The EDPS opened an investigation in April to assess whether contracts between Microsoft and EU institutions such as the European Commission fully complied with the bloc’s data protection rules.
“Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services”, the EDPS says in a statement.
The EU introduced new rules on data protection in 2018, known as GDPR, applicable to all companies operating in the bloc and designed to give individuals more control over their data and to create a more level playing field for businesses.
Microsoft said it was committed to helping customers comply with GDPR, Regulation 2018/1725 and other applicable laws.
“We are in discussions with our customers in the EU institutions and will soon announce contractual changes that will address concerns such as those raised by the EDPS.”
The EDPS has worked with the Dutch ministry of justice, which carried out risk assessments last June and found that public authorities in member states face similar issues.
The two have since set up a forum designed to establish fair rules for public administrations.
The EDPS said there is “significant scope” for improvement of contracts with influential software developers and that contractual terms and technical safeguards agreed between the Dutch ministry and Microsoft were a positive step forward.
The EDPS said such solutions should be extended to all public and private bodies in the EU and also to individuals.