The Hague Forum, jointly organised with the Dutch Ministry of Justice and Security and the European Commission, met for the second time on 2 July. The Hague Forum is a cooperation platform for public authorities in the EU, EU institutions (EUIs) and other international organisations to exchange information and strengthen their negotiation power with ICT service providers, including cloud service and communications providers.
On this occasion, the EDPS issued a Public Paper detailing its findings and recommendations on the use of Microsoft products and services by EU institutions. These findings may help any public administration when contracting ICT services, because of the similarities between the General Data Protection Regulation (GDPR) and Regulation (EU) 2018/1725, which applies to the EUIs.
Wojciech Wiewiórowski, EDPS, said: “Our expectation is that by sharing the results of our recent investigation, we will help public administrations to improve data protection compliance when negotiating contracts with their service providers. It is not appropriate that the data of people collected in the provision of services to public authorities is processed for their own purposes by these service providers. By sharing technical expertise and by reinforcing regulatory cooperation through this Forum, we can also contribute to ensuring the same level of data protection safeguards and measures for all consumers and public authorities living and operating in the EEA”.
Underlining the EDPS’ strategic objective on digital sovereignty, as outlined in the EDPS Strategy 2020-2024, the Public Paper emphasises that when public administrations enter into contractual relationships with ICT service providers, the terms of these contracts should reinforce the EUIs’ control over how and why personal data is processed.
To this end, the EDPS recommends that the roles and responsibilities of data processors and sub-processors should be clearly defined and monitored to minimise risks for the privacy of individuals.
In his address to the participants of the event, Wojciech Wiewiórowski pointed out that The Hague Forum is an example of the type of cooperation he wants for his mandate, with smart public authorities promoting responsible data processing in accordance with European values and for the benefit of everyone.
Background information
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority responsible for monitoring the processing of personal data by the EU institutions, bodies, offices and agencies, advising on policies and legislation that affect privacy and personal data protection and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content – related to or provided by end-users of communications services – are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about himself or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See the glossary on the EDPS website.
The Hague Forum: The Dutch Ministry of Justice and Security and the EDPS organised the first EU software and Cloud Suppliers Customer Council in The Hague on 29 August 2019, where participants established The Hague Forum. The Forum aims to discuss both how to take back control over the IT services and products offered by the big IT service providers and the need to collectively create standard contracts instead of accepting the terms and conditions as they are written by these providers. Participants are encouraged to work in synergy to set fair contractual terms for public administration and to exchange best practices in outsourcing services, especially in the demanding cloud environment. Participation in The Hague Forum is open only to EU institutions, public authorities, international organisations and NGOs.
The powers of the EDPS are clearly outlined in Article 58 of Regulation (EU) 2018/1725.