EDPS closes case: Commission and Microsoft 365 under EU rules
On 11 July 2025 the European Data Protection Supervisor (EDPS) closed enforcement proceedings against the European Commission over Microsoft 365. The Commission had remedied breaches of EU institutions’ data rules — especially transfers of personal data outside the European Economic Area.
In short: not "SCCs are enough", but purpose limitation, restricted transfers, and notice of data access requests.
What the dispute was about
In March 2024 the EDPS found gaps: unclear processing purposes, third-country transfers without adequate safeguards, and weak control over who could request access. The fix involved tighter Microsoft contracts and technical limits, not standard contractual clauses on paper alone.
Lessons for your organisation
If you use US SaaS, ask the same questions: where data lives, who holds the keys, what happens on third-country access requests, and whether you have audit logs. For many teams, European storage (e.g. Nextcloud) plus limited use of global suites where it fits is the sensible mix.