What is the EU Data Boundary?
Overview of the EU Data Boundary
The EU Data Boundary is a geographically defined boundary within which Microsoft has committed to store and process Customer Data and personal data for our Microsoft enterprise online services, including Azure, Dynamics 365, Power Platform, and Microsoft 365, subject to limited circumstances where Customer Data and personal data will continue to be transferred outside the EU Data Boundary. This documentation provides details about those transfers. The online services included in the EU Data Boundary commitment (referred to in this documentation as EU Data Boundary Services) are identified in the Microsoft Product Terms as part of the services agreements.
Important
This EU Data Boundary documentation reflects the current state of the EU Data Boundary as of the date of publication. As noted in many cases in this documentation, we are continuing to deploy more services, service capabilities, and professional services data within the EU Data Boundary and will update this documentation accordingly and note the last updated date. Last updated: January 2, 2024.
Customer Data
As defined in the Microsoft Product Terms, Customer Data means all data, including all text, sound, video, or image files, and software, that are provided to Microsoft by, or on behalf of, Customer through use of the Online Service. Customer Data doesn't include Professional Services Data. For clarity, Customer Data also doesn't include information used to configure resources in the Online Services, such as technical settings and resource names.
Personal data in system-generated logs
Microsoft online services create system-generated logs as part of the regular operation of the services. These logs continuously record system activity over time to allow Microsoft to monitor whether systems are operating as expected. “Logging” (the storage and processing of logs) is essential to identify, detect, respond to, and prevent operational problems, policy violations, and fraudulent activity; optimize system, network, and application performance; assist in security investigations and resilience activities; and to comply with laws and regulations. While the focus of these logs is on how systems are operating and not on individual uses, when events in Microsoft cloud services are initiated by user interaction with a cloud service, some logs directly reflecting these events will – and must in order to fulfill their purposes – contain fields that either identify or can identify specific persons. These logs contain personal data. Examples of system-generated logs that may contain personal data include:
- Product and service usage data such as user activity logs
- Data specifically generated by the interaction of users with other systems
Pseudonymization in system-generated logs
Pseudonymization, as defined in GDPR, Article 4(5), is the processing of personal data so that it can no longer be attributed to a specific data subject without using additional information. In other words, it takes personally identifiable information within a data record and replaces it with one or more artificial identifiers, or pseudonyms, thus protecting the data subject's identity.
Microsoft requires all personal data in system-generated logs to be pseudonymized. Microsoft uses various techniques to pseudonymize personal data in system-generated logs, including encryption, masking, tokenization, and data blurring. Regardless of the specific method of pseudonymization, this protects user privacy by enabling authorized Microsoft personnel to do their work using logs containing only pseudonymized personal data. This enables our personnel to ensure the quality, security, and reliability of our online services without identifying or reidentifying users. For example, this enables DevOps personnel to identify the extent of a service issue across regions, including number of affected users in any given region, without these personnel being able to identify or reidentify specific individuals. For more information on the Microsoft DevOps model, see Remote access to data stored and processed in the EU Data Boundary. In the event of any unauthorized access to system-generated logs, pseudonymization helps protect user privacy. Controls on data that could enable reidentification of individuals from pseudonymized logs are the same as controls applied to Customer Data.
In contrast, other methods of protecting user privacy that eliminate personal data, such as anonymization, would permanently alter the data such that it couldn't be used to identify unique numbers of events or occurrences, and would eliminate the ability to reidentify individuals. Since system-generated logs contain information about factual actions such as the type, content or time of transactions conducted within the Microsoft cloud, anonymization would compromise the historical record of actions, compromising Microsoft’s ability to ensure quality, reliability, and security of our services.
Microsoft takes several steps to limit access to and usage of system-generated logs. Security controls include:
- Data minimization via implementation of retention policies set at the minimum retention time required for each type of log.
- Regular checks and scrubbing of system-generated logs to detect errors or policy non-conformance.
- Limited usage of system-generated logs solely for purposes related to service operations.
- Policies requiring access controls that limit the rehydration or reidentification of personal data such that it's returned to its original form.
EU Data Boundary countries and datacenter locations
The EU Data Boundary consists of the countries in the European Union (EU) and the European Free Trade Association (EFTA). The EU countries are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden; and the EFTA countries are Liechtenstein, Iceland, Norway, and Switzerland.
The EU Data Boundary uses or may use Microsoft datacenters announced or currently operating in Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Netherlands, Norway, Poland, Spain, Sweden, and Switzerland. In the future, Microsoft may establish datacenters in additional countries located in the EU or EFTA to provide EU Data Boundary Services.
How to configure services for use in the EU Data Boundary
For EU Data Boundary Services, Customer Data and pseudonymized personal data are stored and processed in datacenters located in countries in the EU or EFTA. In some cases, customers can select the EU deployment region directly; in others, the location is automatically assigned based on customer location, billing address, or a customer decision to have their environment reside in the EU Data Boundary.
- For Azure, regional services that a customer deploys in an EU Data Boundary region will be in-scope for the EU Data Boundary. For more information, including details on which Azure regions are in the EU and EFTA, see Data Residency in Azure. For Azure non-regional services, see Configuring Azure non-regional services for the EU Data Boundary for details on how to configure each of these services to be in-scope for the EU Data Boundary.
- For Dynamics 365 and Power Platform, the geographic area (Geo) in which a customer's services tenancy is hosted is determined by billing address. Customers can configure their services to be in-scope for the EU Data Boundary by provisioning their tenant and all Dynamics 365 and Power Platform environments in a Geo located in the EU Data Boundary. For more information, see the availability deck and Create and manage environments in the Power Platform admin center.
- For Microsoft 365, customers with a sign-up location in a country or region in the EU or EFTA are in scope for the EU Data Boundary. However, Customers who have purchased Multi-Geo Capabilities are not in scope for the EU Data Boundary even if their tenant is listed as being in a country or region in the EU or EFTA. Customers can check their tenant’s country or region in the Microsoft 365 admin center.