The use of Microsoft Teams in public administration

A big step for IT in public administration: the state of Lower Saxony recently concluded a contract with Microsoft for the use of Microsoft Teams, which overcomes the concerns of the responsible data protection supervisory authority. The results achieved serve as a blueprint for the use of Microsoft Teams by public authorities. However, those responsible must fulfil certain requirements.

Requirements for the use of Microsoft Teams

Step 1: Data protection impact assessment

A prerequisite for the use of Microsoft Teams in public administration is the implementation of an individual data protection impact assessment (DPIA). Among other things, the DPIA must describe the usage scenarios for Microsoft Teams as well as possible risks and remedial measures.

Step 2: EU data boundary

Microsoft’s decision to process the data exclusively in Europe (EU Data Boundary) was decisive for the data protection-compliant use of Microsoft Teams in Lower Saxony. If data continues to be transferred to third countries, the controller must assess the admissibility under data protection law in a transfer impact assessment (TIA).

Step 3: Data minimisation

Data controllers must ensure an appropriate level of data protection through technical and organisational measures (TOM) and regularly review the effectiveness of the measures.

Step 4: Data protection measures

Data controllers must ensure an appropriate level of data protection through technical and organisational measures (TOM) and regularly review the effectiveness of the measures.

Step 5: Data Protection Addendum

If there are still data protection concerns after checking and implementing the other steps, data controllers can request the Lower Saxony Data Protection Addendum (DPA) from Microsoft. As the General Data Protection Regulation (GDPR) has resulted in the full harmonisation of data protection law, the adapted DPA should also convince the data protection officers of the federal government and the other federal states.

360° support

We provide comprehensive advice on the data protection-compliant use of Microsoft 365 by public bodies and are happy to support you with data protection advice on the introduction of Microsoft Teams.

 
