The EU’s data protection watchdog found that the European Commission (EC) infringes on several key data protection regulations when using Microsoft 365. Because the data flows and is processed outside of the EU, the European Data Protection Supervisor (EDPS) ordered the Commission to “demonstrate compliance.”
The EU’s data protection law restricts transfers of personal data outside the EU and European Economic Area (EEA).
The EDPS investigation, which opened in May 2021, reveals that the European Commission does not comply with “several key data protection” regulations of the European Union.
The EC has failed to provide appropriate safeguards to ensure that transferred personal data is protected on an equivalent level.
“In its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365. The Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf,” the EDPS press release reads.
The EDPS also noted the impact “on a large number of individuals.”
The watchdog has ordered the EC to suspend all inadequately protected data flows resulting from its use of Microsoft 365 and bring the processing operations into compliance with the regulation.
“The Commission must demonstrate compliance with both orders by 9th December 2024,” the EDPS said, adding that it considered the corrective measures to be appropriate, necessary, and proportionate “in light of the seriousness and duration of the infringements found.”
“It is the responsibility of the EU institutions, bodies, offices, and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI,” Wojciech Wiewiórowski, the European Data Protection Supervisor, said.
The supervisor said he allowed “appropriate time” so as not to compromise the EC’s ability to carry out its tasks in the public interest.