Data privacy regulations

Worldwide, many laws and regulations address data protection and privacy. Two of the most widely applied are the General Data Protection Regulation 2016/679 (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).

  • The GDPR is a regulation that governs data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
  • The CCPA is a California state privacy law and the first comprehensive privacy law in the United States.

This unit describes GDPR concepts and terminology, and how Microsoft supports and commits to data privacy regulations. The next unit provides more information about the CCPA and compares the two regulations.

Overview

The GDPR governs the use and treatment of personal data by organizations that offer goods and services to EU residents or monitor their behavior. This regulation also gives individuals certain rights to manage their personal data that an organization collects. The regulation applies regardless of where the organizations are located.

Note

The GDPR applies more broadly than might be apparent at first glance. Unlike privacy laws in some other jurisdictions, this regulation applies to organizations of all sizes and all industries, even if they don't have a physical presence in the EU. Work closely with your legal team to understand whether and how this regulation applies to your organization.

One goal of this regulation is to strengthen personal data protections for EU residents by focusing on the privacy and usage of an individual's personal data. The regulation updates and expands the 1995 Data Protection Directive by preserving many principles the Directive established, while giving individuals greater control over their personal data. The regulation imposes many new obligations on organizations that collect, handle, or analyze personal data.

In the context of the GDPR, personal data has a lifecycle that starts with collection, continues through storage, processing, and use, and ends with deletion from the system. The regulation sets out requirements for how personal data is handled at each stage of that lifecycle. Supervisory authorities also have powers to impose significant fines on organizations that breach the regulation: for the most serious infringements, up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher. The GDPR became enforceable on 25 May 2018.

Concepts and terminology

The following concepts and terms are important for understanding this regulation.

  • Personal data is any information that relates to an identified or identifiable natural person, that is, any data that's linked or can be linked to an individual. Common examples include name, address, date of birth, and IP address. Pseudonymized data (for example, a record keyed by a hashed or tokenized identifier) is still personal data, however obscure or technical the identifier is, as long as it can be attributed to an individual by using additional information.

  • Sensitive personal data (the GDPR calls these "special categories of personal data") is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes genetic data, biometric data processed to uniquely identify a natural person, health data, and data about a natural person's sex life or sexual orientation. Processing this data is prohibited unless one of a narrow set of conditions applies, so the obligations are stricter than for other personal data.

  • A controller is a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data. Where Union or Member State law determines the purposes and means of the processing, that law can also designate the controller or set the criteria for nominating it.

  • A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of a controller.

  • Legal basis for processing. An organization must be able to point to one of six legal bases for each processing activity:

    • The individual has consented to the processing of their data.
    • The processing is necessary to fulfill a contract with the individual, or to take steps at their request before entering into one.
    • The processing is necessary to comply with a legal obligation the organization is subject to.
    • The processing is necessary to protect someone's vital interests.
    • The processing is necessary for a task carried out in the public interest or in the exercise of official authority.
    • The processing is in the organization's legitimate interest, as long as the individual's interests and rights don't override that interest.

  • Data subject rights give individuals certain rights with respect to an organization's or controller's use of their personal data. Under certain circumstances, individuals can file the following data subject requests (DSRs) for personal data that an organization stores, processes, or transmits.

    • Access data. Individuals have a right to know whether an organization is processing their data and if so, to have access to that data.
    • Ask for data rectification. Individuals can ask a company to correct inaccurate data about the individual.
    • Ask for data deletion. This right, which is also called the right to erasure, allows an individual to request deletion of their personal data that a company has collected.
    • Request restricted processing. An individual can ask a company to suppress or restrict the processing of their data.
    • Request data portability. An individual can ask for their data to be transferred to another company or processing system.
    • Object. An individual can object to their data being used for various uses, including direct marketing.
    • Ask not to be subject to automated decision making, including profiling. There are strict rules about using data to profile people and basing decisions solely on automated processing.

Microsoft support

Microsoft believes that privacy is a fundamental right, and supports regulations that help protect and enable individuals' privacy rights. Microsoft is committed to regulatory compliance, and provides many products, features, and resources to help its customers meet their compliance obligations.

When customers, such as organizations and developers, use Microsoft's online services, the customer is the controller and Microsoft acts as a processor that processes personal data only on the controller's behalf and on its instructions. Article 28 requires controllers to use only processors that provide sufficient guarantees that they meet the regulation's requirements.

Designated EU DPO

Microsoft has a designated EU data protection officer (DPO) who's an independent advisor for its engineering and business groups. The DPO helps ensure that all proposed processing of personal data meets EU legal requirements and Microsoft corporate standards. The design of the DPO role meets the criteria that Articles 37-39 of the GDPR mandate.

The EU DPO reports directly to the Microsoft Chief Privacy Officer, who's a senior executive within the Microsoft Corporate and Legal Affairs division. The DPO role has autonomy to perform functions in an independent, unbiased manner. Through the Chief Privacy Officer's organization, the DPO has access to training and customer-response resources they need to do their duties.

Commitments and terms

Microsoft terms reflect the following commitments that Article 28 requires for processors. Microsoft proactively provides these commitments to all online service customers as part of their subscription agreements, and to volume-licensing customers as part of their enterprise agreements.

  • Only use subprocessors with the consent of the controller, and remain liable for subprocessors.
  • Process personal data, including transfers, only on instructions from the controller.
  • Ensure that people who process personal data are committed to confidentiality.
  • Implement appropriate technical and organizational measures that help ensure a level of personal data security appropriate to the risk.
  • Help the controller meet its obligations to respond to data subjects' requests to exercise their personal data rights.
  • Meet regulatory breach notification and assistance requirements.
  • Assist the controller with data-protection impact assessments and consultation with supervisory authorities.
  • Delete or return personal data at the end of provision of services.
  • Support the controller with evidence of compliance.