Using Microsoft 365 in a privacy-compliant way?

The data protection risks of Microsoft 365 have long been known. Nevertheless, many companies continue to use the software service. Find out what the DSK's "Working Group for Microsoft Online Services" has come up with on this topic here.

DSK on Microsoft 365

The Data Protection Conference (DSK) created a working group called the Microsoft Online Services Working Group in September 2020. This published its findings in November 2022. The goal was to find a practical solution for using Microsoft 365 in a privacy-compliant manner. To this end, the working group held 14 meetings lasting several hours with representatives from Microsoft.

The main point of criticism that was identified is the processing of personal data for Microsoft's own and non-legitimate purposes. The deletion of this data also does not appear to be in compliance with data protection laws. Microsoft's contracts with the respective customers also lack clarification on the types and purposes of data processing.

In addition, Microsoft did not sufficiently protect the data during international transfers (see Schrems II decision). The technical and organizational measures offered by Microsoft were also insufficient.

Likewise, the contractual provisions for notifying the customer of new subcontractors were insufficient.

The results of the DSK can be found in the detailed form also here and here read up.

Reaction from Microsoft

Simultaneously with the publication of the DSK's findings, Microsoft published a counterstatement. This is entitled "Microsoft meets and exceeds European data protection laws". As the title indicates, Microsoft does not share the DSK's view. The software service provider considers its products to be in compliance with European data protection law and justifies the DSK's contradictory findings by saying that changes already made were not adequately taken into account and that the way the services work was misunderstood.

You can download the detailed rebuttal from Microsoft here read up.

And now?

From the conflicting accounts of Microsoft and DSK, one can see how a long overdue debate is unfolding. Individual voices are also coming forward to criticize the DSK's actions. For example, a vote in the consistency procedure with the involvement of the European Data Protection Board was not held, which could have led to better results.

In any case, the results of the DSK should be understood as an appeal to Microsoft to deal more with the topic of data protection. Companies in the EU must also once again address the issue of third-country transfers and data protection.

So far, there have been no known measures taken by supervisory authorities in Germany with regard to the use of Microsoft 365. However, this is now set to change. At least, this is what individual data protection officers have already indicated. As a company, it is now important to plan enough time and resources for an analysis of the existing risks for the use of Microsoft 365 on the basis of actual use.

Do you need support with data privacy risk assessments or other topics related to data privacy and data security? Our team of experts is ready to assist you. We will also be happy to provide you with an external data protection officer. Contact us without obligation here.