European Commission brings use of Microsoft 365 into compliance with data protection rules for EU institutions and bodies
Following enforcement proceedings by the European Data Protection Supervisor (EDPS), the European Commission has demonstrated compliance with Regulation (EU) 2018/1725 in relation to its use of Microsoft 365 as examined by the EDPS. This follows the EDPS’ Decision of 8 March 2024, which identified a number of infringements and imposed corrective measures on the Commission.
After receiving a compliance report in December 2024, the EDPS held several discussions with the Commission services to obtain necessary clarifications. On that basis, and in particular following the Commission’s letter of 3 July 2025 on additional measures implemented and scheduled by the Commission and Microsoft, the EDPS has concluded in his letter of 11 July that the infringements identified in the EDPS’ 2024 Decision have been remedied.
Wojciech Wiewiórowski, Supervisor, said: “Thanks to our thorough investigation, and the Commission’s follow-up, we have jointly contributed to a significant improvement of data protection compliance in the Commission’s use of Microsoft 365. We also acknowledge and appreciate Microsoft’s efforts to align with the Commission’s requirements stemming from the EDPS decision of March 2024. This is a meaningful and shared success, and a strong signal of what can be achieved through constructive cooperation and effective supervision.”
