EU Commission found to have broken data protection rules with Microsoft software

By

Sharecast News | 11 Mar, 2024

The European Commission's use of Microsoft 365 was found to have infringed data protection law, according to a ruling announced on Monday by the continent's privacy watchdog.

The European Data Protection Supervisor (EDPS) said the EC had infringed "several provisions" of data protection laws for EU institutions, bodies, offices and agencies, including those on transfers of personal data outside the EU and European Economic Area.

"In particular, the Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA," the EDPS said in a statement.

The EC also didn't sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365.

The watchdog said the EC must suspend all data flows resulting from its use of Microsoft 365 to Microsoft before 9 December and bring its processes in line with EU regulations.

Wojciech Wiewiórowski, the head of the EDPS, said: “It is the responsibility of the EU institutions, bodies, offices and agencies to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures.

"This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI."

Last news