The European Commission (EC) has violated several key data protection rules in its use of Microsoft 365 regarding the transfer of people's personal data from Europe to other regions not covered by EU data-protection laws, a key European privacy watchdog found.

The European Data Protection Supervisor (EDPS) on Tuesday chastized the EC after finding it did not take proper protective measures when sending personal data outside the EU and European Economic Area (EEA) when using the cloud-based app.

In addition, the EC failed to specify in its contract with Microsoft "what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365," according to an EDPS statement.

The findings - the result of a three-year investigation that began in 2021 - suggest like tech giants, even trusted government entities that should have data privacy as a top priority don't necessarily keep the data they collect safe.  

"It is the responsibility of the EU institutions, bodies, offices, and  agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures," EDPS Supervisor Wojciech Wiewi