Visual Studio Family Data Subject Requests for the GDPR and CCPA
The European Union General Data Protection Regulation (GDPR) gives rights to people (known in the regulation as data subjects) to manage their personal data. Personal data is defined broadly under the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data subjects specific rights to their personal data; these rights include obtaining copies of personal data, requesting corrections to it, restricting the processing of it, deleting it, or receiving it in an electronic format. A formal request by a data subject to a data controller (an employer or other type of agency or organization that has control over personal data) to take an action on that data subject's personal data is called a data subject request or DSR.
Similarly, the California Consumer Privacy Act (CCPA), provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information. The CCPA also provides for certain disclosures, protections against discrimination when electing exercise rights, and "opt-out/ opt-in" requirements for certain data transfers classified as "sales". Sales are broadly defined to include the sharing of data for a valuable consideration. For more information about the CCPA, see the California Consumer Privacy Act and the California Consumer Privacy Act FAQ.
For general information about GDPR, see the GDPR section of the Service Trust portal.
Products covered by this guide
This guide discusses how to use Microsoft tools to export or delete personal data collected during authenticated (signed-in) session usage of Visual Studio and Visual Studio for Mac and Microsoft extensions to them and to Visual Studio Code. This guide also covers how to make data subject requests for personal data collected when using Visual Studio Developer Community, NuGet.org, and the ASP.NET website. These products may enable the use of non-Microsoft tools and extensions, and Microsoft is not a data processor or controller for these tools and extensions. Users should contact the tool or extension provider to understand the personal data and collection policies for these tools and extensions.
Additional privacy information
The Microsoft Software License Terms accompanying the products, the Microsoft Privacy Statement, and Microsoft's GDPR Commitments describe our data processing practices.
Visual Studio, Visual Studio for Mac, and Visual Studio Code
Personal data we collect
As a data processor under the GDPR, Microsoft collects the data we need from users to provide experiences for and improve Visual Studio and Visual Studio for Mac and Microsoft extensions to them and to Visual Studio Code. There are two categories of data: customer data and system-generated logs. Customer data includes user-identifiable transactional and interactional data that these products need to perform the service they provide. For example, to provide users with personalized experiences such as roaming settings, we need to collect user account information and settings data. System-generated logs are usage or diagnostic data that are used to help identify and troubleshoot problems and improve our products and services, and may also contain identifiable information about end users, such as a user name. System-generated logs are retained for no more than 18 months. As an example, system-generated logs are aggregated for each day of product usage and include the usage date, the product used (for example, "Visual Studio 2017"), the action you took (for example, "vs/core/packagecostsummary/solutionload"), and the number of times the action was taken, as shown in this sample:
{Time":"2/23/2018 12:00:00 AM","AppName":"Visual Studio 2017","Action":"vs/core/packagecostsummary/solutionload","Target":"1 times",
"DevicePlatform":"Windows 10 Enterprise","IP":null,"InputMethod":null,
"SearchTerm":null,"SearchResult":null}
{Time":"2/23/2018 12:00:00 AM","AppName":"Visual Studio 2017","Action":"vs/ide/connected/accountmanagement/account","Target":"1 times",
"DevicePlatform": "Windows 10 Enterprise","IP":null,"InputMethod":null,
"SearchTerm":null,"SearchResult":null}
{"Time":"2/27/2018 12:00:00 AM","AppName":"Visual Studio 2017","Action":"vs/core/perf/satellitepagefileusage","Target":"23 times",
"DevicePlatform":"Windows 10 Enterprise","IP":null,"InputMethod":null,
"SearchTerm":null,"SearchResult":null}
For more information, see System-generated logs collected by Visual Studio.
Only personal data that is attached to authenticated identities can be serviced by a DSR. So, for example, because Visual Studio Code does not support sign-in, system-generated logs from it are not attached to an authenticated identity and cannot be serviced. However, some Microsoft extensions for Visual Studio Code may provide authenticated data, and this data can be serviced by a DSR. For more information, see GDPR and Visual Studio Code. In general, we do not store data for Visual Studio 2013 and earlier; however, certain extensions and components may provide data attached to authenticated identities and can be serviced by a DSR as outlined below.
How users can control personal data
Visual Studio 2015 and later, Visual Studio for Mac, and Visual Studio Code provide the following means for your users to stop data collection, and for you as controller to export, or delete data that has already been gathered.
In-app settings
Users can control the privacy settings for these products. For more information, see the following
- How to manage privacy settings in Visual Studio.
- How to manage privacy settings in Visual Studio for Mac.
- How to disable telemetry reporting in Visual Studio Code.
Exporting or deleting data
Controllers can manage customer data and system-generated logs collected from their data subjects by one of two methods, depending upon how their Visual Studio Family product or Microsoft extensions were registered. In some cases, both methods must be used. Both methods allow Controllers to download a copy of their activity history managed by that method. Closure of an AAD or MSA account deletes associated Visual Studio customer data, and anonymizes personally identifiable data in system-generated logs pertaining to these products. Anonymized system-generated logs are retained for no more than 18 months.
- Users that have registered a Visual Studio Family product by using an account that is backed by an Azure tenant, for example, AAD account or MSA account associated with an Azure subscription, can follow the instructions in Azure Data Subject Requests for the GDPR.
- Users that have registered a Visual Studio Family product without an account that is backed by an Azure tenant, for example many accounts using a Microsoft Account (MSA), can use the web-based Microsoft Privacy Response Center available through their Microsoft account to view, control, and delete activity data tied to their Microsoft account across multiple Microsoft services. In this scenario, the user is a controller for their own personal data.
Note
When an MSA account holder deletes their account, all their personally identifiable data pertaining to these products is deleted, whether the account is backed by an Azure tenant or not, and system-generated logs are anonymized.
For Visual Studio 2013, the data we collect is anonymized. For Visual Studio 2012 and prior releases, we immediately delete the data upon receipt. In both cases, there is nothing to view, export, or delete at a later time.
Visual Studio Developer Community
We support General Data Protection Regulation (GDPR) requests through the Developer Community website. You can View, Export, or Delete your feedback data.
Personal data we collect
Microsoft collects data to help us reproduce and troubleshoot issues you report with Visual Studio Family products. This data includes personal data and public feedback. Personal data includes:
- Your Developer Community profile information;
- Preferences and notifications;
- Attachments and system-generated logs you provided by reporting a problem in Visual Studio or through Developer Community;
- Your votes.
Public feedback includes: reported problems, comments, and solutions.
How users can control personal data
View
To View your feedback-related data, follow these steps:
- Sign into Developer Community. From the top-right corner, click on your profile and select Profile and Preferences.
- Click on any of the Profile, Notifications, Activity, and Attachments tabs to view the data submitted to the feedback systems.
- Profile refers to your Developer Community profile, including user name, email address, about, etc.
- **Notifications are how you control the email notifications you receive.
- Activity will give you the feedback items you have been active on (posted, commented, etc.), and the activities performed.
- Attachments is a list of your attachment history in a format like
FileName was attached to the problem "ProblemName" Tue, Apr 10, 18 2:27 PM
.
Export
You can export your feedback data as part of DSR. We will create one or more .zip archives that will include:
- Your Developer Community profile information;
- Preferences and notification settings;
- Attachments you provided by reporting a problem in Visual Studio or through Developer Community.
Note
We will exclude the following public feedback you have provided from your archive: comments, solutions, reported problems.
To start an Export, follow these steps:
- Sign into Developer Community. From the top-right corner, click on your profile and select Profile and Preferences.
- Click the Privacy tab, and then click Create an archive to request exporting your data.
- The Archive Status will update to show that we are preparing the data. The length of time before the data is available depends on the amount of data we need to export.
- Once the data is ready, we will send you an email.
- Click Download Archive in the email, or go back to the Privacy tab to download your data.
Note
- We will not send email if you chose not to receive notifications in the Notifications tab.
- If you request Export again, we will remove your old archive and create a new one.
Delete
Deleting will remove the following information about you from Developer Community:
- Profile information;
- Preferences and notification settings;
- Attachments you provided by reporting a problem in Visual Studio or through Developer Community.
- Your votes
Note
We will not delete, but will anonymize, the following public information: your comments, your solutions, problems that you reported.
Important
Delete of an AAD or MSA account triggers the Delete process for Developer Community.
To initiate a Delete, follow these steps:
- Sign into Developer Community. From the top-right corner, click on your profile and select Profile and Preferences.
- Click the Privacy tab, and then click Delete your data and account to start deleting your data.
- A confirmation screen will appear.
- Type "delete" in the box, and then click Delete my account.
Once you click Delete my account:
- We will sign you out.
- We will delete your Developer Community account, your personal data, and attachments.
- We will anonymize your public feedback. Your public feedback will remain available on Developer Community, and will be indicated as reported by an Anonymous user.
- We won't email you after we delete your account, because you will no longer be present in the system.
- If you report a new problem or log into Developer Community, you will be identified as a new user.
- If you delete your account from Developer Community, we will not delete it from other Microsoft services.
Xamarin Forums
Personal Data We Collect
Through the Xamarin Forums user community, Microsoft collects data you provide to help us reproduce and troubleshoot issues you may have with Microsoft products and services. This data includes personal data and public feedback. The personal data we collect is user account data (for example, user names and email addresses associated with your Xamarin Forums), and the public feedback we collect includes bugs, problems, comments, and solutions you provide via the Xamarin Forums.
How You Can Control Your Data
Xamarin Forums
View
Users with active Xamarin Forums accounts may view their personal data and public feedback (for example, all of their posted threads and posts) from their Xamarin Forums account page. Users may also edit their personal data through their account page.
Export
Xamarin Forums are hosted by a third party, Vanilla Forums. To request export of your public data, users should contact forums@xamarin.com (monitored by the Xamarin team). We will then work directly with Vanilla Forums to process this request.
Delete
Xamarin Forums are hosted by a third party, Vanilla Forums. To request deletion of your personal and public data, users should contact forums@xamarin.com (monitored by the Xamarin team). We will then manually service the user's personal data deletion request.
Note
Bugzilla for Xamarin no longer accepts new issues. Former Xamarin Bugzilla accounts holders can view an archive of all bugs they've reported and all comments they've added to bugs at https://xamarin.github.io/bugzilla-archives/. To request deletion of personal data contained in the archive, users can file and issue at https://github.com/xamarin/bugzilla-archives/issues/new/choose. Public feedback (for example, bugs, problems, comments, and solutions) that users have posted to the Xamarin Bugzilla will not be deleted after receipt of a delete request. Public feedback will instead be anonymized by removing the name and email address associated with any public feedback created by the user submitting the delete request.
NuGet
For more information on DSR for NuGet.org, see NuGet User Data Requests.
ASP.NET
For information on DSR for the ASP.NET website, see The ASP.NET Website and GDPR Data Subject Request processing.
IIS.NET
For information on DSR for the IIS.NET website, see The IIS.NET Website and GDPR Data Subject Request processing.
Other Visual Studio Family Services
Survey Monkey
From time to time, we invite customers to provide feedback on these products via Survey Monkey. This data is deleted from Survey Monkey within 28 days. Microsoft may retain this data internally for up to 18 months. If survey responses are authenticated, then we include them in export and delete data subject requests when servicing data subject requests for these products.