© 2025 CoolTechZone - Latest tech news,
product reviews, and analyses.

EDPS will check whether the European Commission’s use of Microsoft 365 is compliant with regulation


The European Data Protection Supervisor (EDPS) is going to investigate whether the European Commission’s use of Microsoft 365 is compliant with Regulation 2018/1725.

In March of this year, the independent supervisory authority ruled that the European Commission’s use of Microsoft 365 violated the privacy laws for institutions in the European Union.

According to the EDPS, the Commission didn’t provide sufficient guarantees that personal data sent outside the EU was as well protected as within the EU. Furthermore, in the contract with Microsoft on the use of Microsoft 365, the European Commission hadn’t made it sufficiently clear what personal data Microsoft was allowed to collect and for what purposes.

“It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures,” the EDPS stated at the time.

The European Commission was instructed to stop using Microsoft’s productivity software as of December 9, 2024, and stop all data flows to Microsoft, its partners and sub-processors located outside the EU that don’t offer the same level of protection compared to the EU. Lastly, the Commission was directed to bring the use of Microsoft 365 into compliance by taking specified actions.

On December 6, the European Commission submitted a report to the EDPS on compliance with the supervisor’s decision of last March. Currently, the EDPS can’t say for sure that the European Commission’s use of Microsoft 365 is compliant.

“The EDPS is currently reviewing the information provided to assess whether the European Commission has complied with the decision of March 2024. Given the extensive scope of the information and the complexity of the processing operations involved, this analysis will require careful consideration and will be conducted thoroughly within an appropriate timeframe,” European Data Protection Supervisor Wojciech Wiewiórowski says in a press release.

In March, both Microsoft and the European Commission objected to the EDPS’ decision. Legal proceedings on the matter are ongoing.


Leave a Reply

Your email address will not be published. Required fields are marked