Privacy guide for personal insights in the Viva Insights app

When data is processed in the Microsoft Viva Insights app, Microsoft protects employee privacy and fully complies with local regulations, such as the General Data Protection Regulation (GDPR). Viva Insights protects privacy in the following ways:

  • Personal and private – Content in your insights is personal and private: it is available only to you and cannot be accessed by anybody else in your organization.

  • Everyone's data is kept private – Viva Insights does not include any new personally identifiable information about anybody else in your organization. The insights and actions are based on information generated by you and your organization just by going about your regular workday. Your insights are based on information that you already have access to but can’t quickly aggregate without help.

  • Mailbox security – Viva Insights uses Exchange Online email and calendar data and processes and stores any insights or actions inside your Exchange Online mailbox, so data security is built in and enforced by Exchange.

  • GDPR compliant – Microsoft complies with the GDPR when providing insights and actions in the app.

How it works

The personal insights and actions in the Microsoft Viva Insights app are based on your Exchange Online mailbox data, such as email and calendar data. The insights are derived from data that is already available to you in your Exchange Online mailbox. For example, if you want to determine what commitments you made to others, you could manually review each email in your mailbox. The Viva Insights app simply saves you from this tedious process.

GDPR compliance

Microsoft helps data controllers meet the following obligations for the Microsoft Viva Insights app:

  • Secure and protect users’ personal data – Insights requires an Exchange Online license, and all data is stored in the employee’s Exchange Online mailbox. The computed metrics, such as tasks, are appended to the mailbox. Thus, the Viva Insights app meets this obligation by virtue of Exchange Online also meeting the obligation:

    • Microsoft will not mine customer data in Exchange Online for advertising.
    • Microsoft will not voluntarily disclose Exchange Online customer data to law enforcement agencies.
    • Microsoft will meet all requirements related to encryption of Exchange Online data and implement controls to reduce security risks and help ensure business continuity, as described in ISO 27001 and 27018.

  • Notify users in the event that a breach is detected – Microsoft will notify customer privacy contacts within 72 hours of becoming aware of a breach, in accordance with Microsoft 365 incident response standard operating procedures.

  • Honor user requests (DSRs) to export, delete, or restrict processing of personal data – Microsoft supports user requests, such as requests to export or delete data.

To learn more, see GDPR compliance.
