O365 backups and right to be forgotten

Question

Hello, We are a small company but our clients are big companies and their security requirements are very demanding. I would like to ask the following question:

We have a client that in order to sign the contract with us they need the procedures of deleting their data not only from live environments but from backups as well. We use Micsoroft O365, Azure and Dynamics. I am not sure how easy would be to granularly search those backups for the specific clients data when the time comes to ask to be forgotten.

Does O365 automatically backs up data every 12 hours and keeps it for 14 days ? If that's the case then by manually erasing all live data, everything would be erased from rolling backups after 14 days?

So would the following statements be true in the case we can't search and erase client's data?

"While an erasure request can be instantly fulfilled in live systems, the data will remain within the cloud backup environment for a certain period until it is overwritten."

"Backup data will be put ‘beyond use’. This means that we guarantee we will not use the data within the backup for any other purpose. The data is merely held on the systems until it is replaced in line with an established scheduled backup and it will the information will be permanent deleted when it becomes possible."

Retention periods:

I am not sure about the default retention periods of data. We don't use any custom retention periods and I kneed to check if the following defaults are valid.

• Email: After 30 days (or 5 years?) after emails are deleted form recycle bin they are permanently deleted. Data are transferred to archive after two years.
• Sharepoint: Deleted items are permanently deleted after 5 years
• Teams: When a message is deleted it remains for 22 days
• Azure: 31 days of retention

Kind regards

Answer 1

Hi @Efstratios Stratis ，

Welcome to the Microsoft Q&A platform!

I noticed that your question includes several different Microsoft products, and here are my thoughts on the Exchange online tag used in your issue:

By default, when a mail item is deleted, it is moved to a folder (Recoverable Items > Deleted) and retained for 14 days. You can change the retention period for items up to 30 days.

To retain deleted items for more than 30 days, place the mailbox on In-Place Hold or Litigation Hold. This is because when a mailbox is placed on hold, deleted items are retained and the deleted item retention settings are ignored.

More information can be found at this link：Change how long permanently deleted items are kept for an Exchange Online mailbox in Exchange Online | Microsoft Learn

 

By default, the default MRM policy in Exchange online is automatically applied to new users in Exchange Online.

If the mailbox has archiving enabled, items that are two or two years old are moved from the user's primary mailbox to their archive mailbox according to the default MRM policy.

More information can be found at this link：Default Retention Policy in Exchange Online | Microsoft Learn

Thanks for your understanding and hope your issue would be resolved soon.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread