The European Data Protection Supervisor (“EDPS”) has found that the European Commission (the “Commission”) has infringed several provisions of the data protection Regulation (EU) 2018/1725 when using Microsoft 365.
In particular, the EDPS considers that the Commission has failed to:
- provide appropriate safeguards to ensure that personal data transferred outside the European Union are afforded a level of protection essentially equivalent to that guaranteed in the European Union; and
- specify clearly what types of personal data are to be collected and for which explicit and specified purposes.
As a consequence of these findings, the EDPS has decided to impose corrective measures on the Commission, effective on 9th December 2024; specifically:
- to suspend all data flows to Microsoft and to its affiliates and sub-processors located in countries outside the European Union that are not covered by an adequacy decision; and
- to bring the processing operation resulting from the use of Microsoft 365 into compliance with Regulation (EU) 2018/1725.
The EDPS’ investigation started in May 2021, following the Schrems II Judgement and before the Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, in which the Commission concluded that United States companies adhering to the new privacy framework ensure an adequate level of protection for personal data transferred from the European Union.
The aim of this procedure is to verify the Commission’s compliance with the Recommendations previously issued by the EDPS on the use of Microsoft’s products and services: https://www.edps.europa.eu/data-protection/our-work/publications/investigations/outcome-own-initiative-investigation-eu_en
This investigation forms part of the EDPS’ participation in the 2022 Coordinated Enforcement Action of the European Data Protection Board (“EDPB”).