EU data protection authorities are investigating whether the European Commission and other EU institutions comply with the bloc's strict data privacy rules in their software deals with Microsoft.
The 28-country European Union adopted the landmark General Data Protection Regulation (GDPR) about a year ago, giving Europeans more control over their online information and privacy enforcers the power to impose hefty fines.
The European Data Protection Supervisor (EDPS), which monitors the bloc's 70 institutions on their GDPR compliance, launched its investigation on Monday.
The probe will look into the Microsoft products and services used by the institutions and whether the contractual agreements between them and the U.S. software company are GDPR-compliant.
"When relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf," said Assistant EDPS Wojciech Wiewiorowski.
"They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks," he said.
The EDPS can impose fines up to 50,000 euros for each infringement.
Microsoft said it was ready to assist its customers in the EDPS investigation.
"We are committed to helping our customers comply with GDPR, Regulation 2018/1725, and other applicable laws and are confident that our contractual arrangements allow customers to do so," Microsoft said.
The EDPS said some of the data protection worries could be similar to Dutch concerns raised in November about the data collected through Microsoft ProPlus, which includes popular software such as Microsoft Word writing software and Microsoft Outlook email.
The concern related to information stored in a database in the United States in a way that the Netherlands said posed major risks to users' privacy. The company subsequently made some changes to comply with EU rules.
(Reporting by Francesco Guarascio; Editing by Alissa de Carbonnel, Susan Fenton and Frances Kerry)