24 May 2016, applicable as of 25 May 2018; and
- a specific Directive on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.
The official texts of the Regulation and the Directive are now recognised as law across the European Union (EU) and are fully applicable across the EU.
Regulation 45/2001, which addresses data protection in the EU institutions and bodies, was replaced by Regulation (EU) 2018/1725 on 11 December 2018, while new rules on ePrivacy are also planned.