Microsoft 365: Response to and prevention of requests from authorities

So far, a broad-based campaign by data protection supervisory authorities with questionnaires on the use of Microsoft 365 has failed to materialise. However, a recent letter from the data protection supervisory authority in Thuringia suggests that a change of tactics might take place in the near future. Irrespective of this, data controllers already normally receive questionnaires about Microsoft 365 when complaints are received from data subjects. Based on our experience from the administrative proceedings we have accompanied, we would like to provide an overview below, including the response to questionnaires on Microsoft 365 and possibilities for prevention.

Content of the known administrative requests

Most of the questionnaires we know of take an informational approach and aim at a joint elucidation of the factual and legal situation. In part, the surveys are based on a questionnaire from the Hamburg data protection supervisory authority from 2021. In addition to a detailed description of the specific use of Microsoft 365, the authorities regularly require a submission of all compliance documents relating to Microsoft 365. This includes the following information in particular:

  • Extract from the processing directory
  • Data protection impact assessment
  • Data protection information
  • Legal assessment of third country transfers
  • Any declarations of consent

Reaction: How should data controllers deal with requests from authorities?

Data controllers do not have to fear a discussion on the data-protection-compliant use of Microsoft 365. Regardless of the fact that much of the legal reasoning of the Data Protection Conference is unconvincing, Microsoft has made numerous other data protection improvements with the new January 2023 DPA. Our practical experience shows that a lot can usually be achieved with a detailed response to the authorities’ inquiry and open communication.

Before responding, data controllers should consider the following aspects in particular:

  • Content of the request: Is this an appeal hearing or a strictly informational inquiry?
  • Context of inquiry: Is the letter based on a complaint from a data subject? If so, is it possible to remedy the complaint without red tape?
  • Provision of documents: Are all relevant documents up to date or should updates be made before responding to the request?
  • Experience dealing with supervisory agencies: Has the enterprise had experience dealing with the requesting agency or even a previous history of using Microsoft 365?

Prevention: How can data controllers prepare themselves?

Data controllers who have not (yet) received a request from the authorities should take advantage of the current breather and use the familiar questionnaires to check how good their own compliance is when using Microsoft 365. Our experience to date from administrative proceedings on Microsoft 365 shows how important it is to have good documentation on data protection with Microsoft 365. In addition to content-related aspects, data controllers should check the level of maturity already reached in responding to requests from authorities. In addition, sound management of data subjects’ rights can make complaints about Microsoft 365 superfluous from the outset and help to ensure that the data protection supervisory authorities will not have to take action at all.

