The European Commission has announced that it has brought its Microsoft 365 system into compliance with the EU data protection rules, specifically Regulation (EU) 2018/1725. This significant achievement follows enforcement proceedings and a thorough investigation by the European Data Protection Supervisor (EDPS).
The EDPS had previously identified several legal infringements in March 2024, and the Commission has stated it has implemented key improvements:
- Clearly defining the purposes for processing personal data.
- Ensuring that Microsoft handles data solely based on documented instructions.
- Strictly controlling international data transfers, limiting transfers outside the EU/EEA to countries with equivalent protection or to those made under specific public interest derogations.
- Enhancing contractual provisions to ensure the Commission is properly notified of any data disclosure requests.
EDPS Supervisor Wiewiórowski commended the joint effort, highlighting it as a "meaningful and shared success." This compliance sets a strong precedent, and the EDPS urges other EU institutions using Microsoft 365 to adopt similar robust data protection measures.