Deploy­ment of Micro­soft 365 by public agencies

How to deal with data flows to Microsoft?

If public aut­ho­ri­ties, uni­ver­si­ties, schools or other public bodies use Micro­soft 365, they assu­me the role of a con­trol­ler with regard to the pro­ces­sing of per­so­nal data under the GDPR. Howe­ver, Micro­soft also pro­ces­ses data for its own pur­po­ses to a small ext­ent. Data pro­ces­sing acti­vi­ties are limi­t­ed to the fol­lo­wing pur­po­ses under Microsoft’s cur­rent DPA:

  • bil­ling and account management;
  • com­pen­sa­ti­on such as cal­cu­la­ti­on of employee com­mis­si­ons and part­ner incentives;
  • inter­nal report­ing and busi­ness mode­ling such as fore­cas­ting, reve­nue, capa­ci­ty plan­ning, and pro­duct stra­tegy; and
  • finan­cial reporting. 

    Is the­re any data dis­clo­sure to Microsoft?

    Micro­soft its­elf is respon­si­ble under data pro­tec­tion law for the pro­ces­sing of data for its own pur­po­ses. In this respect, Micro­soft is respon­si­ble for com­pli­ance with the requi­re­ments of the GDPR. Howe­ver, it is some­ti­mes argued that Microsoft’s pro­ces­sing is pre­ce­ded by a trans­fer or dis­clo­sure by the public enti­ty. This exces­si­ve inter­pre­ta­ti­on of the term “dis­clo­sure” must be rejec­ted, howe­ver, in view of the role of Micro­soft 365 with the employ­ing public body, sin­ce a mere oppor­tu­ni­ty to pro­cess data does not yet con­sti­tu­te dis­clo­sure or trans­fer in the terms of data pro­tec­tion law. Ger­man and Euro­pean data pro­tec­tion super­vi­so­ry aut­ho­ri­ties have dif­fe­rent views on this.

    Legal basis for data processing

    If one nevert­hel­ess assu­mes a dis­clo­sure or trans­fer of the cor­re­spon­ding data to Micro­soft, a legal basis is requi­red for this. In this respect, com­pa­nies and other non-public enti­ties can gene­ral­ly invo­ke a legi­ti­ma­te inte­rest. Howe­ver, pur­su­ant to Artic­le 6(1), Sen­tence 2 GDPR, this legal basis does not app­ly to pro­ces­sing car­ri­ed out by public bodies in the per­for­mance of their tasks. This is also the opi­ni­on of the Sta­te Com­mis­sio­ner for Data Pro­tec­tion and Free­dom of Infor­ma­ti­on of Baden-Württemberg (LfDI BW) in a recom­men­da­ti­on on the use of Micro­soft Office 365 in schools:

    “The­re are no legal bases for some pro­ces­sing ope­ra­ti­ons for ope­ra­ti­ons at a school, par­ti­cu­lar­ly for trans­fers to Micro­soft for its own busi­ness acti­vi­ties or busi­ness inte­rests. Schools are sub­ject to much tigh­ter legal requi­re­ments in this area than com­pa­nies that use Micro­soft products”.

    By way of § 25(2)2 of the Ger­man Fede­ral Data Pro­tec­tion Act and com­pa­ra­ble regu­la­ti­ons in the respec­ti­ve sta­te data pro­tec­tion laws, howe­ver, the legis­la­tu­re has crea­ted a basis for the trans­fer of per­so­nal data by public bodies to non-public bodies if “the third par­ty to whom the data is trans­fer­red cre­di­bly demons­tra­tes a legi­ti­ma­te inte­rest in kno­wing the data to be trans­fer­red and the data sub­ject has no inte­rest wort­hy of pro­tec­tion in the exclu­si­on of the transfer”.

    § 25(2)2 of the Ger­man Fede­ral Data Pro­tec­tion Act (BDSG)

    Howe­ver, the­re are some doubts as to the com­pa­ti­bi­li­ty of § 25(2)2 BDSG with Euro­pean law. Artic­le 6(2) of the GDPR is only inten­ded to pro­vi­de an ope­ning clau­se for pro­ces­sing ope­ra­ti­ons car­ri­ed out to com­ply with a legal requi­re­ment or a task in the public inte­rest, but not for a legi­ti­ma­te inte­rest. To sol­ve this awk­ward situa­ti­on, seve­ral voices in legal lite­ra­tu­re and rulings sug­gest with good argu­ments that public bodies can invo­ke a legi­ti­ma­te inte­rest in this case (if neces­sa­ry by ana­lo­gy). The fact that this does not actual­ly app­ly to public bodies, inso­far as the public body is per­forming a public task with the trans­fer, should be non-detrimental in this case, as § 25(2)1 BDSG can be used as an ele­ment of per­mis­si­on in this respect. In view of the vehe­ment cri­ti­cism level­led at the use of Micro­soft 365 by some Ger­man data pro­tec­tion super­vi­so­ry aut­ho­ri­ties, it is more than sur­pri­sing that no public state­ment has yet been made on this issue.


    The pro­ces­sing of data by Micro­soft for its own pur­po­ses remains con­tro­ver­si­al under data pro­tec­tion law. Assum­ing dis­clo­sure or trans­fer, com­pa­nies and other non-public enti­ties may cla­im a legi­ti­ma­te inte­rest. This is not direct­ly pos­si­ble for aut­ho­ri­ties and other public bodies. Indi­rect­ly, howe­ver, public bodies may very well take into account a legi­ti­ma­te inte­rest of Micro­soft. Public bodies that want to use Micro­soft 365 in a privacy-compliant man­ner (five tips for this here) should include this con­side­ra­ti­on in their legal assessment.


    Stay up-to-date

    We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.