5 tips for the use of Microsoft 365 by public bodies in compliance with data protection laws

Word, PowerPoint, Excel, Outlook and Teams – Microsoft’s applications have increasingly moved to the cloud in recent years. The resulting “Microsoft 365” now offers practical collaboration options in addition to many other advantages of the cloud. At the same time, however, numerous data protection issues arise, especially when used by public agencies, because personal data is processed in all applications. However, data protection-compliant use of Microsoft 365 is also possible for public agencies and institutions, such as schools, universities and public authorities, as examples from real world practice show: For example, in a recently published data protection impact assessment for universities, the Dutch Ministry of Justice concluded that there are no “great risks to data processing” after implementing certain measures. And the Bavarian Justice Administration also relies on Microsoft Teams to conduct video hearings (only in German).

Hence, the focus of a data protection-compliant use of Microsoft 365 is less on the “if” and more on the “how”. Below, we would like to provide you with five tips for data protection-compliant use of Microsoft 365 by public authorities, which we have gained in numerous implementation projects and in close exchange with Microsoft and the data protection supervisory authorities:

1. Conducting a data protection impact assessment

Data protection-compliant use of Microsoft 365 by public authorities generally requires a data protection impact assessment pursuant to Article 35 GDPR. This is intended to further investigate processing operations that are likely to present a high risk to the personal rights and freedoms of natural persons prior to implementation and to reduce such risks through mitigation measures.

2. Identifying processing operations and the respective purposes of processing

The respective purposes of use of Microsoft 365 within a public body should be determined via the definition of “usage scenarios”. For example, in the context of teaching at a university or school, different scenarios can be distinguished, such as lectures or classes, seminars, group work, exams, and many more. Here, it is necessary to identify the groups of people affected in the context of the respective scenarios (for example, students, employees, teachers) and to determine the specific personal data affected in each case via data categories. In addition to practical usage scenarios, an overview of the contracts and licenses with Microsoft should also be obtained, and it should also be checked whether it is necessary to conclude additional (data protection) agreements.

3. Identifying the legal bases for the processing purposes

Building on the previous step, identify the respective legal bases for the specific purposes of the processing. This is because processing of personal data is only lawful if at least one of the conditions of Article 6(1), Sentence 1, lit. a) – f) GDPR is met. When allocating legal bases, care should be taken to differentiate as precisely as possible between the specific purposes.

4. Assessing the risks to the rights and freedoms of data subjects

Based on the purposes of use, the risks to data subjects should also be weighed. Risks in public institutions may include, for example, the (accidental) disclosure of personal data or unlawful access to personal data by third parties. In this context, special attention must also be paid to the specific groups of people affected: For example, personal data of minors is processed at schools, which is a group of people that requires special protection. A special risk assessment must also be carried out for judicial authorities with regard to the processing of personal data on criminal convictions and criminal offenses.

5. Remedial measures to address risks

Once the respective risks have been identified, the task is to implement suitable remedial measures. These can be both technical and organisational in nature. One technical workaround is the use of special functions provided by Microsoft such as “Customer Lockbox” or “Hold Your Own Key”. An authorisation concept that controls the access rights of all users to data within an institution can also be technically implemented in Microsoft 365. In addition to other organisational measures, such as guidelines for using Microsoft 365 and employee training, an erasure concept should also be created to minimise data and limit storage.


Due to its technical structure and numerous legal requirements, using Microsoft 365 in a manner that complies with data protection regulations is complex. However, with a data protection impact assessment and suitable technical and organisational measures to reduce risks within the framework of the intended usage scenarios, compliant use is ultimately possible for public bodies too.

