EDPS - 2021-0518
EDPS reprimands EU Commission over Microsoft 365 data processing violations and suspends third-country data flows.
Summary
The European Data Protection Supervisor (EDPS) issued a reprimand against the European Commission for non-compliant processing of personal data through Microsoft 365. The decision found that Microsoft's 'EU storage guarantee' and 'EU Data Boundary' contain numerous exceptions allowing data access from third countries, and that the Commission failed to ensure proper data transfer safeguards under GDPR articles. The EDPS suspended data flows to countries without adequacy decisions effective December 9, 2024.
Full text
Help EDPS - 2021-0518: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 15:26, 22 July 2024 view sourceLm (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators364 editsmTag: Visual edit← Older edit Latest revision as of 12:54, 17 July 2026 view source Ds (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators216 editsm Tag: Visual edit Line 41: Line 41: |GDPR_Article_Link_6=|GDPR_Article_Link_6= |EU_Law_Name_1= Article 9 of Regulation (EU) 2018/1725 as specific rule for EU institutions|EU_Law_Name_1= Article 9 Regulation (EU) 2018/1725 |EU_Law_Link_1=https://eur-lex.europa.eu/eli/reg/2018/1725/oj|EU_Law_Link_1=https://eur-lex.europa.eu/eli/reg/2018/1725/oj |EU_Law_Name_2=Articles 4(1)b, 6, 29 and 48 of Regulation (EU) 2018/1725 corresponding to the above articles of the GDPR|EU_Law_Name_2=Article 4(1)b Regulation (EU) 2018/1725 |EU_Law_Link_2=https://eur-lex.europa.eu/eli/reg/2018/1725/oj|EU_Law_Link_2=https://eur-lex.europa.eu/eli/reg/2018/1725/oj |EU_Law_Name_3=Articles 4(2), 26(1) and 46 of Regulation (EU) 2018/1725|EU_Law_Name_3=Article 4(2) Regulation (EU) 2018/1725 |EU_Law_Link_3=https://eur-lex.europa.eu/eli/reg/2018/1725/oj|EU_Law_Link_3=https://eur-lex.europa.eu/eli/reg/2018/1725/oj |EU_Law_Name_4=|EU_Law_Name_4=Article 6 Regulation (EU) 2018/1725 |EU_Law_Link_4=|EU_Law_Link_4=https://eur-lex.europa.eu/eli/reg/2018/1725/oj |EU_Law_Name_5=|EU_Law_Name_5=Article 29 Regulation (EU) 2018/1725 |EU_Law_Link_5=|EU_Law_Link_5=https://eur-lex.europa.eu/eli/reg/2018/1725/oj |National_Law_Name_1=|National_Law_Name_1= Line 71: Line 71: |Initial_Contributor=lszabo|Initial_Contributor=lszabo || }}|EU_Law_Name_6=Article 48 Regulation (EU) 2018/1725|EU_Law_Link_6=https://eur-lex.europa.eu/eli/reg/2018/1725/oj|EU_Law_Name_7=Article 26(1) Regulation (EU) 2018/1725|EU_Law_Link_7=https://eur-lex.europa.eu/eli/reg/2018/1725/oj|EU_Law_Name_8=Article 46 Regulation (EU) 2018/1725|EU_Law_Link_8=https://eur-lex.europa.eu/eli/reg/2018/1725/oj}} The EDPS reprimanded the Commission and ordered to bring processing related to use of Microsoft 365 in line with EU data protection rules and suspended the data flows to countries for which there is no adequacy decision with effect 9th December 2024The EDPS reprimanded the Commission and ordered to bring processing related to use of Microsoft 365 in line with EU data protection rules and suspended the data flows to countries for which there is no adequacy decision with effect 9th December 2024 Line 112: Line 112: Another issue was that the “EU storage guarantee” offered by Microsoft did not cover all types of data. Some data may be accessible to recipients in third countries. The “EU Data Boundary” also has numerous exceptions and exclusions which cover customer data, service generated data, diagnostic data and professional services data.Another issue was that the “EU storage guarantee” offered by Microsoft did not cover all types of data. Some data may be accessible to recipients in third countries. The “EU Data Boundary” also has numerous exceptions and exclusions which cover customer data, service generated data, diagnostic data and professional services data. <u>Further unauthorised disclosure or personal data:</u> A specific reference was made to Article 9, which concerns transmission of personal data by EU institutions to recipients established in the EU. According to the EDPS, this article is also applicable to transmission of personal data to processors of EUIs. Therefore all transmission of personal data should be in the public interest and if the data subject’s legitimate interests may be prejudiced, the controller has to weigh the competing interests and establish that it is proportionate to transmit the personal data. The purpose of management and functioning of the Commission, use of products the staff is familiar with etc. was not found to be the purpose of processing of the personal data by MS. As long as the purposes are not specified, specific and explicit, it is not possible to do this balancing. <u>Further unauthorised disclosure or personal data:</u> A specific reference was made to Article 9 Regulation (EU) 2018/1725, which concerns transmission of personal data by EU institutions to recipients established in the EU. According to the EDPS, this article is also applicable to transmission of personal data to processors of EUIs. Therefore all transmission of personal data should be in the public interest and if the data subject’s legitimate interests may be prejudiced, the controller has to weigh the competing interests and establish that it is proportionate to transmit the personal data. The purpose of management and functioning of the Commission, use of products the staff is familiar with etc. was not found to be the purpose of processing of the personal data by MS. As long as the purposes are not specified, specific and explicit, it is not possible to do this balancing. In addition, the EDPS found that the Commission did not ensure that transfers take place “solely to allow tasks within the competence of the controller to be carried out”.In addition, the EDPS found that the Commission did not ensure that transfers take place “solely to allow tasks within the competence of the controller to be carried out”. Line 121: Line 121: == Comment ==== Comment == Although reference to the limitation of transmission of personal data to recipients subject to the GDPR, based on Article 9 EUDPR is specific to EU institutions, there are points of general interest:Although reference to the limitation of transmission of personal data to recipients subject to the GDPR, based on Article 9 Regulation (EU) 2018/1725 is specific to EU institutions, there are points of general interest: - precise definition of data transmitted to or accessed by processors and the purposes for which they are used- precise definition of data transmitted to or accessed by processors and the purposes for which they are used - processors should only use data for the purposes of the controller even when improving services or ensuring security, if this is not the case, they are controllers- processors should only use data for the purposes of the controller even when improving services or ensuring security, if this is not the case, they are controllers Latest revision as of 12:54, 17 July 2026 EDPS - 2021-0518 Authority: EDPS Jurisdiction: European Union Relevant Law: Article 5(1)(b) GDPR Article 6(4) GDPR Article 28 GDPR Article 46 GDPR Article 9 Regulation (EU) 2018/1725Article 4(1)b Regulation (EU) 2018/1725Article 4(2) Regulation (EU) 2018/1725Article 6 Regulation (EU) 2018/1725Article 29 Regulation (EU) 2018/1725Article 48 Regulation (EU) 2018/1725Article 26(1) Regulation (EU) 2018/1725Article 46 Regulation (EU) 2018/1725 Type: Investigation Outcome: Violation Found Started: 12.05.2021 Decided: 08.03.2024 Published: 08.03.2024 Fine: n/a Parties: European Commission National Case Number/Name: 2021-0518 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): English Original Source: EDPS decision (in EN) Initial Contributor: lszabo The EDPS reprimanded the Commission and ordered to bring processing related to use of Microsoft 365 in line with EU data protection rules and suspended the data flows to countries for which there is no adequacy decision with effect 9th December 2024 Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Following an investigation in 2019-2020, the EDPS issued recommendations and the Commission modified the ILA. The EDPS investigated whether these modifications were sufficient to bring processing in compliance with data protection requirements and found infringements. Data accessed by Microsoft include identity and contact data of users (when signing on to the service and when check