- Reading time 3 Minutes
In November 2022, the Conference of Independent Federal and State Data Protection Supervisory Authorities (“DSK”) determined that Microsoft’s standard data processing agreement (hereinafter: “DPA”) for the use of “Microsoft 365” does not comply with the legal requirements. Several data protection supervisory authorities have now jointly drawn up a guideline for data controllers, thereby enabling them to adapt the DPA by means of supplementary agreements and thus ensure data protection-compliant use.
In particular, the guideline instructs the controller to do the following:
- The information “categories of personal data” and “categories of data subjects” should be specifically entered in the DPA, e.g., by including the list of processing activities, and it should be possible to assign them to the type and purposes of processing.
- The use of Microsoft 365 for Microsoft’s business purposes is only permitted if there is a legal basis. However, the controller cannot specify this legal basis due to ambiguities in the processing purposes and the data collected. The controller should therefore clarify which processing of which personal data is performed to what extent for Microsoft’s purposes and whether there is a legal basis for this. All processing purposes for which no legal basis can be identified should be contractually excluded and technically prevented.
- It should be contractually stipulated that personal user data may only be disclosed by Microsoft if there is a legal obligation to do so.
- The controller should check whether the measures already provided for the appropriate protection of the processing of its personal data by Microsoft are sufficient and – if necessary – also contractually agree any additional mandatory measures. Any unlawful, unnecessary or disproportionate processing of data should be contractually excluded and technically prevented.
- The deletion periods listed in the DPA should be contractually adapted, i.e., generally shortened. The exceptions to the deletion obligation should be restricted and further specified.
Furthermore, the guidelines require the controller to operate Microsoft 365 on its own IT structures in order to prevent the transfer of personal data to Microsoft for its own purposes. It is also recommended to use pseudonymous email addresses/accounts and to prohibit the use of private Microsoft accounts.
The guidelines have a number of deficiencies. In particular, the instructions to use pseudonymous email addresses or to prohibit the use of private Microsoft accounts hardly seem practical. It also remains to be seen whether Microsoft is actually prepared to negotiate and conclude additional contracts with the individual companies. This guideline is not legally binding for companies, as the Data Protection Conference has no legislative powers. In any case, a data protection impact assessment is recommended when using MS 365. We can also help you to operate MS 365 in the best possible data protection-compliant manner by reducing the unnecessary transfer of data to Microsoft.
Further information is available here ››