How to deal with data flows to Microsoft?
If public authorities, universities, schools or other public bodies use Microsoft 365, they assume the role of a controller with regard to the processing of personal data under the GDPR. However, Microsoft also processes data for its own purposes to a small extent. Data processing activities are limited to the following purposes under Microsoft’s current DPA:
- billing and account management;
- compensation such as calculation of employee commissions and partner incentives;
- internal reporting and business modeling such as forecasting, revenue, capacity planning, and product strategy; and
- financial reporting.
Is there any data disclosure to Microsoft?
Microsoft itself is responsible under data protection law for the processing of data for its own purposes. In this respect, Microsoft is responsible for compliance with the requirements of the GDPR. However, it is sometimes argued that Microsoft’s processing is preceded by a transfer or disclosure by the public entity. This excessive interpretation of the term “disclosure” must be rejected, however, in view of the role of Microsoft 365 with the employing public body, since a mere opportunity to process data does not yet constitute disclosure or transfer in the terms of data protection law. German and European data protection supervisory authorities have different views on this.
Legal basis for data processing
If one nevertheless assumes a disclosure or transfer of the corresponding data to Microsoft, a legal basis is required for this. In this respect, companies and other non-public entities can generally invoke a legitimate interest. However, pursuant to Article 6(1), Sentence 2 GDPR, this legal basis does not apply to processing carried out by public bodies in the performance of their tasks. This is also the opinion of the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (LfDI BW) in a recommendation on the use of Microsoft Office 365 in schools:
“There are no legal bases for some processing operations for operations at a school, particularly for transfers to Microsoft for its own business activities or business interests. Schools are subject to much tighter legal requirements in this area than companies that use Microsoft products”.
By way of § 25(2)2 of the German Federal Data Protection Act and comparable regulations in the respective state data protection laws, however, the legislature has created a basis for the transfer of personal data by public bodies to non-public bodies if “the third party to whom the data is transferred credibly demonstrates a legitimate interest in knowing the data to be transferred and the data subject has no interest worthy of protection in the exclusion of the transfer”.
§ 25(2)2 of the German Federal Data Protection Act (BDSG)
However, there are some doubts as to the compatibility of § 25(2)2 BDSG with European law. Article 6(2) of the GDPR is only intended to provide an opening clause for processing operations carried out to comply with a legal requirement or a task in the public interest, but not for a legitimate interest. To solve this awkward situation, several voices in legal literature and rulings suggest with good arguments that public bodies can invoke a legitimate interest in this case (if necessary by analogy). The fact that this does not actually apply to public bodies, insofar as the public body is performing a public task with the transfer, should be non-detrimental in this case, as § 25(2)1 BDSG can be used as an element of permission in this respect. In view of the vehement criticism levelled at the use of Microsoft 365 by some German data protection supervisory authorities, it is more than surprising that no public statement has yet been made on this issue.
The processing of data by Microsoft for its own purposes remains controversial under data protection law. Assuming disclosure or transfer, companies and other non-public entities may claim a legitimate interest. This is not directly possible for authorities and other public bodies. Indirectly, however, public bodies may very well take into account a legitimate interest of Microsoft. Public bodies that want to use Microsoft 365 in a privacy-compliant manner (five tips for this here) should include this consideration in their legal assessment.back