The European Commission does not comply with data protection rules in its use of Microsoft 365


The European Data Protection Supervisor (EDPS), an independent supervisory authority, announced this Monday that, following its investigation, it “found that the Commission has infringed several provisions of Regulation (EU) 2018/1725, the law of the EU on data protection for EU institutions, bodies and agencies (EUI), including those relating to transfers of personal data outside the European Union and the European Economic Area (EEA). In particular, the Commission has not provided appropriate safeguards to ensure that personal data transferred outside the EU/EEA benefit from a level of protection essentially equivalent to that guaranteed in the EU/EEA.”

Corrections to be applied by December

The EDPS also issued a reprimand to the Commission for these infringements, which cover issues such as purpose limitation, data transfers outside the EU/EEA, and unauthorized disclosures of personal data. The EDPS’ actions highlight the need to put in place strong data protection safeguards in cloud-based services used by EU institutions, to ensure the protection of individuals’ information as required by EU legislation.

The EDPS prescribes corrective measures, which must be effective by December 9, 2024: it demands that the Commission stop all data transfers to Microsoft and its subsidiaries and subcontractors located outside the EU/EEA in countries that have not been subject to an adequacy decision. Furthermore, the Commission must ensure that its data processing activities comply with the Regulation, including by carrying out a transfer mapping exercise identifying which personal data are transferred, to which recipients, in which third countries and for what purposes. The Commission must also provide assurance that transfers are carried out for tasks falling within its competence, and implement contractual and organizational measures to secure data processing.

The European Data Protection Supervisor (EDPS) is an independent supervisory authority whose mission is to ensure that European institutions and bodies respect the right to privacy and data protection when processing personal data and developing new policies.
