EDPS Reviews European Commission’s Microsoft 365 Compliance
The European Data Protection Supervisor (EDPS) is reviewing the European Commission’s adherence to the EDPS decision of March 8, 2024, regarding the use of Microsoft 365. The Commission was required to demonstrate compliance by December 9, 2024. On December 6, 2024, the Commission submitted a compliance report to the EDPS. Wojciech Wiewiórowski, the EDPS, stated that the review of the provided information will be thorough due to the complexity of the processing operations involved.
The EDPS previously identified several violations of Regulation (EU) 2018/1725, which governs data protection for EU institutions. These violations included issues related to the transfer of personal data outside the EU and the European Economic Area (EEA). Consequently, the EDPS issued a suspension order requiring the Commission to halt all data flows to Microsoft and its affiliates located in countries without an adequacy decision. Additionally, the Commission was instructed to align its processing operations with specified compliance measures.
The ongoing court cases, T-262/24 and T-265/24, contesting the EDPS decision, prevent further comments from the EDPS at this time. Nevertheless, the EDPS emphasizes that the decision from March 2024 remains in effect and must be adhered to by the Commission.
The EDPS is an independent authority responsible for monitoring personal data processing by EU institutions and ensuring compliance with data protection laws. The investigation into the Commission’s use of Microsoft 365 began in May 2021, following the Schrems II judgment, and aimed to assess compliance with previous recommendations issued by the EDPS regarding Microsoft’s services.
Source: The EDPS follows up on the compliance of European Commission’s use of Microsoft 365