Brussels data protection chiefs are set to launch an internal investigation into cloud and software deals between EU institutions and Microsoft to ensure that they are GDPR compliant.
On the eve of the new regulation coming into force, the European Commission famously claimed that it did not have to adhere to GDPR, following reports that its own website had been leaking personal data.
However, it seems that the European Data Protection Supervisor (EDPS), which responsible for overseeing EU institutions to ensure their compliance with data protection rules, is not so sure.
EDPS assistant supervisor Wojciech Wiewiórowski said: “New data protection rules for the EU institutions and bodies came into force on 11 December 11 2018. Regulation 2018/1725 introduced significant changes to the rules governing outsourcing. Contractors now have direct responsibilities when it comes to ensuring compliance.
“However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks. It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.”
It wants to examine the nature of the contracts between the EU institutions and Microsoft to asses which Microsoft software and services are being used, and whether the contractual arrangements are fully compliant with data protection rules.
The investigation follows on from a Data Protection Impact Assessment Report in November 2018 by the Dutch Ministry of Justice & Security.
This examined the transmission of diagnostic data in Microsoft Office 365 ProPlus subscriptions, and found that 25,000 ‘events’ in Office 365 were recorded, transmitted and shared among 30 engineering teams at Microsoft.
“Any EU institutions using the Microsoft applications investigated in this report are likely to face similar issues to those encountered by national public authorities, including increased risks to the rights and freedoms of individuals,” claimed the EDPS.
European Commission claims it is exempt from GDPR
Two days until GDPR D-Day: Microsoft spanks Facebook
Most EU data enforcers in a shambles as GDPR looms
Half of UK firms have set aside money for GDPR fines