Dear Sir or Madam,
Our company advises clients from the public and non-public sectors worldwide in the areas of data protection and IT security, for example service companies, hospitals, charities and associations, as well as public administration.
The Conference of the Independent Data Protection Authorities of the Federal Republic and the States (DSK) stated in its determination of November 25, 2022 on the DSK Working Group "Microsoft Online Services" that data controllers cannot provide proof that they operate Microsoft 365 in compliance with data protection law on the basis of the "Data Protection Addendum of September 15, 2022" provided by Microsoft. In particular, this data protection addendum, which Microsoft offers to its customers as a standard order processing agreement as part of the commissioning of products and services of the "Microsoft 365" product family, does not meet the requirements of Article 28 (3) of the General Data Protection Regulation (GDPR) (see summary of the report of the Working Party on Data Protection and Privacy "Microsoft Online Services" and final report of the Working Party on Data Protection and Privacy "Microsoft Online Services").
The State Commissioner for Data Protection of Lower Saxony (LfD), together with six other data protection supervisory authorities, recently developed a handout on how to deal with Microsoft's standard order processing agreement for the use of "Microsoft 365". For the sake of completeness, we have attached this handout to this e-mail, but your company is probably already familiar with it. In particular, the supervisory authorities recommend that data protection officers conclude a supplementary agreement to the DPA.
Our clients would like to continue using the products of the Microsoft 365 family as usual. Nevertheless, it is our task as data protection consultants and external data protection officers to work towards the implementation of recommendations made by the supervisory authorities.
On behalf of our clients, we would therefore like to kindly ask you to let us know whether you could provide us with a corresponding supplementary agreement to the DPA that addresses the content recommended by the supervisory authorities, or whether such an agreement is prospectively being developed on your side.
If this is not the case, we would draft a supplementary agreement based on the attached handout and recommend that our clients conclude it with your company.
Best regards,
Alexander Bugl
Data Protection Officer (FH)
Data Protection Auditor TÜV Cert
Lead Auditor ISO 27001 TÜV Cert
pers Cert ISO/IEC 17024
Information Security Officer acc. to ISO 27001/2014
Member of GDD/BvD e.V.
Bugl & Kollegen Gesellschaft für Datenschutz und Informationssicherheit mbH
Eifelstraße 55
93057 Regensburg
Tel.: +49 941 630 49 789
Mobile: +49 176 103 126 88
E-Mail: ******@buglundkollegen.de
Web: www.buglundkollegen.de
Register court: Regensburg, HRB 14353
VAT ID No.: DE296995560
Managing directors: Alexander Bugl, Martina Bugl
_Our information on the processing of your personal data can be found at www.buglundkollegen.de/datenschutzhinweis/_