The European Commission violates GDPR rules
An investigation conducted by the EDPS (European Data Protection Supervisor) points out certain shortcomings of the European Commission. It has violated several data protection rules in its use of Microsoft 365 (a suite of Microsoft office software). Corrective measures have been addressed to the Commission.
Context of the Investigation
EU bodies and institutions, like private actors, are subject to the obligations of the GDPR (General Data Protection Regulation).
On May 27, 2021, following the Schrems II decision, the EDPS launched two investigations:
- One targeting the Cloud services of Microsoft and Amazon used by EU bodies and institutions.
- The other focusing on the use of Microsoft 365 by the European Commission.
The goal of these investigations: to ensure compliance of these institutions with the requirements of the Schrems II ruling. Particularly regarding the transfer of personal data outside the European Union, given that the examined services are provided by companies based in the United States.
Identified Violations
In a press release on February 11, 2024, the EDPS concluded that the use of Microsoft 365 by the European Commission was not compliant with data protection requirements.
The EDPS identified that:
- The Commission did not provide adequate guarantees for data transfers outside the EU in the context of using Microsoft 365.
- The contract between the Commission and Microsoft did not specify what types of personal data were collected, and for what purposes.
As a result, the Commission has until December 9, 2024, to suspend all transfers of personal data to Microsoft and its subsidiaries located in non-EU countries that are not compliant with the GDPR. It is also required to bring all data processing resulting from its use of the Microsoft 365 suite into compliance.
References:
- European Data Protection Supervisor - European Commission’s use of Microsoft 365 infringes data protection law for EU institutions and bodies
- Reuters - EU Commission's use of Microsoft software breached privacy rules
[Photo Credit: Christophe Licoppe - European Commission]
Support us by sharing the article: