Can Microsoft 365 be used in compliance with data protection regulations?

In particular, the guideline instructs the controller to do the following:

1. The information “categories of personal data” and “categories of data subjects” should be specifically entered in the DPA, e.g., by including the list of processing activities, and it should be possible to assign them to the type and purposes of processing.
2. The use of Microsoft 365 for Microsoft’s business purposes is only permitted if there is a legal basis. However, the controller cannot specify this legal basis due to ambiguities in the processing purposes and the data collected. The controller should therefore clarify which processing of which personal data is performed to what extent for Microsoft’s purposes and whether there is a legal basis for this. All processing purposes for which no legal basis can be identified should be contractually excluded and technically prevented.
3. It should be contractually stipulated that personal user data may only be disclosed by Microsoft if there is a legal obligation to do so.
4. The controller should check whether the measures already provided for the appropriate protection of the processing of its personal data by Microsoft are sufficient and – if necessary – also contractually agree any additional mandatory measures. Any unlawful, unnecessary or disproportionate processing of data should be contractually excluded and technically prevented.
5. The deletion periods listed in the DPA should be contractually adapted, i.e., generally shortened. The exceptions to the deletion obligation should be restricted and further specified.

Furthermore, the guidelines require the controller to operate Microsoft 365 on its own IT structures in order to prevent the transfer of personal data to Microsoft for its own purposes. It is also recommended to use pseudonymous email addresses/accounts and to prohibit the use of private Microsoft accounts.

Conclusion

The guidelines have a number of deficiencies. In particular, the instructions to use pseudonymous email addresses or to prohibit the use of private Microsoft accounts hardly seem practical. It also remains to be seen whether Microsoft is actually prepared to negotiate and conclude additional contracts with the individual companies. This guideline is not legally binding for companies, as the Data Protection Conference has no legislative powers. In any case, a data protection impact assessment is recommended when using MS 365. We can also help you to operate MS 365 in the best possible data protection-compliant manner by reducing the unnecessary transfer of data to Microsoft.

Further information is available here ››