German authorities continue to rely on Microsoft 365 despite data protection concerns. The question of GDPR compliance remains open, while companies and authorities are heavily dependent on non-European IT providers. This particularly affects software and applications in the area of cloud computing.
A survey shows that around 80% of companies feel dependent on non-European providers for key digital technologies. This situation raises questions about data security and compliance, especially with regard to the data protection risks of Microsoft cloud use by public authorities.
The use of Microsoft 365 in almost all companies illustrates the dominance of the provider. As early as 2018, a German data protection impact assessment (DPIA) found that the use of Office 365 was not compatible with data protection law. Nevertheless, the dependency has not diminished.
Important findings
- German authorities use Microsoft 365 despite data protection concerns
- Around 80% of companies feel dependent on non-European IT providers
- A DPIA from 2018 declared Office 365 non-compliant with data protection law
- The GDPR compliance of Microsoft 365 remains controversial
- Lack of European alternatives increases dependency
Data protection risks of Microsoft cloud use by authorities: current situation
The use of Microsoft cloud services in German authorities is increasing despite data protection concerns. At least six federal states are planning to introduce these services in their administration. Risk management faces major challenges.
Dependence of German authorities on cloud services
Lower Saxony and Bavaria are pioneers in the use of Teams and Microsoft 365. Hamburg plans to equip 8,000 to 10,000 administrative workstations with Microsoft 365 by the end of the year. North Rhine-Westphalia and Bremen will follow in 2025. This development shows the growing dependence on cloud services in the public sector.
Lack of European alternatives
The lack of European alternatives is driving the use of Microsoft services. The German government is planning to offer Microsoft 365 via the SAP subsidiary Delos in order to comply with data protection requirements. Some states, such as Baden-Württemberg, prefer this solution. OpenDesk, an open source alternative, is being developed but has met with a limited response.
Technical superiority of American suppliers
The technical superiority of American providers is undisputed. However, serious security incidents at Microsoft Azure in 2021 and 2022 illustrated the risks. Chinese hackers gained access to numerous email accounts, including those of US government employees. As a result, the Cybersecurity and Infrastructure Security Agency (CISA) obliged US authorities to take protective measures. Handling government data requires the highest security standards.
The increasing dependence on Microsoft services coupled with security concerns presents authorities with a dilemma between efficiency and data protection.
Data processing in Microsoft 365: Basic aspects
Microsoft 365 is designed as Software-as-a-Service (SaaS) and includes programs such as Word, Excel and PowerPoint. Data processing in this hybrid cloud environment is complex and raises data protection issues.
Office 365 processes various types of data. This includes functional data, content data, diagnostic data and data from Connected Experiences. Depending on the category and purpose, Microsoft takes on different roles - as a processor or independent controller.
The German Data Protection Conference (DSK) has determined that it is not possible to prove that Microsoft 365 operates in compliance with data protection regulations. Despite adjustments to the Data Protection Addendum (DPA), personal data continues to be transferred to the USA.
Microsoft plans to introduce an EU Data Boundary by 2024 to ensure the processing of personal data in European data centers. This is intended to address concerns regarding the Azure infrastructure.
Windows and Office 365 users should note that diagnostic data is collected in order to fix problems and improve the system. A unique advertising ID is also used for personalized advertising.
Data processing in Microsoft 365 remains a complex issue with challenges for data protection and compliance.
Functional and content data for Microsoft cloud services
Various types of data are generated when using Microsoft cloud services. These can be divided into functional and content data. Each category plays an important role for cloud computing and data security.
Definition and types of functional data
Functional data is essential for the operation of cloud services. It includes technical information such as location data for time synchronization or connection details. This data enables the smooth functioning of Microsoft services and contributes to compliance.
Processing of content data
Content data is user-generated information such as texts in Word documents or emails in Outlook. Microsoft acts as a processor here and uses this data exclusively to provide the services. Processing takes place under strict data protection guidelines.
Data protection classification
The legal assessment varies depending on the type of data and processing purpose. A data protection impact assessment revealed 8 problem areas in the use of Office 365, with Microsoft only being able to satisfactorily minimize the risks in 2 areas. Especially with Outlook and Teams, data security is a critical factor.
| Data type | Processing | Relevance to data protection |
|---|---|---|
| Functional data | Technical operation | Medium |
| Content data | Service provision | High |
| Diagnostic data | Analysis and improvement | Very high |
Users should activate privacy-friendly settings and configure the telemetry functions to limit data collection. House rules for Microsoft 365 use can help to regulate the handling of sensitive data and increase data security.
Diagnostic data and its significance for data security
Diagnostic data plays an important role in risk management for the Microsoft cloud. It provides insights into the functioning and security of the systems. Handling this data is particularly sensitive for public authorities, as they process confidential government data.
Required diagnostic data
This category includes basic information such as device data and error reports. It is essential for the smooth operation of the applications. Microsoft has severely restricted the processing of this data in order to comply with data protection requirements.
Optional diagnostic data
Optional diagnostic data provides additional insights for product improvement. However, its use can be problematic under data protection law. Authorities should carefully consider which of this data they release.
Storage and processing
The storage and processing of diagnostic data is subject to strict security measures. Microsoft has introduced additional contractual protective measures and has brought metadata and diagnostic data within the scope of processing on behalf of the controller.
| Data type | Processing | Relevance to data protection |
|---|---|---|
| Required diagnostic data | Severely restricted | Low |
| Optional diagnostic data | Extended | Potentially high |
For secure handling of diagnostic data, we recommend deactivating telemetry or diagnostic data transmission. Particularly sensitive data should be backed up in encrypted storage services. These measures support authorities in complying with strict data protection requirements.
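The telemetry and connected-experience recommendations above (and the settings advice in the data protection classification section) can be checked on a workstation. The following PowerShell script is an added example, not part of the original article: it audits, and with `-Enforce` sets, the per-user Office privacy policy registry values. It assumes Microsoft 365 Apps (the Office 16.0 policy path) and the value meanings Microsoft documents for these policy settings; `Get-OfficePrivacyState` and `Set-OfficePrivacyState` are names chosen here.

```powershell
# Added example, not from the original article: audit (and optionally enforce) the
# per-user Office privacy policy values that control diagnostic data and connected
# experiences. Assumes Microsoft 365 Apps (Office 16.0 policy path) and the value
# meanings Microsoft documents for these policy settings; run with -Enforce to apply.
[CmdletBinding()]
param([switch]$Enforce)

$PolicyPath = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'

# Restrictive target values, as documented by Microsoft for these policies:
#   sendtelemetry: 1 = Required, 2 = Optional, 3 = Neither
#   disconnectedstate, usercontentdisabled, downloadcontentdisabled: 2 = disabled
#   controllerconnectedservicesenabled: 1 = enabled, 2 = disabled
$Desired = [ordered]@{
    sendtelemetry                      = @{ Value = 3; Meaning = 'no diagnostic data sent to Microsoft' }
    disconnectedstate                  = @{ Value = 2; Meaning = 'connected experiences disabled' }
    usercontentdisabled                = @{ Value = 2; Meaning = 'content-analysing experiences disabled' }
    downloadcontentdisabled            = @{ Value = 2; Meaning = 'online-content download experiences disabled' }
    controllerconnectedservicesenabled = @{ Value = 2; Meaning = 'optional connected experiences disabled' }
}

function Get-OfficePrivacyState {
    foreach ($name in $Desired.Keys) {
        # A missing value means no policy is set, so the Office default or the user's own choice applies
        $item = Get-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue
        $current = if ($null -eq $item) { $null } else { $item.$name }
        [pscustomobject]@{
            Setting   = $name
            Current   = if ($null -eq $current) { 'not set (no policy)' } else { $current }
            Desired   = $Desired[$name].Value
            Compliant = ($current -eq $Desired[$name].Value)
            Meaning   = $Desired[$name].Meaning
        }
    }
}

function Set-OfficePrivacyState {
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $PolicyPath -Name $name -PropertyType DWord `
            -Value $Desired[$name].Value -Force | Out-Null
    }
}

Get-OfficePrivacyState | Format-Table Setting, Current, Desired, Compliant, Meaning -AutoSize
if ($Enforce) {
    Set-OfficePrivacyState
    Get-OfficePrivacyState | Format-Table Setting, Current, Compliant -AutoSize
}
```

In managed environments these values are normally delivered by Group Policy or the Microsoft 365 Apps Cloud Policy service; the script only reads and writes the resulting HKCU values, so an audit run shows whether that delivery actually reached the workstation.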
Connected experiences and their data protection implications
Connected Experiences in Office 365 offer additional functions that require an internet connection. These services enable collaboration on OneDrive documents or translations in Word, for example. However, they also raise questions about data protection.
The use of connected experiences in a hybrid cloud environment can be problematic. Data processing cannot simply be justified with Microsoft as the processor. Instead, a joint controllership agreement may be required.
Current statistics show how sensitive the issue is:
- 90% of companies consider GDPR compliance essential for cloud solutions
- 79% demand transparency in the security architecture
- 67% attach importance to the location of the cloud provider
These figures illustrate the high demands placed on data protection and security, which Azure and Office 365 must meet. Companies should carefully consider the use of Connected Experiences and, if necessary, consider alternative solutions in order to retain control over their data.
| Aspect | Requirement | Relevance for connected experiences |
|---|---|---|
| GDPR compliance | 90% | High |
| Security transparency | 79% | Medium |
| Location of the provider | 67% | High |
Assessment by German data protection authorities
The German Data Protection Conference (DSK) took a close look at the data protection provisions of Microsoft 365. The results of this investigation were presented in a comprehensive 60-page report.
Position of the DSK
The data protection conference emphasizes the responsibility of companies to use Microsoft 365 in compliance with data protection law. There was neither a product warning nor a ban, but companies must nevertheless be informed about data flows and take their data protection responsibility seriously.
Critical assessments
The main points of criticism when using Microsoft 365 are the transmission of government data to the USA, a lack of transparency in data processing and insufficient means for the customer to intervene. The supervisory authorities examine deficits in data protection and give those responsible the opportunity to rectify them.
Legal consequences
The Berlin Court of Appeal clarified that expert opinions from data protection supervisory authorities merely represent a legal opinion to which courts are not bound. Data protection-compliant use of Microsoft 365 is possible, but requires specific compliance measures. These can have an impact on day-to-day work, such as slower performance or restricted use of certain features.
| Aspect | Requirement | Possible impact |
|---|---|---|
| Data transmission | Data traffic redirection | Slower performance |
| Transparency | Pseudonymous e-mail addresses | More difficult data exchange |
| Telemetry | Setting the data transmission | Limited troubleshooting |
| Updates | Monitoring of product updates | Additional administrative work |
International perspectives: Dutch DPIA assessment
The Dutch government has conducted a groundbreaking Data Protection Impact Assessment (DPIA) for Microsoft Office 365. This assessment provides important insights for the Cloud computing and data security in Europe.
Initially, the use of Office 365 was classified as non-compliant with data protection regulations. After intensive negotiations and adjustments by Microsoft, version 1905 of Office 365 ProPlus was deemed permissible. This shows how important effective risk management is in the area of cloud computing.
A more recent DPIA on Microsoft Teams, OneDrive, SharePoint and Azure AD came to a positive conclusion. The assessment revealed that there are no high data protection risks, provided that recommended measures are implemented. This assessment underlines the importance of data security and proactive risk management when using cloud services.
The Dutch DPIA assessment shows that cloud computing solutions can be data protection compliant if implemented and monitored correctly.
These findings are highly relevant for German authorities. They show that secure use of cloud services is possible if the necessary precautions are taken. However, the continuous review and adaptation of data security measures remains a central task in risk management in the public sector.
Technical and organizational measures taken by Microsoft
Microsoft has taken extensive steps to meet data protection and compliance requirements for its cloud services. These measures are aimed at optimizing risk management and complying with data protection regulations.
Data protection measures
The tech giant has restricted the processing of diagnostic data and increased transparency. As a data processor, Microsoft supports organizations in complying with GDPR requirements, including processing requests from data subjects. The Purview Compliance Manager offers functions for assessing compliance status and reducing risk.
Security concepts
Microsoft's security concepts include the secure processing of customer data in accordance with documented instructions. This includes activities such as billing, compensation and internal reporting. Microsoft emphasizes that customer data or information derived from it is not used for profiling, advertising or similar commercial purposes.
Compliance requirements
Despite these efforts, according to the Data Protection Conference (DSK), legal uncertainties remain in the implementation of technical and organizational measures. The design of the return and erasure obligations does not fully comply with the requirements of Art. 28 GDPR. It is also criticized that information about new sub-processors is not detailed enough, which could impair compliance efforts.