European Commission ordered to bring Microsoft 365 use in line with EU data rules

The EDPS investigated the European Commission over its Microsoft 365 use.
Copyright Michel Euler/Copyright 2016 The AP. All rights reserved. This material may not be published, broadcast, rewritten or redistribu
By Cynthia Kroet

The commission will have to demonstrate compliance with the orders by 9 December 2024.

The European Commission has been ordered to bring its use of Microsoft 365 office programs in line with EU data protection rules, the European Data Protection Supervisor (EDPS) said today (11 March) following an investigation.

The EDPS, the watchdog for data protection issues at EU institutions, said the commission breached EU rules including those on transfers of personal data outside the EU or European Economic Area (EEA). In its contract with Microsoft, the commission did not sufficiently specify what types of personal data are to be collected and for which purposes.

The commission now needs to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA that are not covered by a data transfer agreement.

Wojciech Wiewiórowski, the EDPS supervisor, said in a statement: “It is the responsibility of the EU institutions, bodies, offices and agencies to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures.”

Data flows

The EDPS said that the corrective measures are appropriate, necessary and proportionate in light of the seriousness and duration of the infringements found. The EDPS also takes into account the need not to compromise the commission’s ability to carry out its tasks in the public interest.

The EU has adequacy agreements with Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the UK, the United States and Uruguay. For data flows with other countries, EU companies and institutions first need to establish safeguards for their use through data protection authorities.
