Microsoft 365 (formerly Office 365) is one of the most frequently used software solutions for German companies and numerous public authorities. The service offers your company or authority a variety of applications or apps that can help you to make communication and work in your teams, divisions or departments easier, faster and more convenient. However, using the service can be associated with various challenges, as the German data protection supervisory authorities have expressed criticism regarding its data protection-compliant use. This is due, among other things, to the fact that Microsoft is an American company and the national laws in the USA do not currently provide personal data protection comparable to that of EU law. We can advise you in connection with data protection for Microsoft 365 and help you with data protection-compliant integration in your company or authority.

Why is Microsoft 365 not unproblematic in terms of data protection law?

From a data protection perspective, the use of Microsoft 365 entails certain risks for companies and authorities, which is why the use of the software has come under increasing criticism. For example, an assessment report (from 11/2022) by the independent German data protection supervisory authorities of the federal and state governments (DSK) expresses concerns about the application's data protection compliance. In view of the ongoing criticism from the data protection supervisory authorities, Microsoft has repeatedly made changes to its contracts and the design of its services, but these have not yet allayed the authorities' concerns. The main data protection risk to which your company or authority may be exposed is a GDPR breach. Such a breach can result in warnings and fines.

Learn more about the EU standard data protection clause for the international transfer of data and about legal protection in the event of surveillance mechanisms by US security authorities (only available in German).

As a company or public authority in Germany, it is therefore not easy for you to use Microsoft 365 in compliance with data protection regulations and to provide your employees with the market-leading applications or apps.

Using Microsoft 365 in compliance with data protection regulations?

Microsoft 365 offers your company or public authority a wide range of applications or apps that can help you to make communication and work in your teams, divisions or departments easier, faster and more convenient. However, in order to come closer to the German requirements regarding the handling of personal data, the American company repeatedly has to make changes to its own data protection regulations. Here, Microsoft provides a statement on what personal data is collected by Microsoft devices, software and services and how and for what purpose the company stores it. It has not yet been legally clarified whether these measures can eliminate the uncertainties in connection with data transfers between Europe and the USA.

Why do you need data protection advice on Microsoft 365?

Microsoft 365 is an established standard for office work in Germany, but it cannot easily be used in a GDPR-compliant manner. There are no sufficient recommendations from the supervisory authorities on how Microsoft 365 can be used in compliance with data protection law, as GDPR-compliant use always depends on the individual case. A GDPR-compliant implementation of the application can be highly complex, depending on the company.

Leave this task to us. We help you to use Microsoft 365 services for your business as securely and in compliance with data protection regulations as possible, so that you can assess unnecessary risks and reduce them through technical and organizational measures.

Our services for you so that your company or public authority can use Microsoft 365 in compliance with data protection regulations in Germany

Our experienced lawyers will show you quick and uncomplicated ways to use Microsoft 365 in compliance with data protection regulations:

  • Comprehensive advice on technical data protection-friendly integration in cooperation with our IT experts
  • Review of the contracts provided by Microsoft
  • Implementation of data protection impact assessments
  • Drafting the entries for your record of processing activities so that you fully comply with your accountability and documentation obligations
  • Preparation of legal opinions, e.g., for submission to your works council
  • Support in responding to official inquiries regarding the use of Microsoft 365

Your benefits:

  • Fast, pragmatic and direct advice
  • Individually tailored to your company's needs in close cooperation with our IT experts
  • Experienced team with longstanding expertise

Dr. Christian Engelhardt, LL.M.

Partner

Attorney-at-Law (Rechtsanwalt)


Further services in the field of Data Protection Law

Companies with 20 or more employees are required to appoint a data protection officer. As an external data protection officer, we support you with our expertise in all data protection issues.

The appointment of an external data protection officer has various advantages for companies:

  • No costs and time spent on the necessary qualification
    As external data protection officers, we already have the legal and technical knowledge to perform this role.
  • No protection against dismissal
    Internal data protection officers enjoy protection against dismissal comparable to that of a works council.
  • No organizational blindness
    The external data protection officer can assess data protection in your company without bias.
  • Personnel resources
    Your employees do not have to be removed from their actual jobs for data protection officer tasks.
  • A wealth of experience
    As an external data protection officer, we can draw on a wealth of experience from our ongoing data protection consulting.
  • Independence
    As an external data protection officer, we are perceived as independent both internally and externally by data protection authorities.
  • Neutral position
    The data protection officer can mediate between the company, the works council and the employees.
  • Standardization
    We can provide data protection officers throughout the Group. This standardizes processes and helps you keep an overview.
  • Wide reach
    We can even provide data protection officers throughout the EU.

As data protection officers, we support you in setting up and implementing a GDPR-compliant data protection organization in your company. All of our consultants are licensed attorneys who additionally practice in labor law or IT law, two areas of law with the greatest points of contact with data protection law.

  • Data protection audit
    At the beginning of our work, we conduct a detailed data protection audit at your company and draw up a list of measures. The audit includes an on-site inspection of the company and a review of the technical and organizational measures.
  • Ongoing consulting
    As part of ongoing consulting, we work with you to implement the list of measures and support you in all data protection issues.
  • Review of websites and online shops
    We check your websites and online shops for data protection compliance and inform you about changes relevant to you.
  • Control of processors
    Anyone who uses processors in the company must monitor them accordingly. As data protection officers, we conduct the initial check for you and, if necessary, all further checks, including on-site checks.
  • Employee data protection
    In the employment relationship, further regulations on employee data protection apply in addition to the general data protection regulations. Here, too, we provide you with the relevant templates, fact sheets or checklists.

Since the introduction of the GDPR in May 2018, controllers have been subject to a large number of documentation and verification obligations. As external data protection officers, we support you in creating and updating the documents relevant to you:

  • Data protection concept
  • Processing lists, retention and deletion concepts, IT usage guidelines
  • Data protection impact assessments (e.g., for video surveillance)
  • Fact sheets in the area of personnel data processing

We offer training for employees and managers that is tailored specifically to your company and your needs. Training courses can be held annually or on an as-needed basis. We will be happy to coordinate the specific content of the training with you. Possible topics include:

  • General employee training
    Create a basic understanding of data protection, related requirements and best practices among all your employees for a consistently high level of data protection in your company.
  • IT department
    Employees in IT departments are often involved with data protection issues. Topics of training include data protection through technical and organizational measures, data protection-friendly settings of programs and authorization concepts. Dealing with data breaches can also be the subject of training.
  • Human resources department
    The HR department also encounters data protection issues on an ongoing basis. In particular, sensitive personal data such as health data (e.g., severe disability or sick leave) or trade union membership is regularly processed in the HR department. Due to the amount and type of data processed, it makes sense to train employees on a regular basis.
  • Works Council
    As part of its participation rights, the works council has comprehensive access rights to employee data and may also use this data for its own purposes; however, the employer remains the controller. It therefore makes sense for companies to offer regular training in data protection issues to works council members.