It’s a big move for IT in public administration: Lower Saxony has signed a contract with Microsoft for the use of Microsoft Teams, which overcomes the concerns of the German data protection authorities! The results achieved serve as a blueprint for the use of Microsoft 365 by public authorities. A data protection impact assessment (DPIA) remains a prerequisite for data protection compliance.
The improvements to Microsoft’s Data Protection Addendum (DPA) were negotiated in close consultation with the State Commissioner for Data Protection in Lower Saxony. All key requirements of the state of Lower Saxony were taken into account and the critical “big points” in terms of data protection were clarified. Microsoft’s decision to store and process the data in Europe (“EU boundary”) was decisive for GDPR compliance.
With its decision in favour of Microsoft Teams, the state of Lower Saxony is continuing its cloud strategy. The rollout of Microsoft Teams is scheduled to begin in the second quarter of 2024. Once the rollout has been successfully completed, the application will be available for around 13,500 workstations over the course of the year. The next steps into the cloud are already being examined.
Microsoft has stated that it will also take the data protection regulations agreed with the state of Lower Saxony into account for other public administration customers in Germany. However, it is unclear whether all state data protection commissioners share Lower Saxony’s assessment. Hamburg and Saarland have recently signalled otherwise. It therefore remains to be seen how the individual state authorities will assess the latest amendments to the DPA.
It is very welcome that, for the first time, contracts have been negotiated with Microsoft that meet the strict requirements of the Data Protection Conference. However, the adaptation of the DPA is not carte blanche. The prerequisite for the data protection-compliant use of Microsoft Teams in Lower Saxony was carrying out a data protection impact assessment, including a risk assessment and various technical and organisational measures to be implemented. Companies and public bodies that use Microsoft 365 must therefore continue to take action themselves.