Proceedings closed: EU Commission fulfills data requirements for Microsoft 365
The EU Commission may use Microsoft 365, the data protection concerns have been resolved. The decisive factor is the EU data border.
(Image: iX)
- Stefan Hessel
The EU Data Protection Supervisor has officially ended the long-running enforcement proceedings against the EU Commission over data protection concerns regarding the use of Microsoft 365. In a letter signed on July 11, 2025, EU Data Protection Supervisor WiewiĂłrowski stated that the EU Commission had remedied all data protection deficiencies identified in March 2024. This means that the relevant requirements of the Data Protection Regulation for the EU institutions have been met.
After intensive negotiations and several improvements to the data protection clauses in the license agreement with Microsoft, the EU Commission now has sufficient control over the processing of personal data in the context of Microsoft 365, according to WiewiĂłrowski. In particular, the purposes of data processing have been specified, international data transfers have been restricted and clear contractual requirements for dealing with requests from authorities have been defined.
Data border works
According to the EU Data Protection Supervisor, the EU Data Boundary, which Microsoft has now implemented, is a key step forward. This is intended to minimize the transfer of personal data to third countries outside the European Economic Area (EEA). Furthermore, Microsoft may only disclose personal data to the EU Commission that is processed in the EEA without notification if this is expressly permitted under EU law or the law of the member states. Data processed outside the EEA may be disclosed if the third country offers an equivalent level of data protection.
Videos by heise
WiewiĂłrowski praises the constructive cooperation of all parties involved, including Microsoft. The procedure has led to a significant improvement in data protection when using Microsoft 365. The EU Data Protection Supervisor therefore calls on other EU institutions using or planning to use Microsoft 365 to follow the example of the EU Commission and take comparable measures. These are necessary in order to comply with data protection requirements.
(olb)
