European Commission brings use of Microsoft 365 into compliance with data protection rules for EU institutions and bodies
30th July 2025
Following enforcement proceedings by the European Data Protection Supervisor (EDPS), the European Commission has demonstrated compliance with Regulation (EU) 2018/1725 in relation to its use of Microsoft 365 as examined by the EDPS.

This follows the EDPS’ Decision of 8 March 2024, which identified a number of infringements and imposed corrective measures on the Commission.
The key improvements and compliance measures applied by the Commission include:
Purpose Limitation: The Commission has explicitly specified the types of personal data processed and the purposes of processing in its use of Microsoft 365.
Transfers to Third Countries: The Commission has also determined the specific recipients and purposes for which personal data in its use of Microsoft 365 is allowed to be transferred, and ensured compliance with Article 47 of Regulation (EU) 2018/1725. This is complemented by technical and organisational measures implemented by the Commission and Microsoft, thereby reducing the possibility of transfers to third countries not covered by an adequacy decision.
Disclosures and Notifications: Additional contractual provisions ensure that only EU or Member State law may require that Microsoft or its sub-processors omit notification to the Commission of disclosure requests for personal data in the Commission’s use of Microsoft 365 processed within the EEA, or that they disclose such data.
Further information can be found in the EDPS’ press release.
