Europe: EDPS finds that the European Commission has infringed data protection rules

By Rachel de Souza & Anna Rivera on March 21, 2024

On 11 March 2024, following an investigation, the European Data Protection Supervisor (EDPS) announced that the European Commission’s (Commission) use of a major software company infringes the data protection law for EU institutions, bodies, offices and agencies (Regulation (EU) 2018/1725). In particular, the EDPS found that the Commission had failed to provide appropriate safeguards to ensure that personal data transferred outside the EEA were afforded an essentially equivalent level of protection as guaranteed in the EEA. In addition, the EDPS concluded that the Commission did not sufficiently specify in its contract with the software company what types of personal data were to be collected and for which explicit and specified purposes.

Background

The EDPS investigation was opened following the Schrems II judgment and Recommendations previously issued by the EDPS on the use of the software company’s products and services by EU institutions and bodies. The investigation was part of the EDPS’ participation in the EDPB 2022 Coordinated Enforcement Action into the use of cloud- based services by the public sector.

Summary of EDPS findings

The EDPS found that the Commission had infringed several provisions of Regulation (EU) 2018/1725, including those on transfers of personal data outside the EEA. In particular, the EDPS found that the Commission had failed to:

provide appropriate safeguards ensuring that data transferred enjoy an essentially equivalent level of protection to that in the EEA;

provide what types of personal data can be transferred to which recipients in which third country and for which purposes;

map the proposed transfers, conduct a transfer impact assessment and include appropriate safeguards in the Standard Contractual Clauses (SCCs);

obtain authorisation of those SCCs from the EDPB; and

ensure that transfers took place “solely to allow tasks within the competence of the controller to be carried out.”

In addition, the EDPS found that the Commission had failed to comply with a number of other requirements of Regulation (EU) 2018/1725, including failing to adequately specify the types of personal data in relation to its intended purposes, leading to ambiguity and potential non- compliance with the Regulation (EU) 2018/1725; and failing to provide sufficiently clearly documented instructions for the processing.

EDPS Corrective Measures

As a result of its findings, the EDPS imposed a number of corrective measures on the Commission, including:

from 9 December 2024, suspend all data flows resulting from its use of the software to the software company and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision; and

bring the processing operations resulting from its use of the software into compliance with Regulation (EU) 2018/1725.

Taking into account the need not to compromise the Commission’s ability to carry out its tasks in the public interest or to exercise its official authority, as well as the need to allow appropriate time for the Commission to implement the suspension of relevant data flows, the EDPS held that the Commission has until 9 December 2024 to demonstrate compliance with both orders.