
In March 2024, the European Data Protection Supervisor (EDPS) concluded an investigation into the European Commission's use of Microsoft 365, revealing multiple infringements of EU data protection laws. The EDPS found that the Commission failed to provide adequate safeguards for personal data transferred outside the EU/EEA, and that its contract with Microsoft did not specify the types of personal data collected or the explicit purposes for collecting them. Consequently, the EDPS ordered the Commission, by December 9, 2024, to suspend all data flows to Microsoft and its affiliates located in non-EU/EEA countries not covered by an adequacy decision, and to bring its data processing operations into compliance with Regulation (EU) 2018/1725 by the same date. (edps.europa.eu)
By December 2024, the Commission submitted a compliance report to the EDPS, detailing measures taken to address the identified issues. The EDPS began reviewing this report to assess whether the Commission had met the requirements set forth in the March 2024 decision. (edps.europa.eu)
As of July 28, 2025, the EDPS has cleared the European Commission's use of Microsoft 365, indicating that the Commission has successfully implemented the necessary corrective measures to comply with EU data protection laws. However, the Commission remains concerned about its reliance on Microsoft 365, that is, about depending on a single vendor for critical digital services.
This development underscores the importance of robust data protection practices and the challenges institutions face in balancing operational efficiency with compliance. It also highlights the need for continuous evaluation of vendor relationships to mitigate risks associated with over-reliance on specific service providers.
Source: Inbox.lv, "EU’s privacy supervisor clears Commission’s use of Microsoft"