Breakthrough in the data protection-compliant use of Microsoft 365

It’s a big move for IT in public administration: Lower Saxony has signed a contract with Microsoft for the use of Microsoft Teams, which overcomes the concerns of the German data protection authorities! The results achieved serve as a blueprint for the use of Microsoft 365 by public authorities. A data protection impact assessment (DPIA) remains a prerequisite for data protection compliance.

The improvements to Microsoft’s Data Protection Addendum (DPA) were negotiated in close consultation with the State Commissioner for Data Protection in Lower Saxony. All key requirements of the state of Lower Saxony were taken into account and the critical “big points” in terms of data protection were clarified. Microsoft’s decision to store and process the data in Europe (“EU boundary”) was decisive for GDPR compliance.

With its decision in favour of Microsoft Teams, the state of Lower Saxony is continuing its cloud strategy. The rollout of Microsoft Teams is scheduled to begin in the second quarter of 2024. Once the rollout has been successfully completed, the application will be available for around 13,500 workstations over the course of the year. The next steps into the cloud are already being examined.

Microsoft has stated that it will also take the data protection regulations agreed with the state of Lower Saxony into account for other public administration customers in Germany. However, it is unclear whether all state data protection commissioners share Lower Saxony’s assessment. Hamburg and Saarland have recently signalled otherwise. It therefore remains to be seen how the individual state authorities will assess the latest amendments to the DPA.

It is very welcome that, for the first time, contracts have been negotiated with Microsoft that meet the strict requirements of the Data Protection Conference. However, the adaptation of the DPA is not a carte blanche. The prerequisite for the data protection-compliant use of Microsoft Teams in Lower Saxony was carrying out a data protection impact assessment, including a risk assessment and various technical and organisational measures to be implemented. Companies and public bodies that use Microsoft 365 must therefore continue to take action themselves.


reuschlaw Onepager Microsoft 365
