European Commission brings use of Microsoft 365 into compliance with data protection rules for EU institutions and bodies
Following enforcement proceedings by the European Data Protection Supervisor (EDPS), the European Commission has demonstrated compliance with Regulation (EU) 2018/1725 in relation to its use of Microsoft 365 as examined by the EDPS. This follows the EDPS’ Decision of 8 March 2024, which identified a number of infringements and imposed corrective measures on the Commission.
After receiving a compliance report in December 2024, the EDPS held several discussions with the Commission services to obtain necessary clarifications. On that basis, and in particular following the Commission’s letter of 3 July 2025 on additional measures implemented and scheduled by the Commission and Microsoft, the EDPS has concluded in his letter of 11 July that the infringements identified in the EDPS’ 2024 Decision have been remedied.
Wojciech Wiewiórowski, Supervisor, said: “Thanks to our thorough investigation, and the Commission’s follow-up, we have jointly contributed to a significant improvement of data protection compliance in the Commission’s use of Microsoft 365. We also acknowledge and appreciate Microsoft’s efforts to align with the Commission’s requirements stemming from the EDPS decision of March 2024. This is a meaningful and shared success, and a strong signal of what can be achieved through constructive cooperation and effective supervision.”
The key improvements and compliance measures applied by the Commission include:
- Purpose Limitation: The Commission has explicitly specified the types of personal data processed and the purposes of processing in its use of Microsoft 365. Through updated contractual, technical, and organisational measures, it has ensured that Microsoft and sub-processors process data solely based on documented instructions and only for specified purposes in the public interest. The Commission has also ensured that further processing is carried out within the European Economic Area (EEA) as required by EU or Member State law or, outside the EEA, in compliance with third-country law that ensures a level of protection essentially equivalent to that in the EEA.
- Transfers to Third Countries: The Commission has also determined the specific recipients and purposes for which personal data in its use of Microsoft 365 is allowed to be transferred, and ensured compliance with Article 47 of Regulation (EU) 2018/1725. This is complemented by technical and organisational measures implemented by the Commission and Microsoft, thereby reducing the possibility of transfers occurring to third countries not covered by an adequacy decision. Transfers outside the EU/EEA are now limited to countries listed in the amended contract and rely either on adequacy decisions or on the derogation for important reasons of public interest, as per Article 50(1)(d) of Regulation (EU) 2018/1725. The Commission has also issued binding instructions to Microsoft and its sub-processors in that respect.
- Disclosures and Notifications: Additional contractual provisions ensure that only EU or Member State law may require that Microsoft or its sub-processors omit notification to the Commission of disclosure requests for personal data in the Commission’s use of Microsoft 365 processed within the EEA, or that they disclose such data. For data processed outside the EEA, the same may be required under third-country law as long as it provides an essentially equivalent protection. All this complements the existing technical and organisational measures implemented by the Commission and Microsoft for personal data processed within and outside of the EEA.
- Conclusion of Proceedings: In view of the measures taken, the factual situation has substantially changed compared to the one examined in the EDPS Decision of 8 March 2024. As a result, the EDPS has found that the infringements identified have been remedied, and has therefore closed its enforcement proceedings.
A signal to other EU institutions, bodies, offices and agencies
The Commission has made the recent improvements to the Inter-Institutional Licensing Agreement with Microsoft available to other EU institutions, bodies, offices and agencies (EUIs) that are contracting Microsoft 365 under this contract.
Wojciech Wiewiórowski, Supervisor, said: “The EDPS welcomes such a proactive approach of the Commission in its role of the lead contracting authority to assist other EUIs. The EDPS calls on other EUIs that are considering or already using Microsoft 365 services, to carry out similar assessments and to implement technical and organisational measures comparable to those adopted by the Commission. Such measures are necessary to ensure compliance with Regulation (EU) 2018/1725.”
The EDPS also notes that these proceedings focused on specific provisions of Regulation (EU) 2018/1725. Their closure does not imply that the EDPS has assessed or confirmed the Commission’s overall compliance with other provisions of the Regulation that were not part of this examination.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
About the EDPS: The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
About the EDPS’ investigation into the Commission’s use of Microsoft 365: The EDPS opened an investigation into the Commission’s use of Microsoft 365 in May 2021. In its Decision of 8 March 2024 (Case 2021-0518), the EDPS found several infringements of Regulation (EU) 2018/1725, concerning purpose limitation, international data transfers and unauthorised disclosures of personal data. In its Decision, the EDPS consequently imposed corrective measures on the Commission. In the present enforcement proceedings, the EDPS has assessed the actions that the Commission took following the EDPS’ Decision of 8 March 2024.
Regulation (EU) 2018/1725 is the data protection framework applicable to EU institutions, bodies, offices and agencies. It sets out the responsibilities of data controllers and processors, including obligations related to EUIs’ control over the processing carried out on their behalf, purpose limitation, data transfers, and data security.
The EDPS is the independent data protection authority for the EU institutions and bodies. More information about its investigations and activities is available on the EDPS website.
About EDPS Investigations: For more information on the EDPS’ investigation process, please consult the EDPS Investigation Policy and the EDPS Investigation Factsheet on the EDPS website.