Data Protection Impact Assessments: Guidance for Data Controllers Using Microsoft Office 365

Under the General Data Protection Regulation (GDPR), data controllers are required to prepare a Data Protection Impact Assessment (DPIA) for processing operations that are 'likely to result in a high risk to the rights and freedoms of natural persons.' There's nothing inherent in Microsoft Office 365 that would necessarily require the creation of a DPIA by a data controller using it. Rather, whether a DPIA is required will be dependent on the details and context of how you, as the data controller, deploy, configure, and use Office 365.

Part 1 of this document provides information about Office 365 to help you, as a data controller, determine whether a DPIA is needed. If the answer is 'yes,' Parts 2 and 3 of this document provide key information from Microsoft that can help draft it. Specifically, Part 2 provides answers applicable to all Office 365 services for each of the required elements of a DPIA. Part 3 provides additional product-specific information for a number of the most relevant information needs of our customers for purposes of drafting their own DPIAs. Part 3 also includes an illustrative DPIA document that you can download and modify to make drafting DPIAs easier for you.

Office 365 applications and services, include, but are not limited to, Exchange Online, SharePoint, OneDrive for work and school, Viva Engage, and Microsoft Teams. A more complete list of services available through Office 365 can be seen in Tables 1 and 2 of the Office 365 Data Subject Request Guide.

Part 1: Determining whether a DPIA is needed

Article 35 of the GDPR requires a data controller to create a Data Protection Impact Assessment 'where a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.' It further sets out particular factors that would indicate such a high risk, which are discussed in the following table. In determining whether a DPIA is needed, you, as a data controller should consider these factors, along with any other relevant factors, in light of the controller's specific implementation(s) and use(s) of Office 365.

Risk Factor Relevant Information about Office 365
A systematic and extensive evaluation of personal aspects relating to natural persons that is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person Depending upon the data controller's configuration, Office 365 may perform certain automated processing of data, such as the analysis performed by Viva Personal Insights that allows the data controller to derive insights on how people collaborate within an organization based on email and calendar header information from user's mailboxes.

Office 365 is not designed to perform automated processing as the basis for decisions that produce legal or similarly significant effects on individuals. However, because Office 365 is a highly customizable service, a data controller could potentially use it for such processing.
Processing on a large scale 1 of special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation), or of personal data relating to criminal convictions and offenses Office 365 is not designed to process special categories of personal data on a large scale.

However, a data controller could use Office 365 to process the enumerated special categories of data. Office 365 is a highly customizable service that enables the customer to track or otherwise process any type of personal data, including special categories of personal data. Any such use is relevant to a controller's determination of whether a DPIA is needed. But as the data processor, Microsoft has no control over such use and typically would have little or no insight into such use.
A systematic monitoring of a publicly accessible area on a large scale Office 365 is not designed to conduct or facilitate such monitoring.

However, a data controller could use it to process data collected through such monitoring.

Note

1 With respect to the criteria that the processing be on a "large scale," Recital 91 of the GDPR clarifies that: "The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional, or lawyer. In such cases, a data protection impact assessment should not be mandatory."

Part 2: Contents of a DPIA

GDPR Article 35(7) mandates that a Data Protection Impact Assessment specifies the purposes of processing and a systematic description of the envisioned processing. In Microsoft's DPIAs, such systematic description includes factors such as the types of data processed, how long data is retained, where the data is located and transferred, and what third parties may have access to the data. In addition, the DPIA must include:

  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of natural persons; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the General Data Protection Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

The following table provides key information from Microsoft that can help with your DPIA drafting. It contains information about Office 365 that is relevant to each of the required elements of a DPIA. As in Part 1, data controllers must consider the details provided below, along with the details of its own specific implementation(s) and use(s) of Office 365.

Risk Factors Relevant Information About Office 365
Purpose(s) of processing The purpose(s) of processing data using Office 365 is determined by the controller that implements, configures, and uses it.

As specified by the Product Terms and Microsoft Products and Services Data Protection Addendum (DPA), Microsoft, as a data processor, processes Customer Data to provide Customer the Online Services in accordance with Customer's documented instructions.

As detailed in the standard Product Terms and Microsoft Products and Services Data Protection Addendum (DPA), Microsoft also uses Personal Data to support a limited set of legitimate business operations consisting of: (1) billing and account management; (2) compensation (for example, calculating employee commissions and partner incentives); (3) internal reporting and modeling (for example, forecasting, revenue, capacity planning, product strategy); (4) financial reporting and compliance with legal obligations (subject to the limitations on disclosure of Customer Data outlined in the Product Terms and Data Protection Addendum).

Microsoft accepts the obligation of a controller of the processing of personal data to support these specific legitimate business operations. Microsoft aggregates Personal Data before using it for our legitimate business operations, removing Microsoft's ability to identify specific individuals, and uses personal data in the least identifiable form that will support processing necessary for legitimate business operations.

Microsoft will not use Customer Data or information derived from it for profiling or for advertising or similar commercial purposes.
Categories of personal data processed Customer Data: This is all data, including text, sound, video, or image files and software, that customers provide to Microsoft or that is provided on customers' behalf through their use of Microsoft online services. It includes data that customers upload for storage or processing, as well as customizations. Examples of Customer Data processed in Office 365 include email content in Exchange Online, and documents or files stored in SharePoint or OneDrive for work and school.

Service-generated Data: This is data that is generated or derived by Microsoft through operation of the service, such as use or performance data. Most of these data contain pseudonymous identifiers generated by Microsoft.

Diagnostic Data: This data is collected or obtained by Microsoft from software that is locally installed by Customer in connection with the Online Service and may also be referred to as telemetry. This data is commonly identified by attributes of the locally installed software or the machine that runs that software.

Support Data: This is data provided to Microsoft by or on behalf of Customer (or that Customer authorizes Microsoft to obtain from an Online Service) through an engagement with Microsoft to obtain technical support for Online Services.

Customer Data, System-generated Log Data, and Support Data do not include administrator and billing data, such as customer administrator contact information, subscription information, and payment data, which Microsoft collects and processes in its capacity as a data controller and which is outside the scope of this document.
Data retention Customer Data: As set out in the Data Protection Terms in the Product Terms and Data Protection Addendum, Microsoft retains Customer Data for the duration of the customer's right to use the service and until all Customer Data is deleted or returned in accordance with the customer's instructions or the terms of the Product Terms and Data Protection Addendum.

At all times during the term of the customer's subscription, the customer has the ability to access, extract, and delete Customer Data stored in the service, subject in some cases to specific product functionality intended to mitigate the risk of inadvertent deletion (for example, Exchange recovered items folder), as further described in product documentation.

Except for free trials and LinkedIn services, Microsoft will retain Customer Data stored in the Online Service in a limited function account for 90 days after expiration or termination of the customer's subscription so that the customer may extract the data. After the 90-day retention period ends, Microsoft will disable the customer's account and delete the Customer Data.

Service-generated Data: This data is retained for a default period of up to 180 days from collection, subject to longer retention periods where required for security of the services or to meet legal or regulatory obligations.

For further information about service capability that enables the customer to delete personal data maintained in the service at any time, see the Office 365 Data Subject Requests Guide.
Location and transfers of personal data As described in Attachment 1 of the Product Terms, if Customer provisions its instance of Office 365 in Australia, Canada, the European Union, France, India, Japan, South Korea, the United Kingdom, or the United States, Microsoft stores the following Customer Data at rest only within that location: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint site content and the files stored within that site, (3) files uploaded to OneDrive for work and school, and (4) project content uploaded to Project Online.

For personal data transferred out of the European Economic Area, Switzerland, and the United Kingdom, Microsoft will ensure that transfers of personal data to a third country or an international organization are subject to appropriate safeguards as described in Article 46 of the GDPR. In addition to Microsoft's commitments under the Standard Contractual Clauses for processors and other model contracts, Microsoft abides by the terms of the Data Privacy Framework.
Data sharing with third-party subprocessors Microsoft shares data with third parties acting as our subprocessors to support functions such as customer and technical support, service maintenance, and other operations. Any subcontractors to which Microsoft transfers Customer Data, Support Data, or Personal Data will have entered into written agreements with Microsoft that are no less protective than the Data Protection Terms of the Product Terms. All third-party subprocessors with which Customer Data from Microsoft's Core Online Services is shared are included in the Online Services Subprocessor disclosure. All third-party subprocessors that may access Support Data (including Customer Data that customers choose to share during their support interactions) are included in the Microsoft Commercial Support Contractors list.
Data sharing with independent third-parties Some Office 365 products include extensibility options that enable, at the controller's election, sharing of data with independent third parties. For example, Exchange Online is an extensible platform that allows third-party add-ins or connectors to integrate with Outlook and extend Outlook's feature sets. These third-party providers of add-ins or connectors act independently of Microsoft, and their add-ins or connectors must be enabled by the users or enterprise administrators, who authenticate with their add-in or connector account.

Microsoft will not disclose Customer Data or Support Data to law enforcement unless required by law. If law enforcement contacts Microsoft with a demand for Customer Data or Support Data, Microsoft will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose Customer Data or Support Data to law enforcement, Microsoft will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so.

Upon receipt of any other third-party request for Customer Data or Support Data, Microsoft will promptly notify Customer unless prohibited by law. Microsoft will reject the request unless required by law to comply. If the request is valid, Microsoft will attempt to redirect the third party to request the data directly from the customer.
Data subject rights When operating as a processor, Microsoft makes available to customers (data controllers) the personal data of its data subjects and the ability to fulfill data subject requests when they exercise their rights under the GDPR. We do so in a manner consistent with the functionality of the product and our role as a processor. If we receive a request from the customer's data subjects to exercise one or more of its rights under the GDPR, we redirect the data subject to make its request directly to the data controller. The Office 365 Data Subject Requests Guide provides a description to the data controller on how to support data subject rights using the capabilities in Office 365.

Requests from a data subject to exercise rights under the GDPR for personal data processed to support the legitimate business processes should be directed to Microsoft, as clarified in the Microsoft Privacy Statement.

Microsoft generally aggregates personal before using it for our legitimate business operations and isn't in a position to identify personal data for a specific individual in the aggregate. This significantly reduces the privacy risk to the individual. Where Microsoft is not in a position to identify the individual, it cannot support data subject rights for access, erasure, portability, or the restriction or objection of processing.
An assessment of the necessity and proportionality of the processing operations in relation to the purposes Such an assessment depends on the controller's needs and purposes of processing.

With regard to the processing carried out by Microsoft, such processing is necessary and proportional for the purpose of providing the services to the data controller.
An assessment of the risks to the rights and freedoms of data subjects The key risks to the rights and freedoms of data subjects from the use of Office 365 will be a function of how and in what context the data controller implements, configures, and uses it.

Microsoft takes measures such as the anonymization or aggregation of personal data used by Microsoft to support legitimate business operations to support provision of the services, minimizing the risk of such processing to data subjects that use the service.

However, as with any service, personal data held in the service may be at risk of unauthorized access or inadvertent disclosure. Measures Microsoft takes to address such risks are discussed in the following sections.
The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned Microsoft is committed to helping protect the security of Customer's information. In compliance with the provisions of Article 32 of the GDPR, Microsoft has implemented and will maintain and follow appropriate technical and organizational measures intended to protect Customer Data and Support Data against accidental, unauthorized, or unlawful access, disclosure, alteration, loss, or destruction.

Further, Microsoft complies with all other GDPR obligations that apply to data processors, including but not limited to, data protection impact assessments and record keeping.

Where Microsoft processes personal data for its legitimate business operations, it complies with GDPR obligations that apply to data controllers.

Part 3: DPIAs are hard, but this may help

If you have determined that your organization needs to draft a DPIA, the information in this section is designed to help make that process easier for you.

This section:

  • provides Office 365 and product-specific information relevant service elements, and
  • provides you with a blank model DPIA template that you can download, modify, and use to draft your own DPIAs.

DPIA service elements matrix

The DPIA Service Elements Matrix is an organization of content that you might find helpful as you start the process of documenting your DPIA. It's organized by service and provides product-specific information and links to documentation that may help you draft responsive answers to the required DPIA elements more easily.

Customizable DPIA document

We realize that drafting DPIAs can be a time-consuming effort. Although each customer's DPIA will differ based on how each organization configures and uses Office 365, the following document may save you time. You can download the Customizable DPIA document as a modifiable illustrative template to get quickly get started. It is free for you to use and adapt to your specific implementation of the service. This document should not be construed as legal advice provided by Microsoft or any of its affiliates. If you have any questions regarding the DPIA drafting process, we urge you to consult with your attorney.

Learn more