GDPR-compliant use of Microsoft 365 in the company

Microsoft 365 – controversial under data protection law
Not only in the private sphere, but also in many companies and public authorities, Microsoft products are part of the standard equipment and are repeatedly scrutinised by data protection authorities.
They are controversial under data protection law, and the authorities have not yet issued any uniform recommendations or prohibitions.
Microsoft 365 usage in schools
Only a few weeks ago, the data protection authority (DPA) of Baden-Württemberg published a critical note on the use of Microsoft 365 by schools and a FAQ on Microsoft Office 365 on its website. The DPA provides a summary of the data protection issues and risks associated with the use of Microsoft 365.
Transfer of personal data to the US – third country data transfer
As is well known, the company's headquarters are in the US. From there, Microsoft operates data centres all over the world that are controlled by Office 365. In order to comply with the General Data Protection Regulation (GDPR) in the European Economic Area, Microsoft also offers to operate major services in European data centres. However, this does not apply to the services that ensure the operation of Office 365 itself. User identities and associated metadata are transferred from the EU to the US. This is what data protection experts call a third country transfer.
The issue is the classification of the US as a third country without adequate data protection guarantees. We have already reported in detail on the causes and effects of the so-called Schrems II ruling. From a purely legal point of view, data transfer to the US has since been prohibited or only permitted under certain conditions.
Keyword: EU standard contractual clauses. Although these are now part of the Microsoft licence agreement, they are still not sufficient for some German supervisory authorities.
Measures for data protection compliant operation
In order to avoid fines and to ensure data protection compliant operation of Microsoft 365, those responsible in the company must take risk-minimising measures. These include various data protection-relevant default settings and configurations. Important keywords: Connected Experiences/Services, Diagnostic Data, Telemetry Level, LinkedIn and many more.
The GDPR allows processing on the basis of a data protection impact assessment (DPIA) pursuant to Article 35 GDPR. This offers the opportunity to take measures that raise the level of data protection to the extent required by the risk assessment.
In any case, a functioning data protection management system should be in place. It fulfils the documentation and verification obligations under the GDPR and documents the implementation of the risk assessment within a data protection impact assessment.
Please feel free to contact us for more detailed information on DPIA according to Art. 35 GDPR.