
European Commission’s use of Microsoft 365 infringes data protection law for EU institutions and bodies

11 Mar 2024

Following its investigation, the EDPS has found that the European Commission (Commission) has infringed several key data protection rules when using Microsoft 365. In its decision, the EDPS imposes corrective measures on the Commission.

The EDPS has found that the Commission has infringed several provisions of Regulation (EU) 2018/1725, the EU’s data protection law for EU institutions, bodies, offices and agencies (EUIs), including those on transfers of personal data outside the EU/European Economic Area (EEA). In particular, the Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA. Furthermore, in its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365. The Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.

Wojciech Wiewiórowski, EDPS, said: “It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI.”

The EDPS has therefore decided to order the Commission, effective on 9 December 2024, to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision. The EDPS has also decided to order the Commission to bring the processing operations resulting from its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725. The Commission must demonstrate compliance with both orders by 9 December 2024.

The EDPS considers that the corrective measures it imposes (see the annex for a detailed excerpt) are appropriate, necessary and proportionate in light of the seriousness and duration of the infringements found.

Many of the infringements found concern all processing operations carried out by the Commission, or on its behalf, when using Microsoft 365, and impact a large number of individuals.

The EDPS also takes into account the need not to compromise the Commission’s ability to carry out its tasks in the public interest or to exercise official authority vested in the Commission, and the need to allow appropriate time for the Commission to implement the foreseen suspension of relevant data flows, and to bring the processing of data into compliance with Regulation (EU) 2018/1725.

The measures imposed by the EDPS in its decision of 8 March 2024 are without prejudice to any other or further action that the EDPS may undertake.

The findings of infringements and the corrective measures imposed by the EDPS in its decision can be found in the annex.

Background information

The rules for data protection in the EU institutions, bodies, offices and agencies, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.

Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.

About the EDPS’ investigation into the Commission’s use of Microsoft 365: This investigation was opened in May 2021 following the Schrems II judgment. Its aim was to verify the Commission's compliance with the Recommendations previously issued by the EDPS on the use of Microsoft's products and services by EU institutions and bodies. This investigation is part of the EDPS’ actions in the context of the EDPS’ participation in the 2022 Coordinated Enforcement Action of the EDPB. For more information, please read the EDPB Report on the 2022 Coordinated Enforcement Action.

About EDPS Investigations: For more information on the EDPS’ investigation process, please see the EDPS Investigation Policy and the EDPS Investigation Factsheet on the EDPS website.