
6 Transparency
Recommendation Set 6: implement measures to mitigate risks
• All EU institutions should perform tests to check the flow of personal data to Microsoft from its current and future products and services, following a comprehensive and documented approach. This approach should, in particular:
– cover the normal usage patterns of their users involving the Microsoft products and services to be tested;
– analyse all traffic exiting user computers and all its destinations so as to single out data flows from Microsoft software to Microsoft servers or its subcontractors.
• EU institutions should also monitor releases of Microsoft product updates and liaise with the company for their configuration to eliminate any unlawful transfer of personal data.
• Where an EU institution negotiates the procurement of software products or services on behalf of other EU institutions, the negotiating EU institution should inform the other EU institution of any data protection issues it identifies with the products or services.
• EU institutions should share with each other technical expertise and solutions to eliminate any unlawful transfer of personal data to Microsoft.
• Where EU institutions planned to use Microsoft products and services they did not already use (such as Microsoft Office 365 or Microsoft Azure cloud services), they should perform comprehensive assessments of the data protection risks posed by those products and services prior to deploying them.
138 The abundance of contractual documents, the overlapping and conflicting terms within them, the lack of a clear order of precedence and the monthly updates to terms make it, at the very least, difficult for EU institutions, bodies, offices and agencies to discharge their information obligations to data subjects, as required by Article 4(1)(a) of Regulation (EU) 2018/1725 [see also Article 5(1)(a) of the GDPR].
6.1 Recommendations
139 In the particular context of transparency towards the data subject, which enables them to exercise their data protection and other rights, the EDPS issued the following recommendations.