Good morning, the Emperor has no clothes: on the unsustainable inconsistency of the GDPR (aka "If not even the European institutions are able to exercise control over their own data, it means that in the digital realm we are in bad shape, really bad, bad, verging on the unrecoverable."):

https://edps.europa.eu/sites/edp/files/publication/20-07-02_edps_euis_micros...

--8<---------------cut here---------------start------------->8---
[...]

The EDPS made the following key findings in its investigation into the EU institutions' use of Microsoft products and services.

First, the licensing agreement between Microsoft and the EU institutions allowed Microsoft to define and change the parameters of its processing activities carried out on behalf of EU institutions and contractual data protection obligations. The discretion that Microsoft had amounted to a broad right for Microsoft to act as a controller. Given the EU institutions' role as public service institutions, the EDPS did not consider this appropriate. The EDPS recommended to EU institutions that they act to retain controllership.

Second, EU institutions needed to put in place a comprehensive and compliant controller-processor agreement and documented instructions of the EU institutions to the processors. Their lack of control over which sub-processors Microsoft used and lack of meaningful audit rights also presented significant issues. The EDPS made recommendations on how to improve the controller-processor agreement and put robust audit checks in place.

Third, EU institutions faced a number of linked issues concerning data location, international transfers and the risk of unlawful disclosure of data. They were unable to control the location of a large portion of the data processed by Microsoft. Nor did they properly control what was transferred out of the EU/EEA and how. There was also a lack of proper safeguards to protect data that left the EU/EEA. EU institutions also had few guarantees at their disposal to defend their privileges and immunities and ensure that Microsoft would only disclose personal data insofar as permitted by EU law. The EDPS made recommendations to assist EU institutions in addressing these issues.

Fourth, the EDPS considered the technical measures that the Commission had put in place to stem the flow of personal data generated by Microsoft products and services and sent to Microsoft. The EDPS recommended that all EU institutions perform tests using a revised and comprehensive approach, share among them the knowledge and technical solutions they developed to prevent unauthorised data flows to Microsoft and inform each other of any data protection issues they identify with the products or services.

Fifth, the EU institutions had insufficient clarity as to the nature, scope and purposes of the processing and the risks to data subjects to be able to meet their transparency obligations towards data subjects. The EDPS recommended that EU institutions seek the clarity and assurances allowing them to keep data subjects properly informed.

[...]
--8<---------------cut here---------------end--------------->8---

...and this is only the beginning; the report should be read in full, even in small doses.

Regards, Giovanni.

P.S.: does it leave you too with a strange feeling of BEWILDERMENT that analyses of contracts like this one are carried out AFTER more than two years from their signing, almost as if the European institutions did not have sufficient legal resources to do it BEFORE?!?

P.P.S.: the mere fact that it is the European institutions that have to negotiate to obtain some amendments to the standard contracts of one of these companies, and not THE OTHER WAY AROUND, says a lot about the level of power that certain companies have managed to obtain, well beyond that of nations, even when coalesced together in the EU.

-- 
Giovanni Biscuolo