Explore GDPR

Completed

The European parliament published the European Union (EU) General Data Protection Regulation (also known as GDPR) in April 2016. This regulation was designed to harmonize data privacy laws across Europe. It applies to both data controllers (mostly consumer services) and data processors (enterprise services) that process personal data of a person who resides in the EU.

For Microsoft online services, we are the data processor:

  • Microsoft presents the data controller's privacy statement to their data subjects.
  • Microsoft designs changes to existing service features and new features in alignment with data subject rights.
  • Microsoft provides notice if there is a data breach when the breach is likely to "result in a risk for the rights or freedom of individuals." We commit to notify appropriate parties within 72 hours when a data breach has been declared.

In alignment to GDPR provisions for the implementation of appropriate and effective technical and organizational measures, Microsoft aligns to ISO 27001 and ISO 27018 control requirements and is expending alignment to ISO 27701 across our services.

Data subject requests (DSRs)

The GDPR grants individuals (or data subjects) certain rights in connection with the processing of their personal data, including the right to correct inaccurate data, erase data or restrict its processing, receive their data and fulfill a request to transmit their data to another controller. The controller is responsible for providing a timely, GDPR consistent reply. Microsoft (data processor) assists its customers (controllers) by providing features that facilitate and enable their compliance and response to DSRs.

Microsoft provides customers with administrative tools to help find personal data and take action in response to DSRs:

  • Discover: Use search and discovery tools to find customer data that may be the subject of a DSR.
  • Access: Retrieve personal data that resides in the Microsoft service and, if requested, make a copy of it that can be made available to the data subject.
  • Rectify: Make changes or implement other requested actions on the personal data, where applicable.
  • Restrict: Restrict the processing of personal data, either by removing licenses for various Microsoft services or turning off the desired services where possible. Customers can also remove data from the Microsoft cloud and retain it on-premises or at another location.
  • Delete: Permanently remove personal data that resided in the Microsoft service.
  • Export/Receive (Portability): Provide an electronic copy (in a machine-readable format) of personal data or personal information to the data subject.

Data Protection Impact Assessment

The GDPR requires controllers to prepare a Data Protection Impact Assessment (DPIA) for operations that are "likely to result in a high risk to the rights and freedoms of natural persons." There is nothing inherent in Microsoft products and services that requires the creation of a DPIA. However, because Microsoft products and services are highly customizable, a DPIA may be necessary depending on the details of a customer's situation. Microsoft has no control over, and little or no insight into, such information. The data controller must determine appropriate uses of their data. Microsoft does, however, recognize the sizable effort required to perform a DPIA and so has provided some resources to help customers in meeting their obligations in the DPIA for the GDPR, should they need to do so.

Learn more