
5 Technical measures
• In the medium term, if EU institutions wished to maintain the protections afforded by Protocol No 7 to the TFEU and Regulation (EU) 2018/1725 against unauthorised disclosure, they should seriously consider:
– first, ensuring that data processed on their behalf is located in the EU/EEA, and
– second, only using service providers that were not subject to conflicting third-country laws with extra-territorial scope.
5.1 Context
133 In 2016, the Commission identified a security and data protection issue posed by Microsoft’s collection of diagnostic data from its software. The software concerned was principally Office Pro Plus 2016 and Windows 10 Enterprise. This software did not offer built-in means by which EU institutions could completely manage or stop the flows of diagnostic data to Microsoft.
134 The Commission’s work in detecting and mitigating the security and data protection issues posed by Microsoft software illustrated that, at a technical (and not merely contractual) level, Microsoft’s approach to providing its products and services was not fully compliant with the principles of data protection by design and by default.58
135 Controllers are required to implement technical and organisational measures to ensure data protection by design and by default and to meet their duty of accountability.59 The EDPS has issued guidelines to EU institutions to assist them in doing so.60
136 In general, the EDPS recommends that controllers should also evaluate the need for an assessment of data protection risks when they plan to use products or services offered by third-party providers, which will process large amounts of personal data.
5.2 Recommendations
137 In the particular context of the ILA and the products and services EU institutions were using at the time of the investigation, the EDPS issued the following recommendations.
58 Regulation 2018/1725 (n a) art 27; GDPR (n b) art 25.
59 Regulation 2018/1725 (n a) art 26 and 27; GDPR (n b) art 24 and 25.
60 EDPS, Guidelines on the protection of personal data in IT governance and IT management of EU institutions (2018) ⟨https://edps.europa.eu/sites/edp/files/publication/it_governance_management_en.pdf⟩; EDPS web services guidelines (n 48).