Data pro­tec­tion with Micro­soft 365

Regu­la­tors and Micro­soft express their views

On 25 Novem­ber 2022, the Data Pro­tec­tion Con­fe­rence (DSK), the body of inde­pen­dent Ger­man fede­ral and sta­te data pro­tec­tion super­vi­so­ry aut­ho­ri­ties, published an opi­ni­on on Micro­soft 365. The opi­ni­on is the result of a series of joint dis­cus­sions bet­ween DSK and Micro­soft, fol­lo­wing DSK’s initi­al assess­ment of Micro­soft Office 365 (now: Micro­soft 365). After DSK came to the con­clu­si­on in 2020 that “no use of Micro­soft Office 365 is pos­si­ble under data pro­tec­tion law”, only “minor impro­ve­ments” are now said to be dis­cer­ni­ble. In this artic­le, we pre­sent and eva­lua­te the main points of con­ten­ti­on. At the end, you can down­load a detail­ed com­pa­ri­son of the posi­ti­ons and our assessment.

Eva­lua­ti­on by DSK

The basis of DSK’s cur­rent assess­ment is the Micro­soft Pro­ducts and Ser­vices Data Pro­tec­tion Adden­dum (“DPA”) as amen­ded on 15 Sep­tem­ber 2022. DSK empha­si­s­es that, in addi­ti­on to the eva­lua­ti­on of the con­trac­tu­al frame­work, no tech­ni­cal exami­na­ti­on of the pro­ces­sing ope­ra­ti­ons or eva­lua­ti­on of the imple­men­ta­ti­on of the con­trac­tu­al arran­ge­ments has taken place. The main points of cri­ti­cism include non-transparent pro­ces­sing of data by Micro­soft for its own pur­po­ses in the view of the DSK, as well as the trans­fer of data to the United Sta­tes, wher­eby the new Exe­cu­ti­ve Order of the US Pre­si­dent of 7 Octo­ber 2022 has express­ly not yet found its way into the assessment.

State­ment by Microsoft

Micro­soft alre­a­dy reac­ted to the DSK assess­ment on the same day by publi­shing its own state­ment. In it, the com­pa­ny sta­tes that Micro­soft 365 pro­ducts “not only meet, but often exceed, strict EU data pro­tec­tion laws”. Accor­ding to the com­pa­ny, the con­cerns expres­sed by DSK do not ade­qua­te­ly take into account the chan­ges alre­a­dy made and are based on seve­ral misun­derstan­dings regar­ding the func­tio­ning of the services.

Com­pa­ri­son of the main statements

Here you can find our initi­al assess­ment of the DSK’s state­ment. In this report, we came to the con­clu­si­on that it is still pos­si­ble to use Micro­soft 365 in a man­ner that com­pli­es with data pro­tec­tion requi­re­ments. The fol­lo­wing com­pa­ri­son of the main diver­ging state­ments from the two opi­ni­ons is also inten­ded to pro­vi­de gui­dance for the (legal) eva­lua­ti­on of the use of Micro­soft 365. You can find our one-page report on data pro­tec­tion com­pli­ance with Micro­soft 365 here.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.