https://edps.europa.eu/press-publications/press-news/press-releases/2019/edp... Wojciech Wiewiórowski, Assistant EDPS, said: “New data protection rules for the EU institutions and bodies came into force on 11 December 2018. Regulation 2018/1725 introduced significant changes to the rules governing outsourcing. Contractors now have direct responsiblities when it comes to ensuring compliance. However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks. It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.” [...] It is in this spirit of cooperation that the EDPS takes note of the Data Protection Impact Assessment Report on diagnostic data in Microsoft Office ProPlus of 5 November 2018, commissioned by the Dutch Ministry of Justice and Security. Any EU institutions using the Microsoft applications investigated in this report are likely to face similar issues to those encountered by national public authorities, including increased risks to the rights and freedoms of individuals.