Wojciech Wiewiórowski, Assistant EDPS, said: “New data protection rules for the EU institutions and bodies came into force on 11 December 2018. Regulation 2018/1725 introduced significant changes to the rules governing outsourcing. Contractors now have direct responsiblities when it comes to ensuring compliance. However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks. It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.”

The EU institutions rely on Microsoft services and products to carry out their daily activities. This includes the processing of large amounts of personal data. Considering the nature, scope, context and purposes of this data processing, it is vitally important that appropriate contractual safeguards and risk-mitigating measures are in place to ensure compliance with the new Regulation. The EDPS investigation will therefore assess which Microsoft products and services are currently being used by the EU institutions, and whether the contractual arrangements concluded between Microsoft and the EU institutions are fully compliant with data protection rules.

Regulation 2018/1725 brings the data protection rules applicable to the EU institutions in line with the rules for other organisations and businesses operating in the EU, set out in the General Data Protection Regulation (GDPR). As the data protection supervisory authority for the EU institutions, the EDPS is not only responsible for monitoring their compliance, but also for ensuring public awareness of any possible risks to individual and societal rights and freedoms in relation to the processing of personal data, and for working in close cooperation with national data protection authorities and other relevant national bodies to mitigate these risks.

It is in this spirit of cooperation that the EDPS takes note of the Data Protection Impact Assessment Report on diagnostic data in Microsoft Office ProPlus of 5 November 2018, commissioned by the Dutch Ministry of Justice and Security. Any EU institutions using the Microsoft applications investigated in this report are likely to face similar issues to those encountered by national public authorities, including increased risks to the rights and freedoms of individuals.

The EDPS is committed to ensuring compliance with the applicable data protection legislation at all levels. As their supervisory authority, we remain committed to supporting the EU institutions in coordinating their efforts to operate in accordance with the rules set out in Regulation 2018/1725 and, in doing so, to lead by example in their application of these rules. 

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in the new Regulation (EU) 2018/1725. These rules replace those set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.

Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.

Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).

Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." See the glossaryon the EDPS website.

EU Data Protection Reform package: On 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals:

• a general Regulation on data protection, which was adopted on 24 May 2016, applicable as of 25 May 2018; and
• a specific Directive on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.

The official texts of the Regulation and the Directive are now recognised as law across the European Union (EU) and are fully applicable across the EU.

Regulation 45/2001, which addresses data protection in the EU institutions and bodies, was replaced by Regulation (EU) 2018/1725 on 11 December 2018, while new rules on ePrivacy are also planned.