The European Medicines Agency (EMA) has published a record of data processing activity (EMA/188186/2023, version 2, 21 April 2026) for its use of Microsoft applications OneDrive, Outlook 365, Teams, and SharePoint. The document outlines purposes including collaboration, storage, electronic communications, telephone calls (PSTN), audio/video meetings with recording, and appointment booking. It affects EMA staff, contractors, national competent authorities, international partners, and experts.

Document Details and Scope

The record, issued by the EMA's data protection office, is a mandatory transparency document under the EU Data Protection Regulation (EUDPR). It covers four Microsoft 365 services used daily by the agency. The document is a record of processing activity, not a new policy, but it provides the first consolidated public overview of data flows, retention rules, and safeguards for these tools.

Data Categories and Retention Periods

Data categories include usernames, email addresses, IP addresses, profile photos, shared content, call recordings, chat transcripts, and diagnostic data. Retention periods vary: account data is deleted 30 days after deactivation (15 days for OneDrive), call recordings are retained 28 days, ad-hoc chats 6 months, and meeting recordings default to 30 days. Recipients include EMA administrators and Microsoft sub-processors (Databricks, Akamai, Scuba Analytics, contract staff) with pseudonymised data.

International Transfers and Safeguards

Transfers outside the EU/EEA occur for security operations. Safeguards include the EU-U.S. Data Privacy Framework and Standard Contractual Clauses. Security measures include multi-factor authentication and encryption.

Impact on Stakeholders

For EMA staff and external collaborators, the document clarifies data handling practices, enhancing transparency but also highlighting that call recordings and chat logs are retained for defined periods. National competent authorities and experts sharing data via these tools now have clearer visibility into processing. The record imposes no new obligations but serves as a reference for data protection officers auditing compliance. The trade-off is between operational efficiency (collaboration tools) and data minimisation (retention limits).

Institutional Follow-Up

The EMA will update the record as processing changes. The European Data Protection Supervisor may review compliance. No further action is required from stakeholders, but the document supports accountability under EUDPR.
