Guidelines for Microsoft 365

Data protection supervisory authorities publish "practical tips"

At the end of September 2023, the State Commissioner for Data Protection of Lower Saxony (Landesbeauftragter für den Datenschutz Niedersachsen), together with six other data protection supervisory authorities, published a "Handreichung für die Verantwortlichen zum Abschluss einer Auftragsverarbeitungsvereinbarung gem. Art. 28 Abs. 3 DSGVO mit Microsoft für den Einsatz von Microsoft 365" (Guidelines for data controllers on the conclusion of a data processing agreement with Microsoft for the use of Microsoft 365 in accordance with Art. 28 (3) GDPR). These guidelines are intended to provide "practical tips" for contracts with Microsoft, in particular for the Products and Services Data Protection Addendum (DPA). In this article, we explain the implications of the guidelines and why the "practical tips" are in fact not very practical.

Guidelines for Microsoft 365

The discussion about Microsoft 365 is still ongoing. To bridge the time until the Data Protection Conference (DSK) reassesses the factual and legal situation, the data protection supervisory authorities of the German federal states of Lower Saxony, Bavaria, Hesse, North Rhine-Westphalia, Rhineland-Palatinate, Schleswig-Holstein and Thuringia have drawn up guidelines for Microsoft 365. In addition to examining the permissibility of using Microsoft 365 in the specific individual case, the guidelines recommend that data controllers conclude a "supplementary agreement to the DPA" in order to fulfil their accountability obligation under Art. 5 (2) GDPR. The guidelines essentially contain six "to-dos" relating to the contract negotiations with Microsoft that the authorities would like to see, based on the criticisms made by the DSK in November 2022. In particular, the following contract amendments are called for:

  1. Detailed description of the processing operations, e.g. by means of a table to be filled in by the data controller;
  2. Enhanced transparency and contractual agreements on processing by Microsoft for its own purposes;
  3. Strict obligation to abide by instructions and restrictions on the disclosure of data by Microsoft;
  4. Detailed specification of the technical and organisational measures and the associated processing operations;
  5. Shortening of the periods until deletion and limiting the exceptions to Microsoft's deletion obligations;
  6. More detailed information on sub-processors and agreeing on proactive notification of changes.

A final point of action contains general recommendations, including operating Microsoft 365 on the company's own IT infrastructure, using pseudonymous email addresses and banning the private use of devices (BYOD). The issue of data transfers to the USA, including the question of the extraterritorial application of US laws and the evaluation of the technical functions of Microsoft 365, is expressly not part of the guidelines.

"Practical tips" are outdated and in fact not very practical

Most of the to-dos in the guidelines show that the data protection supervisory authorities approach the question of data protection-compliant use of Microsoft 365 from a purely theoretical perspective and have largely lost touch with practice. Apart from the fact that many points reflect the wishes of the data protection supervisory authorities rather than legal requirements, some aspects cannot be implemented in practice at all. For example, operating Microsoft 365 on the company's own IT infrastructure is no longer offered on the market. It also seems questionable whether Microsoft will negotiate its contracts with every customer and conclude the recommended supplementary agreements. This is all the more true as the guidelines are based on the DSK's assessment from September 2022 and therefore on an outdated factual and legal situation. Although the guidelines refer to the current DPA of January 2023, individual to-dos recommend measures which Microsoft has already sufficiently implemented with the last update of its DPA.
