European Union citizens, luckily for us, have European Data Protection Supervisorand the European Commission ensures that what is set out in this legal framework is strictly adhered to and relies on the EDPS to verify that there are no breaches in this regard. Regulators, as you know, are watching all the time (or at least they should) and in every direction. Not for nothing, one of the ways to call them in the Anglo-Saxon world is guard dogsi.e. guard dogs.

Well, here we have news that is both good and bad, depending on the interpretation we want to make of it. The positive reading is that the EDPS has shown enough evidence that he does not limit his duties, even if this could be interpreted as biting the hand that feeds him, a real example worthy of emulation. The bad news according to the regulator itself is that The European Commission has violated the Data Protection Act for EU bodies and institutions.

The problem stems from the fact that the European Commission uses Microsoft 365, a set of tools that, although fully adapted to the GDPR, has some shortcomings in relation to the regulations it specifically regulates. , the level of protection of all entities associated with the EU. AND However, it is important to focus on this pointbecause the European Union introduces stricter regulations for its addictions than the general ones.

The problem, according to the investigation carried out by the EDPS, is that the European Commission has violated several provisions of Regulation (EU) 2018/1725, of which those related to transfers of personal data outside the EU, an issue that, as you know, has been upsetting American tech companies for quite a few years now. And in this sense, the regulations require that these transfers of community data be guaranteed the same level of protection that data enjoys in the common space. Here’s how it’s explained in the official statement:

«In particular, the Commission has not provided adequate safeguards to ensure that personal data transferred outside the EU/EEA receives a level of protection that is in principle equivalent to the level of protection guaranteed in the EU/EEA. In addition, the Commission did not sufficiently specify in its contract with Microsoft what types of personal data should be collected and for what explicit and specific purposes when using Microsoft 365. The infringements by the Commission as a data controller also relate to data processing, including the transfer of personal data , carried out in her own name.»

The European Data Protection Supervisor therefore obliges the European Commission to suspend all data flows resulting from your use of Microsoft 365 to Microsoft and its subsidiaries located in non-EU countries that are not covered by the adequacy decision, that is, they do not guarantee an adequate level of protection. Of course, the regulator granted a deadline of December 9, 2024so that they can carry out all the necessary tasks to solve the problem without affecting the work of the Commission.