Learn roles and responsibilities


Microsoft online services are based on a shared responsibility model, in which part of the responsibility for security and privacy lies with the cloud services provider and part belongs to the customer. The division of responsibilities between Microsoft and its customers depends on the service model in use (infrastructure, platform, or software as a service), how the service is configured and used by each customer, and applicable privacy laws and regulations.

For instance, the following roles and responsibilities illustrate GDPR provisions:

Data controller – The controller controls personal data and determines how it's used. The responsibilities of the controller include but are not limited to collecting, maintaining, directing actions, protecting, modifying, and deleting personal data. The controller either adds users to the system, grants access to the system, and collects data from data subjects, or has employees who complete these tasks on the company's behalf. The burden of understanding the process for GDPR requests and carrying out a GDPR request rests with the controller.

This role is covered by Microsoft's customer.

Data processor – The processor provides services to, and processes data on behalf of, the data controller. The processor performs actions on behalf of the controller. The processor helps make it possible for the controller to be GDPR-compliant, but has no ownership of the data and does not respond directly to Data Subject Requests or perform Data Protection Impact Assessments.

This role is covered by Microsoft. As data processor, Microsoft implements security and privacy controls to protect our services and assists data controllers to meet their compliance obligations. For example, Microsoft provides administrator toggle capabilities to control privacy features in their tenancies. Additionally, we work directly with the customer tenant administrators and redirect end users' questions about the service or data subject requests for personal data.

One important aspect to review is what we mean when we say we enable compliance. Our customers often ask, "What does that mean? Do you comply with these laws and regulations or not?" For most industry- or geography-specific regulations, it is possible to use Microsoft online services in a way that complies with a law or regulation. However, it is not possible for Microsoft online services to ensure end-to-end compliance, because Microsoft does not analyze the contents of its customers' personal data.

For instance, organizations covered by HIPAA or other regulations should have their own training program and security measures in place to ensure their personnel do not use Microsoft services to violate these regulations. The most Microsoft can promise is that we will do our part, and thereby enable a customer to run a legally compliant program.

To provide an example, a US doctor may store patients' protected health information, regulated by HIPAA, on our service. Microsoft has security and privacy controls in place to make sure personnel cannot inappropriately access or disclose this patient information. However, a doctor who is a user of the services may use it to send patients' confidential information to a marketer. Microsoft would unknowingly deliver that message, causing the customer to violate HIPAA. Microsoft would consider itself to be following the direction of a representative of the customer.

Microsoft stands behind its commitment to running and operating its services with state-of-the-art technology, security, and privacy practices in place; each customer and user of our services has the responsibility to determine how they comply with specific needs and obligations.