Windows 365 Data Subject Requests for the GDPR and CCPA
The European Union General Data Protection Regulation (GDPR) gives rights to people (known in the regulation as data subjects) to manage the personal data that has been collected by an employer or other type of agency or organization (known as the data controller or just controller). Personal data is defined broadly under the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data subjects specific rights to their personal data; these rights include obtaining copies of personal data, requesting corrections to it, restricting the processing of it, deleting it, or receiving it in an electronic format so it can be moved to another controller. A formal request by a data subject to a controller to take an action on their personal data is called a Data Subject Request or DSR.
Similarly, the California Consumer Privacy Act (CCPA), provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information. The CCPA also provides for certain disclosures, protections against discrimination when electing exercise rights, and "opt-out/ opt-in" requirements for certain data transfers classified as "sales". Sales are broadly defined to include the sharing of data for a valuable consideration. For more information about the CCPA, see the California Consumer Privacy Act and the California Consumer Privacy Act FAQ.
The guide discusses how to use Microsoft products, services, and administrative tools to help our controller customers find and act on personal data to respond to DSRs. Specifically, this guidance includes how to find, access, and act on personal data or personal information that reside in the Microsoft cloud. Here's a quick overview of the processes outlined in this guide:
- Discover: Use search and discovery tools to more easily find customer data that may be the subject of a DSR. Once potentially responsive documents are collected, you can perform one or more of the DSR actions described in the following steps to respond to the request. Alternatively, you may determine that the request doesn't meet your organization's guidelines for responding to DSRs.
- Access: Retrieve personal data that resides in the Microsoft cloud and, if requested, make a copy of it that can be available to the data subject.
- Rectify: Make changes or implement other requested actions on the personal data, where applicable.
- Restrict: Restrict the processing of personal data, either by removing licenses for various Azure services or turning off the desired services where possible. You can also remove data from the Microsoft cloud and retain it on-premises or at another location.
- Delete: Permanently remove personal data that resided in the Microsoft cloud.
- Export/Receive (Portability): Provide an electronic copy (in a machine-readable format) of personal data or personal information to the data subject. Personal information under the CCPA is any information relating to an identified or identifiable person. There is no distinction between a person's private, public, or work roles. The defined term "personal information" roughly aligns with "personal data" under GDPR. However, the CCPA also includes family and household data. For more information about the CCPA, see the California Consumer Privacy Act and the California Consumer Privacy Act FAQ.
Each section in this guide outlines the technical procedures that a data controller organization can take to respond to a DSR for personal data in the Microsoft cloud.
Terminology
The following list provides definitions of terms that are relevant to this guide.
- Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination may be provided for by Union or Member State law.
- Personal data and data subject: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Processor: A natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the controller.
- Customer Data: All data, including all text, sound, video, or image files, and software, that are provided to Microsoft by, or on behalf of, a customer through use of the enterprise service. Customer Data includes both (1) identifiable information of end users (for example, user names and contact information in Microsoft Entra ID) and Customer Content that a customer uploads into or creates in specific services (for example, customer content in an Azure Storage account, customer content of an Azure SQL Database, or a customer's virtual machine image in Azure Virtual Machines).
- System-Generated Logs: Logs and related data generated by Microsoft that help Microsoft provide enterprise services to users. System-generated logs contain primarily pseudonymized data, such as unique identifiers—typically a number generated by the system that cannot on its own identify an individual person but is used to deliver the enterprise services to users. System-generated logs may also contain identifiable information about end users, such as a user name.
How to use this guide
This guide consists of two parts:
- Part 1: Responding to Data Subject Requests for Customer Data: Part 1 of this guide discusses how to access, rectify, restrict, delete, and export data from applications in which you have authored data. This section details how to execute DSRs against both Customer Content and also identifiable information of end users.
- Part 2: Responding to Data Subject Requests for System-Generated Logs: When you use Microsoft's enterprise services, Microsoft generates some information, known as System-Generated Logs, in order to provide the service. Part 2 of this guide discusses how to access, delete, and export such information for Azure.
Understanding DSRs for Microsoft Entra ID and Microsoft Windows 365
When considering services provided to enterprise customers, execution of DSRs must always be understood within the context of a specific Microsoft Entra tenant. Notably, DSRs are always executed within a given Microsoft Entra tenant. If a user is participating in multiple tenants, it is important to emphasize that a given DSR is only executed within the context of the specific tenant the request was received within. This context is critical to understand as it means the execution of a DSR by one enterprise customer will not impact the data of an adjacent enterprise customer.
The same also applies for Microsoft Windows 365 provided to an enterprise customer: execution of a DSR against a Windows 365 account associated with a Microsoft Entra tenant will only pertain to data within the tenant. In addition, it is important to understand the following when handling Windows 365 accounts within a tenant:
- If a Windows 365 user creates an Azure subscription, the subscription will be handled as if it were a Microsoft Entra tenant. Consequently, DSRs are scoped within the tenant as described previously.
- If an Azure subscription created via a Windows 365 account is deleted, it will not affect the actual Windows 365 account. Again, as noted previously, DSRs executing within the Azure subscription are limited to the scope of the tenant itself.
Part 1: DSR Guide for Customer Data
Executing DSRs against Customer Data
Microsoft provides the ability to access, delete, and export certain Customer Data through the Azure portal and also directly via pre-existing application programming interfaces (APIs) or user interfaces (UIs) for specific services (also referred to as in-product experiences). Details regarding such in-product experiences are described in the respective services' reference documentation.
Important
Services supporting in-product DSRs require direct usage of the service's application programming interface (API) or user interface (UI), describing applicable CRUD (create, read, update, delete) operations. Windows 365 cannot fully support direct usage of application programming interfaces (APIs) for DSRs, so requests must be submitted by opening a support case (see instructions below). Consequently, execution of DSRs within a given service must be done in addition to execution of a DSR within the Azure Portal in order to complete a full request for a given data subject. Please refer to specific services' reference documentation for further details.
Step 1: Discover
The first step in responding to a DSR is to find the personal data that is the subject of the request. This first step - finding and reviewing the personal data at issue - will help you determine whether a DSR meets your organization's requirements for honoring or declining a DSR. For example, after finding and reviewing the personal data at issue, you may determine the request doesn't meet your organization's requirements because doing so may adversely affect the rights and freedoms of others.
For Data Subject Requests specific to Windows 365 user data, tenant administrators will need to open a Microsoft support request to gain assistance with finding the personal data that is the subject of the DSR. We recommend you follow the instructions related to your Windows 365 subscription level.
Windows 365 Business
Access to help and support is provided through the Microsoft Admin Center. To open a support request for a DSR:
- Click on the Help icon in the Microsoft Admin Center banner or select Help & support on the bottom right side of the Microsoft Admin Center page.
- In the search field, type "Data Subject Request" or "DSR" and then click the Contact Support button.
- Complete the required information in the online service request and then select Contact me.
For instructions on how to get help and open a support ticket, see Get support for Microsoft 365 for business. Support is included as part of your Windows 365 subscription.
Windows 365 Enterprise
Access to help and support is provided through Microsoft Endpoint Manager. To open a support request for a DSR:
- Go to Troubleshooting + support on another node in the admin center and select Help and support to open a full screen experience of Help and support.
- Select Windows 365.
- In the search field, type "Data Subject Request" or "DSR" and then click the Contact Support button.
- Complete the required information in the online service request and then click Contact me.
For instructions on how to get help and open a support ticket, see How to get support in Microsoft Endpoint Manager. Support is included as part of your Windows 365 subscription.
Step 2: Access
After you've found Customer Data containing personal data that is potentially responsive to a DSR, it is up to you and your organization to decide which data to provide to the data subject. You can provide them with a copy of the actual document, an appropriately redacted version, or a screenshot of the portions you have deemed appropriate to share. For each of these responses to an access request, you will have to retrieve a copy of the document or other item that contains the responsive data.
When providing a copy to the data subject, you may have to remove or redact personal information about other data subjects and any confidential information.
Step 3: Rectify
If a data subject has asked you to rectify the personal data that resides in your organization's data, you and your organization will have to determine whether it's appropriate to honor the request. Rectifying the data may include taking actions such as editing, redacting, or removing personal data from a document or other type or item.
As a data processor, Microsoft does not offer the ability to correct system-generated logs as it reflects factual activities and constitutes a historical record of events within Microsoft services. With respect to Windows 365, admins can't update device or app-specific information. If an end user wants to correct any personal data (like the device name), they must do so directly on their device. Such changes are synchronized the next time they connect to Windows 365.
Step 4: Restrict
Data subjects may request that you restrict processing of their personal data. We provide both the Azure portal and pre-existing application programming interfaces (APIs) or user interfaces (UIs). These experiences provide the enterprise customer's tenant administrator the capability to manage such DSRs through a combination of data export and data deletion.
Step 5: Delete
The "right to erasure" by the removal of personal data from an organization's Customer Data is a key protection in the GDPR. Removing personal data includes removing all personal data and system-generated logs, except audit log information. Windows 365 defaults to Microsoft Endpoint Manager's standard practice to audit, export or delete personal data.
Part 2: System-Generated Logs
Audit logs provide tenant admins with a record of activities that generate a change in Microsoft Windows 365. Audit logs are available for many manage activities and typically create, update (edit), delete, and assign actions. Remote tasks that generate audit events can also be reviewed. These audit logs may contain personal data. Admins can't delete audit logs. For details, see Audit personal data.
If you require assistance with running an audit log, please follow the instructions outlined in Part 1 above.