Data Protection Impact Assessments: Guidance for Data Controllers Using Dynamics 365 and Power Platform

Under the General Data Protection Regulation (GDPR), data controllers are required to prepare a Data Protection Impact Assessment (DPIA) for processing operations that are 'likely to result in a high risk to the rights and freedoms of natural persons'. There is nothing inherent in Dynamics 365 and Power Platform that would necessarily require the creation of a DPIA by a data controller using it. Rather, whether a DPIA is required will be dependent on the details and context of how the data controller deploys, configures, and uses Dynamics 365 or Power Platform. In any case, a DPIA should begin early in the life of a project and run in parallel to the planning and development process.

The purpose of this document is to provide data controllers with information about Dynamics 365 and Power Platform that will help you determine whether you need a DPIA and, if so, what details to include.

Note

Microsoft is not providing any legal advice in this article. This article is being provided for informational purposes only. Customers are encouraged to work with their privacy officers (and/or Data Protection Officer (DPO) where designated) and/or legal counsel and/or advisors to determine the necessity and content of any DPIAs related to their use of Microsoft Dynamics 365, Power Platform, or any other Microsoft online service.

Part 1: Determining whether a DPIA is needed

Article 35 of the GDPR requires a data controller to create a Data Protection Impact Assessment '[w]here a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.' It further sets out particular factors that would indicate a high risk, which are discussed in the following table: In determining whether a DPIA is needed, a data controller should consider these factors, along with any other relevant factors, in light of the controller's specific implementation(s) and use(s) of Dynamics 365 and Power Platform.

Risk Factor Relevant Information about Dynamics 365 and Power Platform
A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; Some Dynamics 365 and Power Platform services perform certain automated processing of data, such as lead or opportunity scoring (for example, predicting how likely a sale is to occur). However, Dynamics 365 and Power Platform services are not designed to perform processing on which decisions are based that produce legal or similarly significant effects on individuals.

However, because Dynamics 365 and Power Platform are highly customizable services, a data controller could potentially configure them to be used for such processing. Data controllers should make this determination based on their usage of Dynamics 365 and Power Platform.
Processing on a large scale 1 of special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data used to uniquely identify a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation), or of personal data relating to criminal convictions and offenses; Dynamics 365 and Power Platform services aren't designed to process special categories of personal data on a large scale.

However, a data controller could use Dynamics 365 and Power Platform to process the enumerated special categories of data. Further, Dynamics 365 and Power Platform is a highly customizable service that enables the customer to track or otherwise process personal data, including special categories of personal data. But as the data processor, Microsoft has no control over such use and typically would have little or no insight into such use.
A systematic monitoring of a publicly accessible area on a large scale Dynamics 365 and Power Platform aren't designed to conduct or facilitate such monitoring on a large scale.

However, a data controller could use it to process data collected through such monitoring. Dynamics 365 and Power Platform are highly customizable services that enables the customer to track or otherwise process any type of data, including monitoring data. As the data processor, Microsoft has no control over such use and has little or no insight into such use. It is inclumbent upon the data controller to determine appropriate uses of the data controller's data.

Note

1 With respect to the criteria that the processing be on a 'large scale,' Recital 91 of the GDPR clarifies that: 'The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional, or lawyer. In such cases, a data protection impact assessment should not be mandatory.'

Part 2: Contents of a DPIA

Article 35(7) of the GDPR mandates that a Data Protection Impact Assessment specifies the purposes of processing and a systematic description of the envisioned processing. A systematic description in a comprehensive DPIA might include factors such as the types of data processed, how long data is retained, where the data is located and transferred, and what third parties may have access to the data. Ideally, a data flow diagram supports the description. In addition, the DPIA must include:

  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • An assessment of the risks to the rights and freedoms of natural persons; and
  • The measures used to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned.

The table below contains information about Dynamics 365 and Power Platform that is relevant to each of those elements. As in Part 1, data controllers must consider the details provided below, along with any other relevant factors, in the context of the data controller's specific implementation(s) and use(s) of Dynamics 365 or Power Platform.

Elements of a DPIA Relevant Information About Dynamics 365 and Power Platform
Purpose(s) of processing The purpose(s) of processing data using Dynamics 365 and Power Platform is determined by the controller that implements, configures, and uses it.

As specified by the Product Terms and Microsoft Products and Services Data Protection Addendum (DPA), Microsoft, as a data processor, processes Customer Data to provide the customer with Online Services in accordance with the customer's documented instructions.

As detailed in the Product Terms and Products and Services Data Protection Addendum (DPA), Microsoft also uses personal data to support a limited set of business operations.

Microsoft is controller of the processing of personal data to support these specific business operations. Generally, Microsoft aggregates personal data before using it for our business operations, removing Microsoft's ability to identify specific individuals. Microsoft uses personal data in the least identifiable form that will support processing necessary for business operations.

Microsoft won't use Customer Data or information derived from it for profiling or for advertising or similar commercial purposes.

Dynamics 365 is an online platform for processing that features several discrete online services, each of which has distinct purposes of processing. You can find descriptions of each Dynamics 365 service offering here and Power Platform service offering here.

Dynamics 365 and Power Platform processes personal data only to provide customers its online services, including purposes compatible with providing those services.
Categories of personal data processed Customer Data: All data, including text, sound, video, or image files and software, that customers provide to Microsoft or that is provided on customers' behalf through their use of Microsoft online services. It includes data that customers upload for storage or processing, and customizations.

Service-Generated Data: Data that Microsoft generates when you operate a service, such as use or performance data. Most of these data contain pseudonymous identifiers generated by Microsoft.

Professional Services Data: All data, including all text, sound, video, image files, or software that's provided to Microsoft by, or on behalf of, Customer (or that Customer authorizes Microsoft to obtain from a Product) or otherwise obtained or processed by or on behalf of Microsoft through an engagement with Microsoft to obtain Professional Services.

For more information regarding data processed by Dynamics 365 and Power Platform, see the Product Terms and Microsoft Products and Services Data Protection Addendum.
Data retention Microsoft will retain Customer Data for the duration of the customer's right to use the service, until all Customer Data is deleted or returned in accordance with the customer's instructions or the terms of the Product Terms and Products and Services Data Protection Addendum (DPA). During the term of the customer's subscription, the customer will have the ability to access and extract customer data stored in each online service. Microsoft will usually retain Customer Data stored in the Online Service in a limited function account for 90 days after expiration or termination of customer's subscription so that customer may extract the data. After the 90 day-retention period ends, Microsoft will disable the customer account and delete the Customer Data.

The customer can delete Customer Data and pseudonymous data at any time using the capabilities described in the Dynamics 365 and Power Platform Data Subject Rights Guide.
Location and transfers of personal data Customers have the ability to provision Customer Data at rest within specified geographic regions, subject to certain exceptions as set out in the Products and Services Data Protection Addendum (DPA). For more information regarding service deployments and data residency, visit the Microsoft Trust Center and a Dynamics 365 and Power Platform article about data location and availability at Dynamics 365 availability and data locations and International availability of Microsoft Power Platform.

For personal data transferred out of the European Economic Area, Switzerland, and the United Kingdom, Microsoft will ensure that transfers of personal data to a third country or an international organization are subject to appropriate safeguards as described in Article 46 of the GDPR. In addition to Microsoft's commitments under the Standard Contractual Clauses for processors and other model contracts, Microsoft continues to abide by the terms of the Data Privacy Framework.
An assessment of the necessity and proportionality of the processing operations in relation to the purposes Such an assessment will depend on the data controller's needs and purposes of processing.

Microsoft takes measures such as the aggregation of personal data used by Microsoft to support business operations to support provision of the services, minimizing the risk of such processing to data subjects that use the service.

Regarding the processing carried out by Microsoft, such processing is necessary and proportional for providing the services to the data controller.
An assessment of the risks to the rights and freedoms of data subjects The key risks to the rights and freedoms of data subjects from the use of Dynamics 365 or Power Platform will depend on how and in what context the data controller implements, configures, and uses it.

Microsoft takes measures such as aggregation of personal data when used to support business operations, reducing the risk of such processing to data subjects that use the service.

However, as with any service, personal data held in the service may be at risk of unauthorized access or inadvertent disclosure. Measures Microsoft takes to address such risks are discussed below.
Data sharing with third-party subprocessors Microsoft shares data with third parties acting as our subprocessors (as defined in the GDPR) to support functions such as customer and technical support, service maintenance, and other operations. Any subprocessors to which Microsoft transfers Customer Data, Support Data or Personal Data will have entered into written agreements with Microsoft that are no less protective than the terms in the Product Terms and Products and Services Data Protection Addendum (DPA). All third-party subprocessors with which Customer Data from Microsoft's Core Online Services is shared are included in the Online Services Subcontractor list.
Data subject rights When operating as a processor, Microsoft makes available to customers (data controllers) the personal data of its data subjects and the ability to fulfill data subject requests when they exercise their rights under the GDPR. Microsoft does so in a manner consistent with the functionality of the product and our role as a processor.  If Microsoft receives a request from the customer's data subjects to exercise one or more of its rights under the GDPR, we redirect the data subject to make the request directly to the data controller.

Refer to the Dynamics 365 and Power Platform Data Subject Requests guide for information for data controllers about how to support data subject rights using the capabilities in Dynamics 365 and Power Platform.

Microsoft generally aggregates personal data before using it for our business operations and isn't in a position to identify personal data for a specific individual in the aggregate. This reduces the privacy risk to the individual. Where Microsoft is not in a position to identify the individual, it cannot support data subject rights for access, erasure, portability, or the restriction or objection of processing.
The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned Microsoft is committed to helping protect the security of Customer Data. The security measures Microsoft takes are described in detail in the Product Terms.

Microsoft complies with strict security standards and industry-leading data protection methodology. Microsoft is continually improving its systems to deal with new threats. More information regarding cloud governance and privacy practices is available at Trust Center's Managing compliance in the cloud page.

Microsoft takes reasonable and appropriate technical and organizational measures to safeguard the personal data that it processes. These measures include, but aren't limited to, internal privacy policies and practices, contractual commitments, and international and regional standard certifications. More information is available at Trust Center's Privacy page.

For detailed list of Microsoft-managed controls (technical and business process controls) for security implemented by Dynamics 365 and Power Platform, visit the Service Trust Portal. Further, when Microsoft acts as a data processor, it complies with all other GDPR obligations that apply to data processors.

Where Microsoft processes personal data for its business operations, it complies with GDPR obligations that apply to data controllers.

Learn more