A big step for IT in public administration: the state of Lower Saxony recently concluded a contract with Microsoft for the use of Microsoft Teams, which overcomes the concerns of the responsible data protection supervisory authority. The results achieved serve as a blueprint for the use of Microsoft Teams by public authorities. However, those responsible must fulfil certain requirements.
Requirements for the use of Microsoft Teams
Step 1: Data protection impact assessment
A prerequisite for the use of Microsoft Teams in public administration is the implementation of an individual data protection impact assessment (DPIA). Among other things, the DPIA must describe the usage scenarios for Microsoft Teams as well as possible risks and remedial measures.
Step 2: EU Data Boundary
Microsoft’s decision to process the data exclusively in Europe (EU Data Boundary) was decisive for the data protection-compliant use of Microsoft Teams in Lower Saxony. If data continues to be transferred to third countries, the controller must assess the admissibility under data protection law in a transfer impact assessment (TIA).
Step 3: Data minimisation
Step 4: Data protection measures
Data controllers must ensure an appropriate level of data protection through technical and organisational measures (TOM) and regularly review the effectiveness of the measures.
Step 5: Data Protection Addendum
If there are still data protection concerns after checking and implementing the other steps, data controllers can request the Lower Saxony Data Protection Addendum (DPA) from Microsoft. As the General Data Protection Regulation (GDPR) has resulted in the full harmonisation of data protection law, the adapted DPA should also convince the data protection officers of the federal government and the other federal states.
360° support
We provide comprehensive advice on the data protection-compliant use of Microsoft 365 by public bodies and are happy to support you with data protection advice on the introduction of Microsoft Teams.