Data protection supervisory authorities to publish “practical tips”
At the end of September 2023, the State Commissioner for Data Protection of Lower Saxony (Landesbeauftragter für den Datenschutz Niedersachsen), together with six other data protection supervisory authorities, published a “Handreichung für die Verantwortlichen zum Abschluss einer Auftragsverarbeitungsvereinbarung gem. Art. 28 Abs. 3 DSGVO mit Microsoft für den Einsatz von Microsoft 365″ (Guidelines for data controllers on the conclusion of a data processing agreement with Microsoft for the use of Microsoft 365 in accordance with Art. 28 (3) GDPR). These guidelines are intended to provide “practical tips” for contracts with Microsoft, in particular the Products and Services Data Protection Addendum (DPA). In this article, we explain the implications of the guidelines and why the “practical tips” are not very practical in fact.
The discussion about Microsoft 365 is still ongoing. In order to bridge the time until the Data Protection Conference (DSK) reassesses the factual and legal situation, the data protection supervisory authorities of the German federal states of Lower Saxony, Bavaria, Hesse, North Rhine-Westphalia, Rhineland-Palatinate, Schleswig-Holstein and Thuringia have drawn up guidelines for Microsoft 365. In addition to examining the permissibility of using Microsoft 365 in specific individual cases, it is recommended that data controllers conclude a “supplementary agreement to the DPA” in order to fulfil their accountability obligation under Art. 5 (2) GDPR. The guidelines basically contain six “to-dos” that relate to the desired contract negotiations with Microsoft with regard to the criticisms made by the DSK in November 2022. In particular, the following contract amendments are called for:
- Detailed description of the processing operations, e. g. by means of a table to be filled in by the data controller;
- Enhanced transparency and contractual agreements on processing by Microsoft for its own purposes;
- Strict obligation to abide by instructions and restrictions on the disclosure of data by Microsoft;
- Detailed specification of the technical and organisational measures and the associated processing operations;
- Shortening of the periods until deletion and limiting the exceptions to Microsoft’s deletion obligations;
- More detailed information on sub-processors and agreeing on proactive notification of changes.
A final point of action contains general recommendations, including the operation of Microsoft 365 on the company’s own IT structures, the use of pseudonymous email addresses and a ban on private use (BYOD). The issue of data transfer to the USA, including the question of extraterritorial application of US laws and the evaluation of the technical functions of Microsoft 365, is expressly not part of the guidelines
“Practical tips” are outdated and not very practical in fact
Most of the to-dos from the guidelines show that the data protection supervisory authorities deal with the issue of data protection-compliant use of Microsoft 365 from a purely theoretical perspective and have largely lost touch with practice. In addition to the fact that many points tend to reflect the wishes of the data protection supervisory authorities, but are not required by law, it should be noted that some aspects cannot be implemented at all in practice. For example, the operation of Microsoft 365 on the company’s own IT structure is no longer offered on the market. It also seems questionable whether Microsoft will negotiate its contracts with all customers and conclude the recommended supplementary agreements. This is all the more true as the guidelines are based on the DSK’s assessment from September 2022 and therefore on an outdated factual and legal situation. Although the guidelines refer to the current DPA of January 2023, individual to-dos recommend measures which Microsoft has already sufficiently implemented with the last update of its DPA
Our one-pager on data protection compliance with Microsoft 365 is available here.back