European Commission’s use of Microsoft 365 infringes data protection law for EU institutions and bodies

Following its investigation, the EDPS has found that the European Commission (Commission) has infringed several key data protection rules when using Microsoft 365. In its decision, the EDPS imposes corrective measures on the Commission.

The EDPS has found that the Commission has infringed several provisions of Regulation (EU) 2018/1725, the EU’s data protection law for EU institutions, bodies, offices and agencies (EUIs), including those on transfers of personal data outside the EU/European Economic Area (EEA). In particular, the Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA. Furthermore, in its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365. The Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.

Wojciech Wiewiórowski, EDPS, said: “It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI.”

The EDPS has therefore decided to order the Commission, effective on 9 December 2024, to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision. The EDPS has also decided to order the Commission to bring the processing operations resulting from its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725. The Commission must demonstrate compliance with both orders by 9 December 2024.

The EDPS considers that the corrective measures it imposes (see annex for a detailed excerpt) are appropriate, necessary and proportionate in light of the seriousness and duration of the infringements found.

Many of the infringements found concern all processing operations carried out by the Commission, or on its behalf, when using Microsoft 365, and impact a large number of individuals.

The EDPS also takes into account the need not to compromise the Commission’s ability to carry out its tasks in the public interest or to exercise official authority vested in the Commission, and the need to allow appropriate time for the Commission to implement the foreseen suspension of relevant data flows, and to bring the processing of data into compliance with Regulation (EU) 2018/1725.

The measures imposed by the EDPS in its decision of 8 March 2024 are without prejudice to any other or further action that the EDPS may undertake.

The findings of infringements and corrective measures imposed by the EDPS in its decision can be found in annex.