A lengthy investigation into the European Union's use of Microsoft 365 has found the Commission breached the bloc's data protection rules through its use of the cloud-based productivity software.

Announcing its decision in a press release today, the European Data Protection Supervisor (EDPS) said the Commission infringed "several key data protection rules when using Microsoft 365".

"The Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365," the data supervisor, Wojciech Wiewiórowski, wrote, adding: "The Commission's infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf."

The EDPS has imposed corrective measures requiring the Commission to address the compliance problems it has identified by December 9 2024, assuming it continues to use Microsoft's cloud suite.

Microsoft and the Commission were contacted for a response to the EDPS' findings. But at the time of writing neither had responded.

The regulator, which oversees EU institutions' compliance with data protection rules, opened a probe of the Commission's use of Microsoft 365 and other U.S. cloud services back in May 2021.

At issue is how Microsoft processes the data of users of its cloud service. EU regulators have been flagging concerns about this for years, including in relation to the legal basis Microsoft claims for processing data; a lack of clarity and precision in the wording of its contracts for the product; and no technical safeguards being applied to ensure data is only being used for providing and maintaining the service.

When the EDPS opened the investigation there was also no data transfer agreement in place between the bloc and the U.S., following the striking down of the EU-U.S. Privacy Shield in July 2020.

A new transatlantic data transfer agreement was subsequently agreed and adopted, three years later (July 2023). But for much of the period the EDPS was investigating the Commission's use of Microsoft 365 there was no deal in place covering data transfers from the EU to the U.S. Yet use of Microsoft 365 routinely results in data flowing back to Microsoft's servers in the U.S.

On data transfers, the EDPS found the Commission failed to ensure adequate safeguards were applied to these data exports to ensure essentially equivalent protections for data were in place once it left the bloc.

The data supervisor has ordered the Commission to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located in countries outside the EU/EEA not covered by an EU adequacy decision on data transfers - again, with a deadline of December 9 for this.