On behalf of the Dutch government, its Ministry of Justice and Security carried out a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR for Microsoft Office 2016 and 365, and found significant risks to user privacy and data protection, particularly with regard to non-compliance with certain GDPR provisions and the possible avoidance of data controller obligations by taking the position that they act exclusively as a data processor. This DPIA outcome may soon have significant implications for Facebook for Businesses, GSuite, MailChimp... as well.

A very interesting statement in the document is:

"Government organisations should also refrain from using the SharePoint/OneDrive online storage, and delay switching to the web-only version of Office 365 until Microsoft has provided adequate guarantees with regard to the types of personal data and purposes of the processing."

We reproduce the summary overview of the risks, quoting:

These circumstances lead to the following high data protection risks:

1. No overview of the specific risks for individual organisations due to the lack of transparency (no data viewer tool, no public documentation)

2. No possibility to influence or end the collection of diagnostic data (no settings for telemetry levels)

3. The unlawful storage of sensitive/classified/special categories of data, both in metadata and in content, such as for example subject lines of e-mails

4. The incorrect qualification of Microsoft as a data processor, instead of a joint controller as defined in article 26 of the GDPR

5. Not enough control over sub-processors and factual processing

6. The lack of purpose limitation both for the processing of historically collected diagnostic data and the possibility to dynamically add new events

7. The transfer of (all kinds of) diagnostic data outside of the EEA, while the current legal ground is the Privacy Shield and the validity of this agreement is subject of a procedure at the European Court of Justice

8. The indefinite retention period of diagnostic data and the lack of a tool to delete historical diagnostical data


Full text at
