On 12 April, the European Data Protection Supervisor (EDPS) reported in a press release that it has reprimanded Frontex for a breach of the data protection regulation applicable to EU institutions, offices, bodies, and agencies.
The institution found that Frontex transferred all of its services “to the cloud without a timely, exhaustive assessment of the data protection risks and without the identification of appropriate mitigating measures or relevant safeguards for processing”.
The EDPS launched an investigation in 2020 after the head of Frontex informed the EDPS that the agency was going to move all of its services to the cloud in several progressive steps.
Frontex “failed to demonstrate the necessity of the planned cloud services, as it has not shown that the chosen solution (‘Microsoft 365’) was the outcome of a thorough process whereby the existence of data protection compliant, alternative products and services meeting Frontex’s specific needs were assessed”.
Furthermore, “Frontex failed to demonstrate that it limited Microsoft’s collection of personal data to what is necessary”. Frontex has therefore breached the accountability principle and its obligations as a controller as well as the requirements of data protection by design and by default.
Link to the decision: https://aeur.eu/f/186 (Original version in French by Solenn Paulic)