EC's Microsoft 365 Use Now Complies with Privacy Law, Says Supervisor
The European Commission has cleaned up its act protecting data related to its use of Microsoft 365, the European Data Protection Supervisor (EDPS) announced Monday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
In March 2024, the EDPS found the EC guilty of several infringements of Regulation (EU) 2018/1725 in its use of Microsoft 365 and ordered corrective action. The regulation sets rules for processing personal data by EU institutions and bodies.
After discussions with the EC, and a December 2024 compliance report from it, the EDPS notified the EC July 11 that the issues were remedied.
Among other things, the EC specified what types of personal data it processes with Microsoft 365 and why, the EDPS said.
The EC also determined the recipients and purposes for which personal data it uses in Microsoft 365 is allowed to be transferred to third countries, reducing the chance those transfers go to third countries not covered by adequacy decisions.
The EDPS closed its enforcement proceedings. It noted that the EC has made its improvements available to other EU agencies and bodies that use Microsoft 365 under the same contract, and it urged those bodies to implement similar measures.
Closure of the investigation doesn't mean that the EDPS has confirmed the EC's overall compliance with the regulation, the watchdog noted.