European Commission found in violation of EU law over Microsoft 365 use

The European Commission’s use of Microsoft 365 is in breach of EU privacy rules, the European Data Protection Supervisor (EDPS) said on Monday.

In a statement, the EDPS said that it had found that the commission had infringed several parts of the EU’s data protection law for EU institutions, bodies, offices and agencies (EUIs), including those on transfers of personal data outside the EU/European Economic Area (EEA).

It said that the commission had failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded a level of protection essentially equivalent to that guaranteed in the EU/EEA, and that it had failed to specify, in its contract with Microsoft, what types of data are to be collected and for what purpose.

The European Commission has been ordered to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision, and to bring processing operations resulting from its use of Microsoft 365 into compliance. The EU has adequacy agreements with 16 countries including the UK and US.

The commission has been given a 9 December deadline to demonstrate compliance with both orders.

Wojciech Wiewiórowski, EDPS, said: “It is the responsibility of the EUIs to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI.”


