Spanish Royal Decree 1720/2007, Spanish Organic Law 15/1999 (LOPD)

Spanish Royal Decree 1720/2007, Spanish Organic Law 15/1999 overview

The AEPD is the public authority that oversees compliance with Spanish Organic Law 15/1999 for the Protection of Personal Data (Ley Orgánica 15/1999 de Protección de Datos, or LOPD), including the transfer of data across international boundaries. In 2014, the AEPD reviewed Microsoft's terms and conditions applicable to the EU Model Clauses-covered Microsoft Azure, Dynamics 365, and Office 365, and issued a resolution determining that those terms provided adequate safeguards for customers to move their personal data to those services.

Title VIII of Royal Decree 1720/2007 establishes stringent requirements for processing personal data, including a specific listing of basic, intermediate-level, and high-level security measures that must be implemented. Microsoft retained an independent third-party auditing firm in Spain, BDO Auditores, to assess Microsoft Azure and Office 365 for compliance with the high-level requirements and Microsoft Dynamics 365 for compliance with the intermediate-level requirements established in Royal Decree 1720/2007. Based on interviews, visits to facilities, and a review of the environmental and physical security measures and controls, the auditor determined that Microsoft Azure and Office 365 information systems, facilities, and data processing met the high-level standard with no points requiring correction.

Microsoft and Spanish Royal Decree 1720/2007, Spanish Organic Law 15/1999

Microsoft was the first hyper-scale cloud service provider to receive, for the benefit of its customers, an authorization from the Spanish Data Protection Agency (Agencia Española de Protección de Datos, or AEPD) for its compliance with the high standards governing international data transfer under Spanish Organic Law 15/1999 (Ley Orgánica 15/1999 de Protección de Datos, or LOPD). Microsoft is also the first hyper-scale cloud service provider to obtain a third-party audit certification for its online services' compliance with the security measures set forth in Title VIII of Royal Decree 1720/2007. This authorization lets customers make transfers of personal data to Microsoft Azure, Dynamics 365, and Office 365 services covered by the European Union Model Clauses.

Microsoft in-scope cloud platforms & services

Office 365 and LOPD

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
Commercial Azure Active Directory, Azure Information Protection, Bookings, Compliance Manager, Delve, Exchange Online, Exchange Online Protection, Forms, Kaizala, Microsoft Analytics, Microsoft Booking, Microsoft Defender for Office 365, Microsoft Graph, Microsoft Teams, Microsoft To-Do for Web, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Cloud App Security, Office 365 Groups, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, StaffHub, Stream, Sway, Yammer Enterprise

Audits, reports, and certificates

Microsoft Azure

Microsoft Office 365

Microsoft Dynamics 365

Frequently asked questions

How does meeting the high-level standard benefit Microsoft customers?

The high-level standard applies to the processing of sensitive data such as health information. Customers who use Microsoft Azure and Office 365 can rest assured that their sensitive data is being processed in accordance with Royal Decree 1720/2007.

Can I use Microsoft's compliance in my organization's certification process?

Yes. If your organization requires or is seeking an accreditation in line with the LOPD or Royal Decree 1720/2007, you can use AEPD's authorization and the security measures certification in your compliance assessment. However, you are responsible for engaging an assessor to evaluate your implementation as deployed on Microsoft Azure, Dynamics 365, or Office 365, and for the controls and processes within your own organization.