• The amendments that EU institutions negotiated to Microsoft’s standard terms should be included in the highest-ranking contractual document. So should all the provisions necessary to comply with Regulation (EU) 2018/1725. • It should only be possible to change provisions in the ILA affecting data protection by common agreement. • The scope of provisions in the ILA affecting data protection should be broadened to cover all personal data not only provided to Microsoft but also generated by Microsoft, as a consequence of the EU institutions’ use of all Microsoft products and services. • EU institutions should negotiate a specific, explicit and exhaustive set of purposes to cover all types of personal data involved in their use of Microsoft products and services. The purposes should be limited to those that were necessary for EU institutions to use those products and services. Other purposes should be expressly prohibited.
3 The controller-processor agreement 3.1 Comprehensiveness of the agreement 3.1.1 Assessment 60
In the EDPS’ view, if EU institutions were to remain the only controllers of personal data processed under the ILA, their controller-processor agreement with Microsoft needed to be substantially reinforced. Many of the necessary elements were either inadequately implemented or absent.
61
The requirements for a compliant controller-processor agreement are set out in Article 29 of Regulation (EU) 2018/1725 [see also Article 28 of the GDPR]. They permeate the whole of this paper. Article 29(3) of Regulation (EU) 2018/1725 requires the controller-processor agreement to be ‘binding on the processor with regard to the controller’.20 There is therefore no place for a processor to have an unlimited right of unilateral amendment in a controller-processor agreement. A processor should only process on the basis of documented instructions from the controller.
62
Article 29(3) of Regulation (EU) 2018/1725 requires the controller-processor agreement to set out ‘the type of personal data and categories of data subjects and the obligations and rights of the controller.’21 The EDPS’ analysis had concluded that it was unclear which contractual controls, if any, applied to the different categories of data processed by Microsoft under the ILA. As the EDPS has seen, although Microsoft had obligations and rights attributable to a controller under the ILA, they were generally not expressly stated. Following that, EU institutions’ obligations and rights as controllers were not fully set out. There was no mention in the negotiated ILA documents of categories of data subjects, although they were mentioned in the Data Protection Addendum.
20 21
GDPR (n b) art 28(3). ibid art 28(3).
14
