After its inquiry, the European Data Protection Supervisor (EDPS) found that the European Commission breached numerous essential data protection rules while using Microsoft 365. As a consequence, the EDPS has mandated that the Commission implement specific corrective actions. 

The EDPS discovered that the Commission breached several provisions of EU Regulation 2018/1725, which sets out the EU data protection rules for EU institutions and entities, notably those regarding data transfers outside the European Economic Area (EEA). Specifically, it did not ensure that transferred personal data received protection equivalent to that provided within the EEA. Additionally, the Commission’s contract with Microsoft lacked detailed specifications on the collection and intended use of personal data via Microsoft 365. The Commission’s breaches involved inadequate data processing carried out on its behalf, including transfers of personal data.

As a result, the EDPS has mandated that, starting 9 December 2024, the Commission must halt all data transfers from its use of Microsoft 365 to Microsoft and its related entities in non-EEA countries lacking adequacy decisions. Additionally, the Commission is required to align its Microsoft 365-related data handling practices with Regulation 2018/1725, ensuring all operations are compliant by the specified date.

In its press release, the EDPS notes that it recognizes the importance of not hindering the Commission’s ability to carry out its tasks in the public interest or to exercise the official authority vested in it, while also giving the Commission sufficient time to adjust its data flows and align its data processing practices with the requirements of Regulation 2018/1725.

Background information 

In May 2021, the EDPS launched an investigation into the Commission’s usage of Microsoft 365, following the Schrems II decision. The purpose was to assess whether the Commission adhered to the EDPS’s earlier recommendations concerning Microsoft’s products and services within EU institutions. This inquiry is a component of the EDPS’s involvement in the 2022 Coordinated Enforcement Action led by the EDPB. 

If your organization has questions about international data transfers, contact us at info@dpoconsultancy.nl for assistance.  

Source: https://www.edps.europa.eu/system/files/2024-03/EDPS-2024-05-European-Commission_s-use-of-M365-infringes-data-protection-rules-for-EU-institutions-and-bodies_EN.pdf