PRESS RELEASE
EDPS/2019/02
Brussels, 8 April 2019
EDPS investigates contractual agreements concerning software
used by EU institutions
As the supervisory authority for all EU institutions, the European Data Protection Supervisor
(EDPS) is responsible for enforcing and monitoring their compliance with data protection
rules. In this capacity, the EDPS is undertaking an investigation into the compliance of
contractual arrangements concluded between the EU institutions and Microsoft, the
European Data Protection Supervisor said today.
Wojciech Wiewiórowski, Assistant EDPS, said: “New data protection rules for the EU
instiutions and bodies came into force on 11 December 2018. Regulation 2018/1725
introduced significant changes to the rules governing outsourcing. Contractors now have direct
responsiblities when it comes to ensuring compliance. However, when relying on third parties
to provide services, the EU institutions remain accountable for any data processing carried
out on their behalf. They also have a duty to ensure that any contractual arrangements respect
the new rules and to identify and mitigate any risks. It is with this in mind that the contractual
relationship between the EU institutions and Microsoft is now under EDPS scrutiny.”
The EU institutions rely on Microsoft services and products to carry out their daily activities.
This includes the processing of large amounts of personal data. Considering the nature,
scope, context and purposes of this data processing, it is vitally important that appropriate
contractual safeguards and risk-mitigating measures are in place to ensure compliance with
the new Regulation. The EDPS investigation will therefore assess which Microsoft products
and services are currently being used by the EU institutions, and whether the contractual
arrangements concluded between Microsoft and the EU institutions are fully compliant with
data protection rules.
Regulation 2018/1725 brings the data protection rules applicable to the EU institutions in line
with the rules for other organisations and businesses operating in the EU, set out in the
General Data Protection Regulation (GDPR). As the data protection supervisory authority
for the EU institutions, the EDPS is not only responsible for monitoring their compliance, but
also for ensuring public awareness of any possible risks to individual and societal rights and
freedoms in relation to the processing of personal data, and for working in close cooperation
with national data protection authorities and other relevant national bodies to mitigate these
risks.
It is in this spirit of cooperation that the EDPS takes note of the Data Protection Impact
Assessment Report on diagnostic data in Microsoft Office ProPlus of 5 November 2018,
commissioned by the Dutch Ministry of Justice and Security. Any EU institutions using the
Microsoft applications investigated in this report are likely to face similar issues to those
encountered by national public authorities, including increased risks to the rights and freedoms
of individuals.
The EDPS is committed to ensuring compliance with the applicable data protection legislation
at all levels. As their supervisory authority, we remain committed to supporting the EU
institutions in coordinating their efforts to operate in accordance with the rules set out in
Regulation 2018/1725 and, in doing so, to lead by example in their application of these rules.
Background information
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor
(EDPS), are set out in the new Regulation (EU) 2018/1725. These rules replace those set out in Regulation
(EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with
responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies
and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution,
appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took
office on 4 December 2014.
Personal information or data: any information relating to an identified or identifiable natural (living) person.
Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers.
Other details, such as IP addresses and communications content - related to or provided by end-users of
communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to
privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European
Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter
also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal
data refers to “any operation or set of operations which is performed on personal data or on sets of personal data,
whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction." See the glossary on the EDPS website.
EU Data Protection Reform package: On 25 January 2012, the European Commission adopted its reform
package, comprising two legislative proposals:
•
a general Regulation on data protection, which was adopted on 24 May 2016, applicable as of 25 May
2018; and
•
a specific Directive on data protection in the area of police and justice, adopted on 5 May 2016, applicable
as of 6 May 2018.
The official texts of the Regulation and the Directive are now recognised as law across the European Union (EU)
and are fully applicable across the EU.
Regulation 45/2001, which addresses data protection in the EU institutions and bodies, was replaced by Regulation
(EU) 2018/1725 on 11 December 2018, while new rules on ePrivacy are also planned.
The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting
personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by:
monitoring the EU administration's processing of personal data;
advising on policies and legislation that affect privacy;
cooperating with similar authorities to ensure consistent data protection.
Questions can be directed to: press@edps.europa.eu
EDPS - The European guardian of data protection
www.edps.europa.eu
Follow us on Twitter: @EU_EDPS