The 28-country European Union adopted the General Data Protection Regulation (GDPR) about a year ago, giving Europeans more control over their online information and privacy enforcers the power to impose hefty fines.
The European Data Protection Supervisor (EDPS), which monitors the bloc’s 70 institutions on their GDPR compliance, launched an investigation on Monday into the software giant Vole’s deals.
The concern is the Microsoft products and services used by the institutions, and whether the contractual agreements between them and the US software company are GDPR-compliant.
Assistant EDPS Wojciech Wiewiorowski said: “When relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks.”
The EDPS can impose fines up to 50,000 euro for each infringement.
Microsoft said it was committed to helping its customers comply with GDPR, Regulation 2018/1725, and other applicable laws, and was confident that its contractual arrangements allow customers to do so.
However, the EDPS said some of the data protection worries could be similar to Dutch concerns raised in November about the data collected through Microsoft ProPlus, which includes Microsoft Word and Microsoft Outlook email.
This information is being stored in a US database, and the Netherlands said it posed major risks to users’ privacy. The company subsequently made some changes to comply with EU rules.