Tag: EDPS

EDPS investigates contractual agreements between EU institutions and Microsoft

10. April 2019

The European Data Protection Supervisor (EDPS) is the supervisory authority for all EU institutions and is therefore responsible for their compliance with data protection law. It is currently investigating whether the contractual agreements between EU institutions and Microsoft are compliant, since the various institutions use Microsoft products and services to conduct their day-to-day business, including the processing of very large amounts of personal data.

The EDPS refers to a Data Processing Impact Assessment carried out last November by the Dutch Ministry of Justice and Security (we reported), which concluded that Microsoft collects and stores personal data of Office users on a large scale without informing them.

Wojciech Wiewiórowski, Assistant EDPS, said: “New data protection rules for the EU institutions and bodies came into force on 11 December 2018. Regulation 2018/1725 introduced significant changes to the rules governing outsourcing. Contractors now have direct responsibilities when it comes to ensuring compliance. However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks. It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.”

The investigation is expected to establish which products and systems are currently in use and whether the existing contractual agreements comply with current data protection law, in particular the GDPR.

Category: EU · GDPR · General

Accountability initiative by the EDPS: achieving compliance with the GDPR

8. June 2016

The EDPS announced yesterday the launch of a new initiative intended to help EU institutions, public bodies and private organizations comply with and prepare for the GDPR. The initiative relates to the accountability principle, which is explicitly mentioned in the GDPR. Accountability regarding the processing of personal data means:

  • Implementing policies within the organization in order to achieve transparency
  • Training employees and persons within the organization with regard to the implementation of the policies
  • Monitoring the implementation of the policies
  • Establishing procedures to identify instances of non-compliance and to respond to data breaches

The EDPS states that the accountability principle involves a culture change within organizations and promotes sustainable data processing: organizations should assess the fairness and legality of complex data processing operations. Both public bodies and private organizations should therefore develop a risk management strategy that addresses their specific needs, so that they are compliant with the GDPR upon its entry into force in May 2018.

The initiative was first implemented at the EDPS itself, using questionnaires addressed to the Supervisors, the Director, the staff responsible for processing operations and the DPO. The resulting actions were documented and followed up on a regular basis. The questions aimed at ensuring control over the processing of personal data and the lawfulness of that processing.

European Data Protection Supervisor issues opinion on EU-U.S. Privacy Shield

1. June 2016

The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued his opinion on the EU-U.S. Privacy Shield this week. The EDPS is an independent EU institution created in 2004 that advises EU institutions on policies and legislation related to privacy and data protection and cooperates with other authorities in these matters.

The EDPS emphasized the following key aspects of the EU-U.S. Privacy Shield:

  • The current draft is not robust enough, and improvements should be made so that it can withstand scrutiny before the ECJ.
  • The Privacy Shield should offer a long-term solution regarding international data transfers to the U.S.
  • The protection provided by the Privacy Shield should ensure the rights to redress, transparency, data privacy and oversight.
  • It should also protect against indiscriminate surveillance by American authorities.
  • The draft should comply with the GDPR, including international data transfers.
  • International companies should be aware of and comply with their obligations on privacy and data protection issues.

To sum up, the Privacy Shield should offer an equivalent data protection level to that existing in the EU.

Category: EU · General