Update: Data protection with Microsoft 365

On 25 November 2022, the German Data Protection Conference (Datenschutzkonferenz, DSK), the body of independent German federal and state data protection supervisory authorities, published an opinion on Microsoft 365, resulting in a determination by the DSK that “it is not possible to demonstrate that data controllers operate Microsoft 365 in compliance with data protection law […]”. Microsoft reacted to the DSK assessment on the same day by publishing its own statement. In this article, we outlined the main points of contention and compared and legally evaluated the positions of the players involved. Microsoft has done a lot since then. It’s now time for an update!

Microsoft 365 privacy update

After the DSK had initially only published a summary of its statement, the final report of the DSK “Microsoft Online Services” working group was subsequently also made available. The final report enables a detailed discussion of the individual points of criticism made by the authorities. In addition, some German data protection supervisory authorities have announced that they will now approach data controllers in public bodies and companies to check compliance with data protection requirements when using Microsoft 365. Microsoft has published a new Products and Services Data Protection Addendum (DPA) and an updated list of sub-processors used, effective 1 January 2023. In addition, since the beginning of this year Microsoft has launched the EU Data Boundary for the Microsoft Cloud, a European cloud solution for public agencies and enterprises. The details of what has changed and how these changes affect the question of a data-protection-compliant use of Microsoft 365 can be found here.


For the time being, whether and how the data protection supervisory authorities will react to Microsoft's improvements remains to be seen. With comprehensive documentation and assessment of risks, as well as appropriate mitigation measures, GDPR-compliant use of Microsoft 365 can be well justified for both public bodies and enterprises. Data controllers will then not have to fear controversial discussions with the data protection supervisory authorities.

You can find our one-page report on data protection compliance with Microsoft 365 here.

