Microsoft Corp.’s licensing agreements with European Union authorities gave the U.S. tech giant free rein to oversee data processing activities for more than 45,000 EU officials, the institution’s own privacy watchdog warned.

The EU’s in-house data protection regulator said in its findings of a probe that institutions’ lack of control “over which sub-processors Microsoft used and lack of meaningful audit rights also presented significant issues.”

EU institutions should “carefully consider any purchases of Microsoft products and services or new uses of existing products and services until after they have analyzed and implemented the recommendations” of the European Data Protection Supervisor, the watchdog said.

The staff and agencies using the products “had insufficient clarity as to the nature, scope and purposes of the processing and the risks to data subjects to be able to meet their transparency obligations,” the EDPS, which acts independently of the EU bodies it oversees, said in the 29-page report on its findings.

The criticism over the use of Microsoft products is an unusual step for the body, which keeps a far lower profile than EU data privacy authorities who police the bloc’s tough rules at national level.

Microsoft said in an emailed statement that the company is “focused on helping all of our customers meet or exceed their data privacy obligations.”

“We know that ensuring strong privacy protections in practice depends on tech companies, businesses, regulators and institutions all working together,” Microsoft said. “We’re listening to our customers and to regulators, and will continue to make adjustments as legal interpretations of European privacy laws evolve. This includes alignment with the recent law designed for EU institutions.”