The EDPS has issued a directive, effective as of 9 December 2024, instructing the Commission to cease all data transfers resulting from its utilisation of Microsoft 365 to Microsoft and its affiliated and sub-processing entities situated in non-EU/EEA countries lacking adequacy decisions.


The EDPS finds violations of several key data protection rules in the EC's use of Microsoft 365. (Credit: EmDee/Wikipedia.org)

The European Data Protection Supervisor (EDPS) said that it has found violations of several key data protection rules in the European Commission (EC)’s use of Microsoft 365.

According to the EDPS, the EC has breached various provisions of Regulation (EU) 2018/1725, the European Union (EU)’s data protection law for the EU institutions, bodies, offices and agencies (EUIs).

These violations specifically concern the rules governing transfers of personal data outside the EU/European Economic Area (EEA).

The Commission has specifically failed to take the necessary steps to ensure that personal data transferred outside the EU/EEA is afforded a level of protection essentially equivalent to that guaranteed within the EU/EEA, said the EDPS.

In addition, in its contract with Microsoft, the EC did not sufficiently specify which categories of personal data would be collected, or the specific and explicit purposes for which they would be processed, when using Microsoft 365.

Furthermore, the EDPS stated that the Commission’s infringements as data controller also extend to processing, including transfers of personal data, carried out on its behalf.

Accordingly, the EDPS has ordered the Commission, with effect from 9 December 2024, to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA that are not covered by an adequacy decision.

The Supervisor has also asked the EC to bring the processing operations resulting from its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725.

EDPS Wojciech Wiewiórowski said: “It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures.

“This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI.”