EDPS closes proceedings after Commission fixes Microsoft 365 data protection issues
The European Commission has brought its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725 (EUDPR) after addressing the issues identified by the European Data Protection Supervisor (EDPS). The EDPS Decision of 8 March 2024 found infringements relating to purpose limitation, international transfers and unauthorised disclosures. The Commission submitted a compliance report in December 2024 and engaged in follow-up discussions with the EDPS. After receiving further information and a letter from the Commission dated 3 July 2025 describing additional and planned measures by both the Commission and Microsoft, the EDPS concluded on 11 July 2025 that the previously identified infringements had been remedied and closed the enforcement proceedings.
Key remedial actions addressed purpose limitation by clearly specifying the types of personal data processed and the purposes for which Microsoft 365 is used. Contractual, technical and organisational measures were updated to ensure Microsoft and its sub-processors act only on documented instructions and process data solely for specified public-interest purposes. The Commission also established that any further processing carried out within the European Economic Area (EEA) or, where necessary, outside the EEA, complies with applicable EU or Member State law or with third-country rules that provide an essentially equivalent level of protection.
The Commission narrowed and formalised the conditions for transfers to third countries by identifying the specific recipients and purposes for which transfers are permitted and by ensuring compliance with Article 47 of Regulation (EU) 2018/1725. Transfers outside the EU/EEA are now confined to the countries listed in the amended contract and must rest either on an adequacy decision or on the derogation for important reasons of public interest under Article 50(1)(d). The Commission also issued binding instructions to Microsoft and its sub-processors and implemented complementary technical and organisational measures to reduce the risk of unauthorised transfers.
Additional contractual clauses limit disclosures and notification exemptions so that only EU or Member State law may require Microsoft or its sub-processors to withhold notification of disclosure requests for data processed within the EEA. For data processed outside the EEA, withholding notification is only acceptable under third-country law that provides essentially equivalent protection. The EDPS welcomed the Commission’s role in sharing improvements to the Inter‑Institutional Licensing Agreement with other EU institutions, bodies, offices and agencies, and encouraged these entities to adopt comparable technical and organisational safeguards. The EDPS clarified that closing these proceedings relates only to the specific provisions examined and does not amount to a full assessment of all obligations under the Regulation.