In November 2022, the Conference of Independent Federal and State Data Protection Supervisory Authorities (“DSK”) determined that Microsoft’s standard data processing agreement (hereinafter: “DPA”) for the use of “Microsoft 365” does not comply with the legal requirements. Several data protection supervisory authorities have now jointly drawn up a guideline for data controllers, thereby enabling them to adapt the DPA by means of supplementary agreements and thus ensure data protection-compliant use.
In particular, the guideline instructs the controller to do the following:
Furthermore, the guideline requires the controller to operate Microsoft 365 on its own IT infrastructure in order to prevent the transfer of personal data to Microsoft for its own purposes. It also recommends using pseudonymous email addresses/accounts and prohibiting the use of private Microsoft accounts.
Conclusion
The guideline has a number of deficiencies. In particular, the instructions to use pseudonymous email addresses or to prohibit the use of private Microsoft accounts hardly seem practical. It also remains to be seen whether Microsoft is actually prepared to negotiate and conclude additional contracts with the individual companies. This guideline is not legally binding for companies, as the Data Protection Conference has no legislative powers. In any case, a data protection impact assessment is recommended when using MS 365. We can also help you to operate MS 365 in the best possible data protection-compliant manner by reducing the unnecessary transfer of data to Microsoft.