EDPS decision poses challenges for the use of cloud services

UK organisations that are directly subject to the EU GDPR need to be aware of this position as it may be replicated by some EU DPAs. By Emma Erskine-Fox of TLT.

It is not often that the EU institutions, themselves tasked with legislating for data protection, come under fire for their data protection practices. But on 11 March 2024, the European Data Protection Supervisor (EDPS) issued a decision (the Decision) imposing corrective measures on the European Commission (EC). An investigation found that the EC had infringed several provisions of Regulation (EU) 2018/1725 (the Regulation) in its use of Microsoft 365. The Regulation is the EU institutions’ version of the General Data Protection Regulation (GDPR); it is the data protection law that applies to EU institutions, bodies, offices and agencies. Many of the substantive obligations are broadly equivalent to their GDPR (and, by extension, UK GDPR) parallels.

Continue Reading

UK Report subscribers, please login to access the full article


If you wish to subscribe, please see our subscription information.