MS 365 data protection – new DPA for 2023 published!

At the beginning of the year, Microsoft released a new version of its Products and Services Data Protection Addendum (DPA). With it, the company is once again responding with concrete action to criticism from data protection supervisory authorities. The new DPA makes it easier for customers using Microsoft 365 to demonstrate their data protection compliance. We present the changes below.

Background: importance of and criticism of the DPA

The DPA serves, among other things, as the data processing agreement under the General Data Protection Regulation (GDPR), governing the processing of personal data between customers and Microsoft. The DPA has repeatedly come under fire from data protection supervisory authorities. Most recently, for example, the German Data Protection Conference (Datenschutzkonferenz, DSK) concluded that controllers could not demonstrate that they were using Microsoft 365 in compliance with data protection law on the basis of the old DPA.

The key changes in the new DPA

With the new DPA, Microsoft makes further improvements to data protection and increases the transparency of its data flows. The new DPA contains the following five key changes:

  1. More support for compliance
    Annex 1 of the DPA now states that Microsoft will assist customers in fulfilling their accountability obligations under Article 5(2) GDPR and will provide customers with the documents necessary to do so. This makes it easier for customers to demonstrate that they use Microsoft 365 in a privacy-compliant manner (see our one-page report on privacy compliance in Microsoft 365 (PDF)).
  2. Telecommunications data
    For personal data that Microsoft collects as a provider of telecommunications services and that is not subject to the GDPR, the DPA clarifies that Microsoft implements the relevant legal requirements. In particular, this includes telecommunications secrecy (§ 3 TTDSG).
  3. Data processing in Europe
    The EU Data Boundary is written into the new DPA, which now states clearly that customer data covered by the EU Data Boundary is stored and processed by Microsoft only within the EU. The European Microsoft Cloud holds a lot of potential for companies and public authorities.
  4. More data security
    Microsoft already ensures a high level of security and holds virtually all relevant cybersecurity certifications. The new DPA clarifies at the contractual level that Microsoft also implements the technical and organisational measures from the standard contractual clauses between Microsoft Ireland and Microsoft USA. Controllers can thus more easily fulfil their secondary verification obligation for data that is not processed exclusively in the EU.
  5. Extended scope of application
    The new DPA applies not only to customers with volume licensing agreements but to all customers with an existing products and services agreement.

Conclusion and practical tip

With the new DPA, Microsoft continues the trend of raising its level of data protection in response to criticism from regulators. This gives controllers using MS 365 greater clarity and more support for their data protection compliance. Regardless of whether the new DPA fully convinces the data protection regulators, controllers should seek to conclude the new DPA and reflect it in their data protection documentation.
