On 18 June 2019 the Minister of Justice and Security, Ferd Grapperhaus, and the Minister of the Interior and Kingdom Relations, Kajsa Ollongren, informed the House of Representatives on the verification of the implementation of the remedial plan agreed with Microsoft.
In 2018, SLM Microsoft had a data protection impact assessment (DPIA) carried out for diagnostic data collection (data about the use of the software) in new versions of Microsoft Office. The DPIA established that diagnostic data from and about users was being collected and stored in a database in the US through the product ‘Microsoft Office ProPlus’. The collection, storage and use of this data were not in accordance with the General Data Protection Regulation (GDPR).
SLM Microsoft Rijk entered into discussions with Microsoft and on 26 October 2018 agreement was reached on a remedial plan. In that plan, Microsoft committed to adapting its products so that their use by Dutch government bodies that fall under SLM Microsoft Rijk would be possible in accordance with the GDPR.
Microsoft has in the meantime made the most urgent adjustments as agreed in the remedial plan. These include adding an option for administrators to limit the collection of data to a minimum and the possibility to verify the data collected. At the end of April 2019, Microsoft presented a new version of the software for verification. This new version has been tested and approved. Microsoft has implemented the promised improvements to Office ProPlus and Windows 10 Enterprise worldwide.
Additional agreements were made in May 2019, as agreed in the remedial plan, between the Dutch state and Microsoft, further detailing the obligations of central government organisations as data controllers and of Microsoft as data processor. These additional agreements concern the obligations relating to Microsoft products and services with an online component[i], including Office ProPlus and Windows 10 Enterprise, and the measures to address the eight risks with regard to Office ProPlus identified in the DPIA. The agreements primarily relate to risk 6 (‘insufficient purpose limitation/basis for authorised purposes’). This risk has been removed by including in the additional agreements:
- highly detailed agreements on the purposes for which Microsoft may use the controller’s data (including personal data) that falls within the scope of the agreements between the State and Microsoft;
- a ban on the use and distribution to third parties of data for the purposes of data analysis, profiling, advertising and market research, unless the State has issued written instructions permitting this;
- detailed agreements on how data is anonymised.[ii]
This means the risks identified in the DPIA have been satisfactorily addressed, so that no violations of the GDPR will occur if a central government organisation that falls under SLM Microsoft Rijk decides to use the Microsoft products and services in question and in doing so adheres to the implementation guidelines.
In order to assess Microsoft’s compliance with the contractual provisions and the GDPR – one of the data controller’s responsibilities – the Dutch state stipulated a procedure for exercising improved audit rights. These audits will take place annually and a summary of the findings will subsequently be published on SLM Microsoft’s website.
For the record, although product changes agreed with Microsoft by the Dutch state have been rolled out for all Enterprise customers worldwide, this is not the case for the additional agreements laying down the obligations of the data controller and data processor. SLM Microsoft’s scope only covers government bodies and the associated departmental and non-departmental agencies. The additional agreements therefore apply exclusively to the government bodies and non-departmental agencies that are party to the Central Government Microsoft Business and Services contract managed by SLM Microsoft Rijk.
For operational management reasons it is important that the current versions of a supplier’s software are used. These versions offer the best opportunities for keeping IT environments up-to-date, secure and protected against cyberattacks, and meet the requirements in recent legislation such as the GDPR.
In light of the results achieved, which have been set out above, SLM Microsoft Rijk sees no objections relating to the GDPR for organisations that fall under SLM Microsoft to use Microsoft Office ProPlus, Windows 10 Enterprise and Azure. However, organisations remain responsible in their role as data controller for deciding whether a product or service is suitable for a specific purpose. Factors such as information security and specific legislation that applies to the organisation must also be considered.
[i] These products and services are described in the Online Service Terms.
[ii] WP29 Opinion 05/2014 on Anonymisation Techniques (WP216)