The European Commission violated EU data protection rules by using Microsoft 365

The European Commission, the European Union's regulator that often initiates investigations into large IT companies, has found itself on the other side of the barrier. The Commission used Microsoft 365 in its work, which, according to the European Data Protection Supervisor (EDPS), violated “several key data protection rules”, TechCrunch reports.

According to the EDPS, the EC “insufficiently specified what types of personal data and for what purposes are collected when using Microsoft 365”. The Commission is also accused of failing to ensure that data Microsoft sends outside the EU is as securely protected as it is inside the EU.

The EDPS requires the Commission to amend its contracts with Microsoft and include clauses setting out specific purposes and criteria for the collection of personal data. The contracts must also ensure that there is no further processing of the data, and that the data itself is processed by Microsoft or its affiliates and subcontractors only “in accordance with the Commission’s documented instructions.”

The EDPS requires the EC to change its use of Microsoft 365 by 9 December 2024. The European Commission said that it complies with “the applicable data protection rules both de facto and by law” and that “various improvements” have already been made to the EC’s work as a result of the EDPS investigation.

In July 2023, the EC opened an investigation into Microsoft, prompted by Salesforce’s complaint about the integration of Teams software with Microsoft 365. After the investigation was announced, Microsoft said that it would offer Teams as a separate service from Microsoft 365 in the EU and Switzerland from October 1, 2023. The investigation is still ongoing.
