The European Data Protection Supervisor (EDPS) is examining the European Commission’s compliance with its decision of 8 March 2024 regarding the use of Microsoft 365.
Under the decision, the European Commission had until yesterday, 9 December 2024, to demonstrate compliance with EDPS orders. On 6 December 2024, the Commission submitted to the EDPS a report on compliance with the EDPS decision of 8 March 2024.
Wojciech Wiewiórowski, EDPS, said: “The EDPS is currently reviewing the information provided to assess whether the European Commission has complied with the decision of March 2024. Given the extensive scope of the information and the complexity of the processing operations involved, this analysis will require careful consideration and will be conducted thoroughly within an appropriate timeframe.”
Following its investigation, the EDPS had found that the European Commission infringed several provisions of Regulation (EU) 2018/1725, the EU’s data protection law for EU institutions, bodies, offices and agencies (EUIs), including those on transfers of personal data outside the EU/European Economic Area (EEA).
In its decision of 8 March 2024, the EDPS ordered the European Commission to:
- suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors, located in countries outside the EU/EEA not covered by an adequacy decision (‘suspension order’);
- bring processing operations resulting from its use of Microsoft 365 into compliance by taking specified actions (‘compliance order’).
Given the ongoing court proceedings in which the EDPS decision is contested (Cases T-262/24 and T-265/24), the EDPS will not provide more comments. The EDPS reiterates that the decision of 8 March 2024 remains fully applicable.
Background information
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
About the EDPS: The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy, and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness of risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
About the EDPS’ investigation into the Commission’s use of Microsoft 365: This investigation was opened in May 2021 following the Schrems II judgment. Its aim was to verify the Commission’s compliance with the Recommendations previously issued by the EDPS on the use of Microsoft’s products and services by EU institutions and bodies. This investigation is part of the EDPS’ actions in the context of the EDPS’ participation in the 2022 Coordinated Enforcement Action of the EDPB. For more information, please read the EDPB Report on the 2022 Coordinated Enforcement Action. In March 2024, the EDPS issued its decision on the Commission’s use of Microsoft 365.
About EDPS Investigations: For more information on the EDPS’ investigation process, see the EDPS Investigation Policy and the EDPS Investigation Factsheet on the EDPS website.
The European Data Protection Supervisor (EDPS) is the independent supervisory authority for protecting personal data and privacy and promoting good practice in the EU institutions and bodies.
He does so by:
- monitoring the EU administration’s processing of personal data;
- monitoring technological developments and advising on policies and legislation that affect privacy and personal data protection;
- carrying out investigations, including in the form of data protection audits/inspections;
- cooperating with other supervisory authorities to ensure consistency in the protection of personal data.
EDPS – The EU’s Independent Data Protection Authority