Data Subject Requests and the GDPR and CCPA

The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents no matter where you or your enterprise are located. Additional details can be found in the GDPR Summary topic.

Similarly, the California Consumer Privacy Act (CCPA), provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information. The CCPA also provides for certain disclosures, protections against discrimination when electing exercise rights, and "opt-out/ opt-in" requirements for certain data transfers classified as "sales". This document guides you to information on the completion of Data Subject Requests (DSRs) under the GDPR and CCPA using Microsoft products and services.


Helpful definitions for GDPR terms used in this document:

  • Data Controller (Controller): A legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Personal data and data subject: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly.
  • Processor: A natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the controller.
  • Customer Data: Data produced and stored in the day-to-day operations of running your business.

What is a DSR?

The General Data Protection Regulation (GDPR) gives rights to people (known in the regulation as data subjects) to manage the personal data that has been collected by an employer or other type of agency or organization (known as the data controller or just controller). The GDPR gives data subjects specific rights to their personal data; these rights include obtaining copies of it, requesting changes to it, restricting the processing of it, deleting it, or receiving it in an electronic format so it can be moved to another controller.

California Consumer Privacy Act (CCPA) provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information.

As a controller, you are obligated to promptly consider each DSR and provide a substantive response either by taking the requested action or by providing an explanation for why the DSR cannot be accommodated by the controller. A controller should consult with its own legal or compliance advisers regarding the proper disposition of any given DSR.

Several processes may be involved completing a DSR, subject to your organization's GDPR-compliance rules.

  • Discovery. The process of determining what data is needed to complete a DSR.
  • Access. Retrieval and potential transmission to the data subject of discovered information.
  • Rectify. Implement changes or other requested personal data changes.
  • Restrict. Changing the access or processing of persona data by restricting access, or removing data from the Microsoft cloud.
  • Export. Providing a "structured, commonly used, machine-readable format" of personal data to the data subject, as provided by the GDPR's "right of data portability."
  • Delete. Permanent removal of personal data from the Microsoft cloud.

Specific DSR Considerations

Insights generated by Microsoft Products or Services

Insights may be generated by services (Viva Personal Insights, etc.) Office 365 includes online services that provide insights to users and organizations that use them. Data generated by these services may produce personal data relevant to a DSR. Follow the link in the list below for details regarding service-specific DSR processes.

DSRs for system-generated logs

Logs and related data generated by Microsoft may contain data deemed personal under GDPR's definition of "personal data." Restricting or rectifying data in system-generated logs is not supported. Data in system-generated logs constitutes factual actions conducted within the Microsoft cloud and diagnostic data; modifications would compromise the historical record of actions and increase fraud and security risks. Microsoft provides the ability to access, export, and delete system-generated logs that may be necessary to complete a DSR. Examples of such data may include:

  • Product and service usage data such as user activity logs
  • User search requests and query data
  • Data generated by product and services resulting from system functionality and interaction by users or other systems.

Viva Engage and Kaizala

Deleting a user's account will not remove system-generated logs for Viva Engage and Kaizala. To remove the data from these applications, see one of the following resources:

National Clouds

In some national clouds, a global IT Administrator needs to delete system-generated logs.

Microsoft Services

If your organization or users engage with Microsoft to receive, support related to Microsoft products and services some of this data may contain personal data. For more information, see Microsoft Support and Professional Services Data Subject Requests for the GDPR.

Microsoft Controller Products

In some circumstances, your organization's users may access Microsoft products or services for which Microsoft is the data controller. In those cases, your users need to initiate their own DSRs directly to Microsoft, and Microsoft fulfills the requests directly to the user.

Third-party Products

For third-party products and services accessed through Microsoft account authentication, any data subject requests should be directed to the applicable third party.

Data Subject Request admin tools

Learn more