On 11 July 2025, the European Data Protection Supervisor (EDPS) concluded its compliance review of the order concerning the European Commission's use of Microsoft 365. The EDPS identified three contractual, technical, and organisational changes that bring the Commission’s use of the service into compliance with data protection rules. First, the Commission clarified the specific categories of personal data processed through Microsoft 365 and the purposes of the processing. Second, it identified the recipients in third countries to whom personal data may be transferred and issued binding instructions to Microsoft regarding such transfers. Third, the Commission amended its contract with Microsoft to ensure that personal data processed within the EEA can only be disclosed if required by EU or member state law. For data processed outside the EEA, only equivalent legal requirements in third countries may justify disclosure. The Commission has confirmed that Microsoft and its sub-processors are prohibited from disclosing personal data unless legally required under these conditions.