Microsoft’s flagship Office suite has been gathering user data in violation of the European Union’s GDPR, Dutch regulators have determined.

Telemetry harvested from Office 2016 and Office 365 (including the web-based version) included content from documents and email subject lines, and was sent to US-based servers without EU-based users being informed or asked for consent. The potential for confidential data to be collected and stored this way was of grave concern to the Dutch government, which itself uses Microsoft's applications.

Collecting diagnostic information is common practice among software developers, typically to keep a product working correctly. Microsoft gave the same justification for the collection singled out by the Dutch regulators, but the Ministry of Justice found that the "[d]ata provided by and about users was being gathered… and stored in a database in the U.S. in a way that posed major risk to users' privacy."

The audit found Microsoft's data collection to be problematic on several fronts, including "unlawful collection and storage of sensitive/classified/special categories of data," as well as "indefinite retention period of diagnostic data." Both run counter to the GDPR (its restrictions on processing special categories of data and its storage-limitation principle) and expose Microsoft to fines of up to 2% of worldwide annual turnover, rising to 4% for the most serious infringements.

Microsoft has agreed to work with regulators to bring its practices into compliance with the GDPR, and released a statement, saying: "We are committed to our customers' privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.

We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns.”