The EU has launched an investigation into contracts Microsoft holds with its institutions to ensure data processing is conducted in compliance with the GDPR.
Regulator the European Data Protection Supervisor (EDPS) revealed yesterday that it was undertaking the investigation into contractual arrangements with the US tech giant after a Data Protection Impact Assessment Report in the Netherlands last November highlighted issues.
That audit found that: “Microsoft collects and stores personal data about the behavior of individual employees on a large scale, without any public documentation.”
Microsoft Office ProPlus was singled out for attention in that report.
Now the EDPS is warning of “increased risks to the rights and freedoms of individuals” for any EU institutions using the same apps detailed in the audit.
“The EU institutions rely on Microsoft services and products to carry out their daily activities. This includes the processing of large amounts of personal data. Considering the nature, scope, context and purposes of this data processing, it is vitally important that appropriate contractual safeguards and risk-mitigating measures are in place to ensure compliance with the new regulation,” said the EDPS.
“The EDPS investigation will therefore assess which Microsoft products and services are currently being used by the EU institutions, and whether the contractual arrangements concluded between Microsoft and the EU institutions are fully compliant with data protection rules.”
The regulation it is auditing against is Regulation 2018/1725, which is designed to bring the data protection rules governing EU institutions in line with the GDPR.
For its part, Microsoft has already committed to helping its customers comply with the GDPR and Regulation 2018/1725.
“We stand ready to help our customers answer any questions the European Data Protection Supervisor may have,” it added in a statement.