DPA’s Supervision and Compliance of ICT, Cloud and Communications’ Providers


  • Wojciech Wiewiórowski


  • Paul van den Berg
  • Andres Barreto Gonzalez
  • Maryant Fernández Perez
  • Amanda Edmunds

Organisation: EDPS

Room: Online 3

Timing: 16:00 - 17:15 on 27 January 2021

EU controllers’ accountability includes the creation design of compliant processing systems, e.g. by observing data protection by design and by default. In practice, public authorities in the EU are using the systems and applications provided by large companies, often with built-in tracking and data collection features, based on the companies’ standards, and frequently unilateral terms and conditions. Some argue that the available technology limits their capability to achieve data protection compliance and that terms and conditions cannot be adapted to specific processing operations.

In line with its 2020-2024 strategy, the EDPS concluded an investigation on widely used office automation tools by the EU institutions. Findings and recommendations on the use of Microsoft products and services by EU institutions are likely to be of interest to all public authorities in EU/EEA Member States. This concrete case helps to assess the EDPS’ strategic objective, like that of other DPAs, to ensure that public administrations in their contractual relationships with ICT service providers use terms that reinforce the public administrations’ control over how and for which what purpose personal data is processed.

• How can DPAs use their enforcement powers through supervision of public authorities to influence the data protection compliance of ICT service providers, including cloud service and communications providers?
• What is the role of ICT providers with regard to public administrations and how do their practices affect consumers and clients of public authorities?
• How should public authorities shape their contractual and business relationships with service providers and systems developers in order to improve data protection compliance?
• What should be a controller-processor contract in terms of form and content and how it could guarantee that controllers keep control and ensure fair and lawful processing of personal data of citizens?


Wojciech Wiewiórowski


European Data Protection Supervisor (EDPS). Adjunct professor in the Faculty of Law and Administration of the University of Gdańsk. He was among others adviser in the field of e-government and information society for the Minister of Interior and Administration, the Director of the Informatisation Department at the Ministry of Interior and Administration. He also represented Poland in committee on Interoperability Solutions for European Public Administrations (the ISA Committee) assisting the European Commission.
The Inspector General for the Protection of Personal Data (Polish Data Protection Commissioner) 2010-2014 and the Vice Chair of the Working Party Art. 29 in 2014. From December 2014 to December 2019, he was Assistant European Data Protection Supervisor. After the death of the Supervisor - Giovanni Buttarelli in August 2019 - he replaced Mr. Buttarelli as acting EDPS. European Parliament and Council appointed him as European Data Protection Supervisor from 6 December 2019.
His areas of scientific activity include first of all Polish and European IT law, processing and security of information, legal information retrieval systems, informatisation of public administration, and application of new IT tools (semantic web, legal ontologies, cloud, blockchain) in legal information processing.


Paul van den Berg

Dutch Ministry of Justice and Security (NL)

Managing the relationship between Microsoft and Dutch central government organisations. Focussing on the challenges and opportunities when using Cloud products and services in a GDPR compliant way. Negotiating the indispensable contract amendments to achieve this. Architecting compliant implementations.

Andres Barreto Gonzalez

Data Protection Authority of Colombia (CO)

Andrés Barreto was appointed as Superintendent of Industry and Commerce in August 2018. He holds a law degree (JD) from the Rosario University, Colombia as well as two Master’s degrees one in International Affairs from the Universities (Externado/Columbia/SciencesPo) and the second in International Legal Studies from the University of Barcelona (Spain). He has over ten years’ experience working as a lawyer, professor and researcher in the fields of public, business and international law. He is a member of the Colombian Academy of International Law (ACCOLDI), the International Bar Association (IBA) and the Colombian Jurists’ Association (CCJ), where he serves as Secretary General.

Maryant Fernández Perez


Maryant is a lawyer and Senior Digital Policy Officer at BEUC - The European Consumer Organisation, where she represents 44 consumer associations from 32 countries. With more than six years of experience in Brussels, she defends consumer interests in the fields of telecommunications, platform regulation, digital trade, privacy and data protection. She is also part of the Board of Women AT Privacy and the 'Data Protection On The Ground Chair' at the Vrije Universiteit Brussel. Previously, she worked at European Digital Rights (EDRi), was the EU digital committee Chair of the Transatlantic Consumer Dialogue, a member of the NetCompetition Alliance Steering Group as well as the European Commission’s Trade Expert Group.

Amanda Edmunds

Office of the Privacy Commissioner of Canada (CA)

Since 2019 Amanda Edmunds has led the Office of the Privacy Commissioner’s compliance work with federal government institutions, including investigations of a broad range of privacy practices by federal government institution. Previously, since 2012, Amanda Edmunds managed complaint intake and data breach investigations under Canada’s federal private sector privacy law. In this role she led a number of investigations examining safeguards of mass data, including technical, organizational and contractual measures. This included the OPC’s investigation of the Ashley Madison data breach in 2016, and the Equifax data breach in 2017.