You know it’s bad when an entity you authorized says you violated the law that you helped enact.
The European Data Protection Supervisor (EDPS) is an independent body that oversees the privacy practices of European institutions, including the European Commission itself. In an order dated March 11, 2024, the EDPS determined that the European Commission had violated several provisions of Regulation 2018/1725 (essentially the GDPR as it applies to EU institutions) through its use of the Microsoft 365 product, including by failing to provide appropriate safeguards for trans-border flows of personal data.
The EDPS also found that the data processing agreement (DPA) between the European Commission and Microsoft failed to sufficiently specify the types of personal data to be processed by Microsoft and the specific purposes for the transfer. This should serve as a reminder to all entities subject to the GDPR (either directly or as a processor) to ensure that the specificity requirements of the DPA and of the standard contractual clauses are met, rather than relying on high-level statements such as “as required to provide the services.”
As a result of the violations, the EDPS has ordered the European Commission to suspend, effective December 9, 2024, all data flows to Microsoft related to the use of Microsoft 365 that would be processed in countries without an adequacy decision. This gives the European Commission an opportunity to comply with a list of corrective measures outlined by the EDPS, which include performing a transfer-mapping exercise and fully complying with the processor contractual requirements of EU Regulation 2018/1725.
Following its investigation, the EDPS has found that the European Commission (Commission) has infringed several key data protection rules when using Microsoft 365. In its decision, the EDPS imposes corrective measures on the Commission.
View referenced article
Wojciech Wiewiórowski, EDPS, said: “It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI.”