FAQ about tele­me­try and dia­gno­stic data in Micro­soft 365

When it comes to data pro­tec­tion with Micro­soft 365, in addi­ti­on to data trans­fers to the USA , the pro­ces­sing of tele­me­try and dia­gno­stic data is often cri­ti­cis­ed. Occa­sio­nal­ly, it is even clai­med that data pro­tec­tion law pro­hi­bits Micro­soft from using data for its own busi­ness pur­po­ses. The­se FAQs are inten­ded to dis­pel such myths and sup­port respon­si­ble par­ties who use Micro­soft 365 or are plan­ning to intro­du­ce it in a privacy-compliant man­ner.

  1. What is tele­me­try and dia­gno­stic data?
    Tele­me­try data are any data coll­ec­ted by tele­me­try that, despi­te pseud­ony­mi­sa­ti­on, may con­tain infor­ma­ti­on that iden­ti­fies an indi­vi­du­al user. The­r­e­fo­re, tele­me­try data are at least par­ti­al­ly per­so­nal data. Part of tele­me­try data is dia­gno­stic data, which con­ta­ins infor­ma­ti­on about the devices used and the per­for­mance of the appli­ca­ti­ons used. A distinc­tion must be made bet­ween optio­nal and essen­ti­al dia­gno­stic data. While the pro­ces­sing of optio­nal dia­gno­stic data can be dis­ab­led by the cus­to­mer, this is not pos­si­ble for the dia­gno­stic data neces­sa­ry for essen­ti­al ser­vices. Neces­sa­ry dia­gno­stic data in par­ti­cu­lar are the­r­e­fo­re the focus of cri­ti­cism under data pro­tec­tion law.
  2. For what pur­po­ses does Micro­soft pro­cess the­se data?
    In accordance with the Data Pro­tec­tion Adden­dum (DPA) , Micro­soft pro­ces­ses data for its own busi­ness acti­vi­ties . This includes, in par­ti­cu­lar, bil­ling and account manage­ment, com­pen­sa­ti­on, inter­nal report­ing and busi­ness mode­ling, com­ba­ting fraud, cyber­crime or cyber­at­tacks, impro­ving core ser­vice func­tion­a­li­ty, and finan­cial report­ing and com­pli­ance with legal obli­ga­ti­ons. In a state­ment dated 11 August 2022 , Micro­soft expli­cit­ly cla­ri­fies: “Dia­gno­stic data are neces­sa­ry to keep pro­ducts and ser­vices run­ning safe­ly and stably.”
  3. Does Micro­sof­t’s data pro­ces­sing vio­la­te data pro­ces­sing agree­ments?
    No. The data pro­ces­sing when using Micro­soft 365 and the data pro­ces­sing for Microsoft’s own busi­ness acti­vi­ties are sepa­ra­te pro­ces­sing ope­ra­ti­ons that must be con­side­red indi­vi­du­al­ly accor­ding to the legal rulings of the ECJ. With the DPA, the par­ties cla­ri­fy that Micro­soft acts as a con­trol­ler with respect to pro­ces­sing for its own busi­ness acti­vi­ties and that this pro­ces­sing ope­ra­ti­on is not part of job data pro­ces­sing. The DPA is not a mere data pro­ces­sing agree­ment, but also con­ta­ins fur­ther infor­ma­ti­on and decla­ra­ti­ons on data pro­tec­tion. In our view, Micro­soft is thus also taking into account the cri­ti­cism of the Ger­man Data Pro­tec­tion Con­fe­rence (Daten­schutz­kon­fe­renz, DSK) regar­ding unclear respon­si­bi­li­ties under data pro­tec­tion law and pre­ven­ting pos­si­ble misunderstandings.
  4. Is Micro­soft sole­ly respon­si­ble or is the­re joint respon­si­bi­li­ty?
    Pre­re­qui­si­te for joint respon­si­bi­li­ty is the joint deter­mi­na­ti­on of the pur­po­ses and means of a pro­ces­sing ope­ra­ti­on, which is affirm­ed in part on the basis of the DPA agree­ment. Publicly, this view has so far only been adopted in the June 2019 Data Pro­tec­tion Impact Assess­ment (DSFA) on Office 365 Pro­Plus by the Dutch Minis­try of Jus­ti­ce regar­ding lega­cy Micro­soft con­tracts. Howe­ver, in the 2022 DSFA on Micro­soft Teams, One­Dri­ve, Share­Point, and Azu­re AD , the Dutch Minis­try of Jus­ti­ce takes this view only in a signi­fi­cant­ly wea­k­en­ed form. The DSK, on the other hand, affirms Micro­sof­t’s sole respon­si­bi­li­ty in its 2020 posi­ti­on paper . Micro­sof­t’s sole respon­si­bi­li­ty is also sup­port­ed by a gui­de­line issued by the data pro­tec­tion aut­ho­ri­ty of North Rhine-Westphalia on online exami­na­ti­ons at uni­ver­si­ties . In it, the aut­ho­ri­ty argues that the pro­ces­sing of trans­port and meta­da­ta in so-called “mixed ser­vices” (e.g., video con­fe­ren­cing ser­vices with a docu­ment manage­ment sys­tem) is not job data pro­ces­sing, but is the sole respon­si­bi­li­ty of the ser­vice pro­vi­der and sub­ject to tele­com­mu­ni­ca­ti­ons sec­re­cy. In a sam­ple let­ter from the Baden-Württemberg data pro­tec­tion aut­ho­ri­ty on Micro­soft Office 365, the aut­ho­ri­ty expli­cit­ly lea­ves the ques­ti­on of respon­si­bi­li­ties open. A uni­form line of the Ger­man and Euro­pean data pro­tec­tion super­vi­so­ry aut­ho­ri­ties is curr­ent­ly not perceptible.
  5. Is the­re any data dis­clo­sure to Micro­soft?
    This is also con­tro­ver­si­al. In some cases, howe­ver, it is argued that dis­clo­sure should alre­a­dy exist becau­se cus­to­mers do not pre­vent Micro­soft from pro­ces­sing data, thus pas­si­ve­ly ope­ning an oppor­tu­ni­ty for Micro­soft to coll­ect the data. This line of argu­ment seems to be fol­lo­wed, albeit wit­hout fur­ther jus­ti­fi­ca­ti­on, by the model let­ter of the data pro­tec­tion super­vi­so­ry aut­ho­ri­ty of Baden-Württemberg and the posi­ti­on paper of the DSK . The pre­fer­red view, howe­ver, is that dis­clo­sure requi­res posi­ti­ve action by the con­trol­ler, so the mere oppor­tu­ni­ty for data coll­ec­tion by Micro­soft does not estab­lish dis­clo­sure by cus­to­mers. The con­cept of data pro­ces­sing by omis­si­on is ali­en to the GDPR and must be rejec­ted as con­tra­ry to the system.
  6. Assum­ing dis­clo­sure, what is the legal basis?
    While com­pa­nies and other non-public enti­ties could base dis­clo­sure on a legi­ti­ma­te inte­rest, public enti­ties are bar­red from doing so. The lat­ter can at most refer to the per­for­mance of a neces­sa­ry task that is in the public inte­rest. Regu­la­tors tend to dis­miss this with a blan­ket refe­rence to all Micro­soft busi­ness acti­vi­ties iden­ti­fied in the DPA. More cor­rect­ly, howe­ver, dif­fe­ren­tia­ted advice must be given with regard to spe­ci­fic busi­ness activities.

Prac­ti­cal recommendation

Micro­soft 365 is tech­ni­cal­ly extre­me­ly com­plex and offers a wide ran­ge of opti­ons for pro­ces­sing per­so­nal data. A blan­ket state­ment on data pro­tec­tion com­pli­ance is the­r­e­fo­re not pos­si­ble. Ins­tead, depen­ding on the spe­ci­fic use, it must be exami­ned for which pur­po­ses per­so­nal data are pro­ces­sed with Micro­soft 365 and what legal bases can be used for the pro­ces­sing in each case. Based on the spe­ci­fic use, pos­si­ble risks to data pri­va­cy and appro­pria­te reme­di­al mea­su­res should also be iden­ti­fied and imple­men­ted. We have had very good expe­ri­ence with this approach in num­e­rous imple­men­ta­ti­on projects.

back

Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.