The European Data Protection Supervisor (EDPS) today (11 March) found that the European Commission violated data protection rules in its use of Microsoft 365.
The EDPS is an independent authority for personal data protection in EU institutions.
The EDPS claims the Commission infringed the EU’s data protection law by not ensuring protection for personal data transferred outside the EU.
The Commission’s contract with Microsoft lacked specificity on the types of personal data collected and its purpose.
The EDPS has ordered the Commission to halt data flows to Microsoft 365 and its affiliates in non-EU countries. The Commission has until December 2024 to bring its operations into compliance.
Corrective measures include ensuring explicit data collection purposes and compliance with data protection regulations.
The investigation, which began in May 2021, focuses on the Commission’s compliance with EDPS recommendations on Microsoft’s products and services.
The corrective measures include suspension of data flows, bringing processing into compliance, and issuing a reprimand to the Commission for various infringements.
EDPS says the Commission failed to ensure purpose limitation, proper safeguarding of data transfers outside the EU, and prevention of unauthorised disclosures of personal data.