The EU’s privacy agency said that the European Commission infringed several key data protection rules when using Microsoft’s (NASDAQ:MSFT) 365 product suite.
The European Data Protection Supervisor, or EDPS, said the Commission infringed several provisions of the EU’s data protection law for EU institutions, bodies, offices and agencies, or EUIs, including those on transfers of personal data outside the EU/European Economic Area, or EEA.
In particular, the Commission failed to provide adequate safeguards for personal data transferred outside the EU/EEA.
In addition, in its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which purposes when using Microsoft 365, the EDPS noted.
The privacy watchdog added that the Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.
The EDPS ordered the Commission, effective Dec. 9, 2024, to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates located in countries outside the EU/EEA not covered by an adequacy decision.
In addition, the EDPS ordered the Commission to bring the processing operations resulting from its use of Microsoft 365 into compliance with EU rules.
The Commission should comply with both orders by Dec. 9 of this year, according to the EDPS.
The probe was opened in May 2021 with the aim of verifying the Commission’s compliance with the recommendations previously issued by the EDPS on the use of Microsoft’s products and services by EU institutions.