EU to check for GDPR violations in Microsoft’s contracts with EU institutions

The European Data Protection Supervisor (EDPS), the European Union’s data protection watchdog, has started an investigation into Microsoft’s contracts with EU institutions.

The investigation will focus on the contracts EU institutions have signed with Microsoft and if clauses in these contracts comply with the EU’s new data protection regulation -also known as the General Data Protection Rules (GDPR).

The inquiry was set in motion after Dutch authorities started an investigation into Microsoft’s Office hidden telemetry last November. The Dutch government’s investigation, which concluded in February, found eight GDPR violations in Office ProPlus and Office 365.

The EDPS inquiry, announced today, cited the Dutch government’s investigation as the main reason for auditing Microsoft’s contracts with EU institutions in search for other potential GDPR violations.

The EDPS said the EU extensively relies on Microsoft software for its daily activities.

“Any EU institutions using the Microsoft applications investigated in this [Dutch government] report are likely to face similar issues,” the EDPS said in a press release.

“This includes the processing of large amounts of personal data,” it said. “Considering the nature, scope, context and purposes of this data processing, it is vitally important that appropriate contractual safeguards and risk-mitigating measures are in place to ensure compliance with the new [GDPR] Regulation.”

Microsoft has already taken steps to address the Dutch government’s report. The software maker said in February that it plans to modify how Office ProPlus collects user data by the end of April 2019, to comply with the EU’s new data privacy rules.

“We are committed to helping our customers comply with GDPR, Regulation 2018/1725, and other applicable laws and are confident that our contractual arrangements allow customers to do so,” said a Microsoft spokesperson. “We stand ready to help our customers answer any questions the European Data Protection Supervisor may have.”

Article updated with Microsoft statement. Also clarified that the investigation will target Microsoft’s contracts with EU institutions, and not products.