European commission’s use of Microsoft 365 infringes data protection law for EU institutions and bodies

The European Data Protection Supervisor (EDPS) has found that the EU Commission has breached several provisions of EU data protection law applicable to EU institutions, bodies, offices and agencies, including the provisions on the transfer of personal data outside the EU/European Economic Area (EEA). In particular, the Commission has failed to provide for appropriate safeguards to ensure that personal data transferred outside the EU/EEA enjoy an essentially equivalent level of protection to that guaranteed in the EU/EEA. In addition, the Commission did not sufficiently specify in its contract with Microsoft what types of personal data should be collected when using Microsoft 365 and for what clear and specified purposes. The infringements committed by the Commission, as a controller, also relate to data processing, including the transfer of personal data carried out on its behalf. The EDPS has therefore decided to instruct the Commission, with effect from 9 December 2024, to suspend all data transfers resulting from the use of Microsoft 365 to Microsoft and its affiliates and sub-processors in countries outside the EU/EEA that are not covered by an adequacy decision. The EDPS has also decided to instruct the Commission to bring the processing operations resulting from the use of Microsoft 365 into line with Regulation (EU) 2018/1725. The Commission has until 9 December 2024 to demonstrate that it complies with both orders.

For more information please click here.