EMA Publishes Data Protection Notice for Microsoft 365 Apps, Detailing Cross-Border Data Transfers

The European Medicines Agency (EMA) has published a data protection notice (EMA/188185/2023 Rev.2) detailing the processing of personal data when using Microsoft applications: OneDrive, Outlook 365, Teams, and SharePoint. The document, released on 28 April 2026, outlines EMA's compliance with Regulation (EU) 2018/1725 (EUDPR) and aims to inform users about data processing for collaboration, communication, and storage purposes within the European medicines regulatory network.

The notice specifies that data processed includes usernames, emails, IP addresses, profile photos, chat messages, call recordings, and customer data. The legal basis for processing is Article 5(1)(a) EUDPR, which covers tasks carried out in the public interest. Data is stored primarily in the EU/EEA but may be transferred to the UK, US, Israel, India, and Australia under safeguards such as the EU-U.S. Data Privacy Framework and Standard Contractual Clauses.

The notice primarily affects EMA staff, contractors, and external experts who use Microsoft 365 tools. For these users, the notice provides transparency on data handling and cross-border transfers, which may raise privacy concerns due to transfers to non-EU countries. However, the safeguards in place aim to mitigate risks. The notice does not impose new obligations but clarifies existing practices, ensuring compliance with EU data protection rules.

As a regulatory notice, no immediate institutional follow-up is expected. The EMA will likely update the notice if data processing practices or legal frameworks change. The document serves as a reference for data subjects to exercise their rights under the EUDPR.