Azure DevOps Services Data Subject Requests for the GDPR and CCPA
The European Union General Data Protection Regulation (GDPR) gives rights to people, known in the regulation as data subjects, to manage the personal data that's collected by a data controller. A data controller, or just controller, is an employer or other type of agency or organization. Personal data is defined broadly under the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data subjects specific rights to their personal data. These rights include obtaining copies of personal data, requesting corrections to it, restricting the processing of it, deleting it, or receiving it in an electronic format so it can be moved to another controller. A formal request by a data subject to a controller to take an action on their personal data is called a Data Subject Request, or DSR.
Similarly, the California Consumer Privacy Act (CCPA), provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access and receive (portability) their personal information. The CCPA also provides for certain disclosures, protections against discrimination when electing exercise rights, and "opt-out/ opt-in" requirements for certain data transfers classified as "sales". Sales are broadly defined to include the sharing of data for a valuable consideration. For more information about the CCPA, see the California Consumer Privacy Act and the California Consumer Privacy Act FAQ.
For general information about GDPR, see the GDPR section of the Service Trust portal.
This guide discusses how to use Microsoft tools to export or delete personal data collected during an authenticated (signed-in) session of Azure DevOps Services (formerly known as Visual Studio Team Services).
Additional privacy information
Personal data we collect
Microsoft collects data from users to operate and improve Azure DevOps Services. Azure DevOps Services collects two categories of data — customer data and system-generated logs. Customer data includes user-identifiable transactional and interactional data that Azure DevOps Services needs to operate the service. System-generated logs include service usage data that is aggregated for each product area and feature.
Delete Azure DevOps data
Azure DevOps, as a system for managing changes, must comply with strict rules for data integrity, traceability, and auditing. These obligations influence our responsibilities for data deletion and retention under GDPR, and for this reason, we do not fulfill individual requests for anonymizaton or deletion. The only method to eliminate personal data from Azure DevOps is by completely deleting the organization. Terminating the Microsoft Entra ID or Microsoft Account (MSA) identity account does not alter or delete any artifacts or records associated with the individual identity within the Azure DevOps organization, for example, your pull requests or work items. We've ensured that when you delete an Azure DevOps organization, all associated personal data gets removed and system-generated logs get anonymized after the compulsory 30-day soft-delete timeframe.
Export Azure DevOps data
Controllers can export customer data and system-generated logs collected from their data subjects by one of two methods, depending upon the identity provider (MSA or Microsoft Entra ID) used to sign in to the Azure DevOps service.
Users that authenticate using an account that is backed by an Azure tenant, for example, Microsoft Entra account or MSA account associated with an Azure subscription, can follow the instructions in Azure Data Subject Requests for the GDPR.
Users that authenticate using an MSA identity can use this Privacy Request site to view activity data tied to their MSA identity across multiple Microsoft services. In this scenario, the user is a controller for their own personal data.
Export or delete issues
For Microsoft Entra identities, if you run into issues while exporting or deleting data from the Azure portal, go to the Azure portal Help + Support blade and submit a new ticket under Subscription Management > Privacy and compliance requests for Subscriptions > Privacy Blade and GDPR Requests.
For MSA identities, if you run into issues while exporting data from the Privacy Request site, log on to the Privacy Request site and submit a request for help from the Microsoft Privacy team via the request webform.
Microsoft is committed to ensuring that your Azure DevOps Services data remains secure and private, without exception. Visit the Azure DevOps Services data protection overview whitepaper to learn more about how we protect your Azure DevOps Services data.