MS 365 data protection – new DPA for 2023 published!
At the beginning of the year, Microsoft released a new version of its Product and Services Data Protection Addendum (DPA). The company is thus once again responding with action to criticism from data protection supervisory authorities. The new DPA makes it easier for customers using Microsoft 365 to prove their data protection compliance. We present the changes below.
Background: Importance and criticism of the DPA
The DPA serves, among other things, as an order processing agreement in accordance with the General Data Protection Regulation (GDPR), regulating the processing of personal data between customers and Microsoft. The DPA is repeatedly in the crossfire of criticism from data protection supervisory authorities. Most recently, for example, the German Data Protection Conference (Datenschutzkonferenz, DSK) came to the conclusion that data controllers could not prove that they were using Microsoft 365 in compliance with data protection law on the basis of the old DPA.
The key changes in the new DPA
With the new DPA, Microsoft is making further improvements to data protection and increasing the transparency of data flows. The new DPA includes the following five key changes:
- More support for compliance
Annex 1 of the DPA now states that Microsoft will assist customers in fulfilling their accountability obligations under Article 5(2) GDPR and will provide customers with the documents necessary to do so. This makes it easier for customers to prove that they are using Microsoft 365 in a privacy-compliant manner (see our one-page report on privacy compliance at Microsoft 365 (PDF)).
- Telecommunications data
For personal data that Microsoft collects as a provider of telecommunications services and that is not subject to the GDPR, it is clarified that Microsoft implements the relevant legal requirements. In particular, this includes the secrecy of telecommunications (§ 3 TTDSG).
- Data processing in Europe
The EU Data Boundary is implemented in the new DPA, clearly stating that Microsoft will only store and process customer data in the EU if it is covered by the EU Data Boundary. The European Microsoft Cloud has a lot of potential for companies and public authorities.
- More data security
Microsoft already ensures a high level of security and holds virtually all relevant cybersecurity certifications. The new DPA clarifies on a contractual level that Microsoft also implements the technical and organisational measures from the standard contractual clauses between Microsoft Ireland and Microsoft USA. Controllers can thus more easily comply with their secondary verification obligation for data that is not exclusively processed in the EU.
- Extended scope of application
The new DPA applies not only to customers with volume license agreements, but to all customers with an existing product and service agreement.
Conclusion and practical tip
By way of the new DPA, Microsoft is continuing the trend of raising the level of data protection in response to criticism from regulators. This provides clarity and more support for data protection compliance for data controllers using MS 365. Regardless of whether the new DPA fully convinces data protection regulators, data controllers should seek to conclude the new DPA and reflect this in their data protection documentation.