On March 24, 2024, the European Data Protection Supervisor (EDPS) confirmed that the European Commission breached data protection provisions of Regulation (EU) 2018/1725 in its use of Microsoft 365.

The breaches were identified based on information provided by Microsoft Ireland Operations Limited. They include a failure to provide adequate safeguards to ensure that personal data transferred outside the European Union received a level of protection equivalent to that guaranteed in the EU/EEA. Another violation was the failure to specify, in the use of Microsoft 365, the types of personal data to be collected and the explicit and specific purposes for which they would be used.

Thus, the EDPS ordered the European Commission to suspend, as of December 9, 2024, all data flows arising from the use of Microsoft 365 to Microsoft and its affiliates and subcontractors located in countries outside the EU/EEA that are not covered by an adequacy decision. In addition, the EDPS has ordered the Commission to ensure that the processing operations resulting from the use of Microsoft 365 comply with Regulation (EU) 2018/1725. The Commission has until December 9, 2024, to demonstrate compliance with both orders.


From the bulletin LGDP Express no. 05/24.