Privacy and Microsoft Teams
When an organization is considering relying on Microsoft Teams for communication and collaboration, privacy is something that needs to be addressed at every level. The topics we discuss in this article should address your privacy concerns when planning your Teams implementation, or at any point during Teams usage.
What personal data does Microsoft Teams collect and for what purposes does Microsoft Teams use this data?
Microsoft processes the personal data in Microsoft Teams to deliver the agreed-upon services defined in the Online Services Terms and for the purposes determined by the data controller obtaining the service. Microsoft Teams, as a cloud-based service, processes various types of personal data as part of delivering the service. This personal data includes:
- Content: Your meetings and conversations chats, voicemail, shared files, recordings, and transcriptions.
- Profile Data: Data that is shared within your company about you. Examples include your email address, profile picture, and phone number.
- Call History: A detailed history of the phone calls you make, which allows you to go back and review your own call records.
- Call Quality data: Details of meetings and call data are available to your system administrators, which allows your administrators to diagnose issues related to poor call quality and service usage.
- Support/Feedback data: Information related to troubleshooting tickets or feedback submission to Microsoft.
- Diagnostic and service data: Diagnostic data related to service usage. This personal data allows Microsoft to deliver the service (troubleshoot, secure, and update the product and monitor performance) as well as perform some internal business operations, such as:
  - Determine revenue
  - Develop metrics
  - Determine service usage
  - Conduct product and capacity planning
To the extent Microsoft Teams processes personal data in connection with Microsoft's legitimate business operations, Microsoft is an independent data controller for such use and is responsible for complying with all applicable laws and controller obligations.
Legal Basis of Processing
Our customers are controllers for the data provided to Microsoft, as set forth in the Online Services Terms, and they determine legal bases of processing. Microsoft, in turn, processes the data on the customers' instructions, as a processor.
To the extent Microsoft processes personal data in connection with its own legitimate business operations, as described in the Online Services Terms, Microsoft is an independent controller for such processing, the legal basis of which is legitimate interests. "Microsoft's legitimate business operations" consist of the following, each as incident to delivery of Microsoft Teams to the customer: (1) billing and account management; (2) compensation (for example, calculating employee commissions and partner incentives); (3) internal reporting and modeling (for example, forecasting, revenue, capacity planning, product strategy); (4) combatting fraud, cybercrime, or cyber-attacks that may affect Microsoft or Microsoft Products; (5) improving the core functionality of accessibility, privacy, or energy-efficiency; and (6) financial reporting and compliance with legal obligations.
What third parties have access to personal data?
Microsoft won't disclose personal data except:
- as the customer directs (including as required to complete phone calls);
- as described in the Online Services Terms (such as the use of authorized subcontractors to provide certain components of services);
- as required by law.
If law enforcement contacts Microsoft with a demand, Microsoft will attempt to redirect the law enforcement agency to request that personal data directly from the customer. If compelled to disclose personal data to law enforcement, Microsoft will promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so. For more information about data that we disclose in response to requests from law enforcement and other government agencies, please see our Law Enforcement Requests Report.
The Teams Security Guide has more information about our compliance standards.
Where does Teams transfer and store personal data?
Personal data is transferred and stored as set forth in the Online Services Terms.
For transfers of personal data from the EEA, EU, Switzerland, and the UK, Microsoft is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail, although Microsoft does not rely on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18.
We have information on the Location of data in Microsoft Teams if you need to learn more.
How long does Microsoft Teams retain personal data?
Microsoft Teams retains your data for the minimum amount of time necessary to deliver the service.
Because this data is required to provide the service, this typically means that we retain personal data until the user stops using Microsoft Teams, or until the user deletes personal data. If a user (or an administrator on the user's behalf) deletes the data, Microsoft will ensure that all copies of the personal data are deleted within 30 days.
If a company terminates service with Microsoft, all corresponding personal data will be deleted between 90 and 180 days after service termination.
In some circumstances, local laws require that Microsoft Teams retain telephone records (for billing purposes) for a specific period of time; in those circumstances, Microsoft Teams follows the law for each region.
Additionally, if a company requests that Microsoft Teams holds a user's data to support a legal obligation, Microsoft will respect the company administrator's request.
Right to withdraw consent
If Microsoft Teams processes any personal data based on consent, you may have the right to withdraw your consent at any time. You should direct your request to withdraw consent to your administrator, where your administrator is the controller of the personal data at issue.
Contact Details of Microsoft's Data Protection Officer
If you have a privacy concern, complaint or question for the Microsoft Chief Privacy Officer and EU Data Protection Officer, please contact us by using our web form. Our EU Data Protection Officer is located at Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Telephone: +353 1 706 3117. You can also raise a concern or lodge a complaint with a data protection authority or other official with jurisdiction.