Microsoft 365 vs HubSecure: What Spanish CTOs Need to Know About Data Sovereignty

Post-Schrems II, the AEPD has flagged US cloud provider transfers as a compliance concern. Spanish companies relying on Microsoft 365 for regulated operations are carrying more risk than they realise.

By HubSecure Strategy

Microsoft 365 is the default enterprise productivity suite for thousands of Spanish companies. It works. The integration across email, calendaring, document storage, and video calls is genuinely useful. And for a large proportion of what most organisations do—internal communication, document collaboration, project tracking—it is a reasonable choice.

The problem is not Microsoft 365 as a productivity tool. The problem is using it as a compliance control plane for regulated operations in Spain—specifically for the processing of personal data subject to GDPR, sector-specific Spanish regulations, and the AEPD’s increasingly detailed guidance on international data transfers.

This article is not a takedown of Microsoft. It is an honest assessment of where Microsoft 365 creates structural compliance risk for Spanish organisations, and what a different approach looks like.

The Schrems II problem has not gone away

In July 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield framework in the Schrems II ruling. The court found that US surveillance law, in particular FISA Section 702 and Executive Order 12333, allows US agencies to access EU personal data held by US providers without protections essentially equivalent to those in EU law and without effective redress for the people concerned. A separate US statute, the CLOUD Act, lets US authorities compel US-headquartered providers to produce data they hold regardless of where it is physically stored. Taken together, this is why choosing an EU region of a US provider does not by itself remove the transfer risk.

Since Schrems II, the EU-US Data Privacy Framework (DPF) was adopted in July 2023 as a successor mechanism. Microsoft and other major US providers have certified under the DPF. On the surface, this resolves the Schrems II problem for data transfers from the EU to DPF-certified US providers.

On the surface.

In practice, the DPF's legal durability is contested. It has already been challenged before the EU courts, and Max Schrems's organisation noyb has said it will pursue a further challenge. The Irish DPC and the European Data Protection Board have both indicated that relying on the DPF alone carries forward-looking risk if it is invalidated in a third Schrems ruling. Spanish legal advisers increasingly flag DPF-reliant transfers as a risk to be actively managed rather than assumed resolved.

What the AEPD has said

The AEPD published guidance on international data transfers following Schrems II that is more prescriptive than the baseline recommendations from the EDPB. Spanish data controllers were advised to conduct a documented assessment of transfers to the US, considering whether the transferred data would be subject to US surveillance programme access.

For personal data categories that the AEPD considers high-sensitivity (health records, financial data, data relating to minors, and the special categories under Article 9 GDPR), the AEPD has signalled that reliance on Standard Contractual Clauses or the DPF alone, without a transfer impact assessment showing that the chosen transfer tool delivers essentially equivalent protection in practice, is insufficient.

The practical upshot: Spanish companies processing high-sensitivity personal data in Microsoft 365 without having conducted and documented a transfer impact assessment are in a compliance position that a competent AEPD inspector could challenge.

The five specific gaps in Microsoft 365 for Spanish regulated businesses

Gap 1: Transfer impact assessment documentation. Microsoft 365 provides DPA documentation and publishes its privacy practices. It does not produce a Transfer Impact Assessment customised to your processing activities, your data categories, and the specific AEPD guidance applicable to your sector. That assessment is your responsibility.

Gap 2: LOPDGDD-specific requirements. Spain’s Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales supplements GDPR with additional obligations—including employee monitoring restrictions, obligations toward data subjects in specific contexts, and enhanced requirements for certain sectors. Microsoft 365 does not configure itself to meet LOPDGDD-specific requirements. Your administrators must implement those configurations, and most have not done so systematically.

Gap 3: Audit evidence in regulatory format. When the AEPD requests evidence during an investigation, it requests specific documentation: consent records, rights response timelines, retention enforcement records, processor agreements with specific clauses. Microsoft 365’s audit logs and admin exports were not designed to produce AEPD-ready evidence packages. Producing them requires technical effort that most organisations cannot complete under the timelines of a regulatory investigation.

Gap 4: Retention enforcement. GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data be kept no longer than necessary for the purpose it was collected for. Microsoft 365 retention policies can enforce this, but the configuration is non-trivial: a rule must be scoped to the right locations and explicitly set to delete rather than only retain, the defaults are not GDPR-oriented, and the evidence of deletion is an audit log entry rather than a verifiable deletion certificate. Many Spanish companies using Microsoft 365 have never configured retention policies at all.
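As an added example (not code from this post or from HubSecure), the following PowerShell shows what closing Gaps 3 and 4 on the Microsoft side actually involves: a retention policy scoped to where the regulated data lives, a rule that deletes rather than only retains, a read-back check of what was created, and an export of the unified audit log entries that record the change, using the ExchangeOnlineManagement module. The tenant, admin UPN, SharePoint site, mailbox, policy name and five-year window are assumptions for illustration; the account is assumed to hold the Compliance Administrator role and unified audit logging is assumed to be enabled for the tenant.

```powershell
# Added example, not from the original post or from HubSecure.
# Assumes: ExchangeOnlineManagement module installed, an account holding the
# Compliance Administrator role, and unified audit logging already enabled.
# The UPN, site URL, mailbox, policy name and retention window are illustrative.

Import-Module ExchangeOnlineManagement

$admin        = 'compliance-admin@contoso.onmicrosoft.com'   # assumed UPN
$policyName   = 'GDPR-HR-Records-5y'                           # assumed policy name
$retainDays   = 5 * 365                                        # assumed storage-limitation window
$hrSite       = 'https://contoso.sharepoint.com/sites/HR'     # assumed SharePoint site
$hrMailbox    = 'hr@contoso.com'                               # assumed shared mailbox
$evidenceFile = Join-Path $PWD "retention-evidence-$(Get-Date -Format yyyyMMdd).csv"

# --- Gap 4: retention that deletes, scoped to the regulated data rather than the whole tenant ---
Connect-IPPSSession -UserPrincipalName $admin   # Security & Compliance PowerShell endpoint

New-RetentionCompliancePolicy -Name $policyName `
    -SharePointLocation $hrSite `
    -ExchangeLocation $hrMailbox `
    -Enabled $true | Out-Null

# -RetentionComplianceAction Delete is what removes content at the end of the period.
# Keep would hold it indefinitely, which satisfies nothing under Article 5(1)(e).
New-RetentionComplianceRule -Policy $policyName `
    -RetentionDuration $retainDays `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction Delete | Out-Null

# Read back what was created instead of trusting that the call succeeded.
# This is the configuration an inspector would ask you to show.
$rule = Get-RetentionComplianceRule -Policy $policyName
if ($rule.RetentionComplianceAction -ne 'Delete' -or "$($rule.RetentionDuration)" -ne "$retainDays") {
    throw "Retention rule for '$policyName' does not match the intended configuration"
}
$rule | Format-List Name, RetentionDuration, ExpirationDateOption, RetentionComplianceAction

# --- Gap 3: turn the admin-console record into an evidence file ---
Connect-ExchangeOnline -UserPrincipalName $admin  # Search-UnifiedAuditLog lives on this endpoint

# Audit operation names for retention changes mirror the cmdlet names.
$ops = 'NewRetentionCompliancePolicy', 'NewRetentionComplianceRule',
       'SetRetentionCompliancePolicy', 'SetRetentionComplianceRule',
       'RemoveRetentionCompliancePolicy', 'RemoveRetentionComplianceRule'

$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -Operations $ops -ResultSize 5000

# Flatten the AuditData JSON so the CSV is readable without the console.
# Assumes the cmdlet audit record carries a Parameters array of Name/Value pairs.
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Timestamp  = $_.CreationDate
        Actor      = $_.UserIds
        Operation  = $_.Operations
        Target     = ($d.Parameters | Where-Object Name -eq 'Name').Value
        Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        RecordId   = $_.Identity
    }
} | Export-Csv -Path $evidenceFile -NoTypeInformation -Encoding UTF8

Write-Host "Wrote $($events.Count) audit records to $evidenceFile"

Disconnect-ExchangeOnline -Confirm:$false
```

Two points worth noting. The read-back check matters because a retention rule that sets a duration without a delete action is a retention control, not a deletion control, and the difference only shows up when someone inspects the rule. And the CSV is still only an audit trail of the configuration change: it proves the policy was set, not that any particular record was destroyed, which is the gap the deletion-certificate point above is about.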

Gap 5: ENS compliance for public sector suppliers. Spanish companies providing services to public administration are increasingly required to achieve ENS certification. Microsoft 365 itself holds ENS certification for its infrastructure. Your use of Microsoft 365 does not make your organisation ENS-certified. The ENS controls covering access management, incident response, and audit logging must be implemented by your organisation, whether or not Microsoft is the underlying platform.

What the comparison looks like in practice

| Capability | Microsoft 365 | HubSecure |
| --- | --- | --- |
| Data residency configuration | EU region available; default varies | Documented per-jurisdiction control |
| Transfer impact assessment support | Vendor publishes DPA; TIA is customer responsibility | Built-in transfer mapping and documentation |
| AEPD-ready evidence export | Admin logs require extraction and formatting | Structured audit exports in regulatory format |
| Retention enforcement | Configurable but complex; requires admin expertise | Policy-driven with deletion certificates |
| Data subject rights management | No rights workflow in the base suite; subject rights requests need the separately licensed Priva add-on | Structured rights request process with audit trail |
| ENS control mapping | Platform holds ENS certification; customer controls are separate | Controls map to ENS requirements |
| Post-quantum encryption | On the roadmap; not yet default | ML-KEM-768 deployed |
| Consent management | Not included | Native consent capture and record |

The right architecture for Spanish organisations

The organisations managing this well have not replaced Microsoft 365. They have separated their infrastructure by function:

Microsoft 365 for productivity. Email, calendar, internal team collaboration, Office document editing, and low-sensitivity internal communications. Kept to that scope, this use case does not create significant regulatory risk, and Microsoft 365 handles it well.

HubSecure for regulated operations. Customer data, GDPR-sensitive personal information, AML files, legal documents, HR records, financial client data, any data subject to AEPD enforcement interest. This layer has explicit transfer controls, structured audit trails, retention enforcement with deletion certificates, and rights management workflows.

This separation also simplifies your relationship with the AEPD. The compliance control plane, the system that generates the evidence, is separate from the productivity tooling. When a complaint investigation begins, the evidence comes from HubSecure rather than being reconstructed from a Microsoft admin console under investigation deadlines.

The honest bottom line

If your Spanish company uses Microsoft 365 exclusively, you are not automatically non-compliant. The framework permits use of US cloud providers under the DPF with appropriate safeguards. Many Spanish companies are managing this reasonably well.

But if you are processing significant volumes of personal data, operating in a regulated sector, subject to AEPD enforcement interest, a supplier to Spanish public administration, or processing data categories the AEPD treats as high-sensitivity—the question is not whether Microsoft 365 can be made to work. The question is whether the compliance posture it enables is the one your organisation actually needs.

For regulated operations, the answer is almost always that a separate, compliance-native platform is not a luxury. It is the only way to generate the evidence that makes regulatory examinations straightforward rather than stressful.