In February 2023, the EDPS (EUROPEAN DATA PROTECTION SUPERVISOR) has started piloting the use of the Open Source Software Nextcloud and LibreOffice Online. Together, they offer the possibility to share files, send messages, make video calls, and allows collaborative drafting, in a secured cloud environment.
The contract negotiated by the EDPS with an EU-based service provider is accessible to all EU institutions, bodies, offices and agencies (EUIs), and ensures compliance with the EU’s data protection law applicable to EUIs, Regulation (EU) 2018/1725, as well as other rules specifically applicable to EUIs as an international organisation.
Wojciech Wiewiórowski, EDPS, said: “Open Source Software offers data protection-friendly alternatives to commonly used large-scale cloud service providers that often imply the transfer of individuals’ personal data to non-EU countries. Solutions like this may therefore minimise reliance on monopoly providers and detrimental vendor lock-in. By negotiating a contract with an EU-based provider of cloud services, the EDPS is delivering on its commitments, as set out in its 2020-2024 Strategy, to support EUIs in leading by example to safeguard digital rights and process data responsibly.”
By procuring the Open Source Software from one single entity in the EU, the use of sub-processors is avoided. In doing so, the EDPS avoids data transfers to non-EU countries and allows for a more effective control over the processing of personal data.
The EDPS will assess in the coming months how these tools can support EUIs’ day-to-day work. This pilot phase is part of a larger IT reflection process that the EDPS already started last year aimed at encouraging EUIs to consider alternatives to large-scale service providers to ensure better compliance with Regulation