So far, a broad-based campaign by data protection supervisory authorities with questionnaires on the use of Microsoft 365 has failed to materialise. However, a recent letter from the data protection supervisory authority in Thuringia suggests that a change of tactics might take place in the near future. Irrespective of this, data controllers already normally receive questionnaires about Microsoft 365 when complaints are received from data subjects. Based on our experience from the administrative proceedings we have accompanied, we would like to provide an overview below, including the response to questionnaires on Microsoft 365 and possibilities for prevention.
Content of the known administrative requests
Most of the questionnaires we know of take an informational approach and aim at a joint elucidation of the factual and legal situation. In part, the surveys are based on a questionnaire from the Hamburg data protection supervisory authority from 2021. In addition to a detailed description of the specific use of Microsoft 365, the authorities regularly require a submission of all compliance documents relating to Microsoft 365. This includes the following information in particular:
- Extract from the processing directory
- Data protection impact assessment
- Data protection information
- Legal assessment of third country transfers
- Any declarations of consent
Reaction: How should data controllers deal with requests from authorities?
Data controllers do not have to fear a discussion on the data-protection-compliant use of Microsoft 365. Regardless of the fact that much of the legal reasoning of the Data Protection Conference is unconvincing, Microsoft has made numerous other data protection improvements with the new January 2023 DPA. Our practical experience shows that a lot can usually be achieved with a detailed response to the authorities’ inquiry and open communication.
Before responding, data controllers should consider the following aspects in particular:
- Content of the request: Is this an appeal hearing or a strictly informational inquiry?
- Context of inquiry: Is the letter based on a complaint from a data subject? If so, is it possible to remedy the complaint without red tape?
- Provision of documents: Are all relevant documents up to date or should updates be made before responding to the request?
- Experience dealing with supervisory agencies: Has the enterprise had experience dealing with the requesting agency or even a previous history of using Microsoft 365?
Prevention How can data controllers prepare themselves?
Data controllers who have not (yet) received a request from the authorities should take advantage of the current breather and use the familiar questionnaires to check how good their own compliance is when using Microsoft 365. Our experience to date from administrative proceedings on Microsoft 365 shows how important it is to have good documentation on data protection with Microsoft 365. In addition to content-related aspects, data controllers should check the level of maturity already reached in responding to requests from authorities. In addition, sound management of data subjects’ rights can make complaints about Microsoft 365 superfluous from the outset and help to ensure that the data protection supervisory authorities will not have to take action at all.back