5 tips for the use of Microsoft 365 by public bodies in compliance with data protection laws

Word, PowerPoint, Excel, Outlook and Teams – Microsoft’s applications have increasingly moved to the cloud in recent years. The resulting “Microsoft 365” now offers practical collaboration options in addition to many other advantages of the cloud. At the same time, however, numerous data protection issues arise, especially when used by public agencies, because personal data is processed in all applications. However, data protection-compliant use of Microsoft 365 is also possible for public agencies and institutions, such as schools, universities and public authorities, as examples from real-world practice show: for example, in a recently published data protection impact assessment for universities, the Dutch Ministry of Justice concluded that there are no “great risks to data processing” after implementing certain measures. And the Bavarian Justice Administration also relies on Microsoft Teams to conduct video hearings (only in German).

Hence, the focus of a data protection-compliant use of Microsoft 365 is less on the “if” and more on the “how”. Below, we would like to provide you with five tips for data protection-compliant use of Microsoft 365 by public authorities, which we have gained in numerous implementation projects and in close exchange with Microsoft and the data protection supervisory authorities:

1. Conducting a data protection impact assessment

Data protection-compliant use of Microsoft 365 by public authorities generally requires a data protection impact assessment pursuant to Article 35 GDPR. This is intended to further investigate processing operations that are likely to present a high risk to the personal rights and freedoms of natural persons prior to implementation and to reduce such risks through mitigation measures.

2. Identifying processing operations and the respective purposes of processing

The respective purposes of use of Microsoft 365 within a public body should be determined via the definition of “usage scenarios”. For example, in the context of teaching at a university or school, different scenarios can be distinguished, such as lectures or classes, seminars, group work, exams, and many more. Here, it is necessary to identify the groups of people affected in the context of the respective scenarios (for example, students, employees, teachers) and to determine the specific personal data affected in each case via data categories. In addition to practical usage scenarios, an overview of the contracts and licenses with Microsoft should also be obtained, and it should also be checked whether it is necessary to conclude additional (data protection) agreements.

3. Identifying the legal bases for the processing purposes

Building on the previous step, identify the respective legal bases for the specific purposes of the processing. This is because processing of personal data is only lawful if at least one of the conditions of Article 6(1), Sentence 1, points (a) to (f) GDPR is met. When allocating legal bases, care should be taken to differentiate as precisely as possible between the specific purposes.

4. Assessing the risks to the rights and freedoms of data subjects

Based on the purposes of use, the risks to data subjects should also be weighed. Risks in public institutions may include, for example, the (accidental) disclosure of personal data or unlawful access to personal data by third parties. In this context, special attention must also be paid to the specific groups of people affected: for example, personal data of minors is processed at schools, which is a group of people that requires special protection. A special risk assessment must also be carried out for judicial authorities with regard to the processing of personal data on criminal convictions and criminal offenses.

5. Remedial measures to address risks

Once the respective risks have been identified, the task is to implement suitable remedial measures. These can be both technical and organisational in nature. One technical measure is the use of special functions provided by Microsoft such as “Customer Lockbox” or “Hold Your Own Key”. An authorisation concept that controls the access rights of all users to data within an institution can also be technically implemented in Microsoft 365. In addition to other organisational measures, such as guidelines for using Microsoft 365 and employee training, an erasure concept should also be created to minimise data and limit storage.


Due to its technical structure and numerous legal requirements, using Microsoft 365 in a manner that complies with data protection regulations is complex. However, with a data protection impact assessment and suitable technical and organisational measures to reduce risks within the framework of the intended usage scenarios, compliant use is ultimately possible for public bodies too.

