Germany: DSK releases assessment of Microsoft 365
The German Data Protection Conference ('DSK') published, on 25 November 2022, the report of the DSK working group on Microsoft 365 ('the DSK report'). The report follows talks with Microsoft, initiated in September 2020, that aimed to promptly achieve data protection-compliant improvements as well as adjustments for carrying out data transfers to third countries. In particular, the DSK report specifies that, in September 2022, Microsoft presented an updated Products and Services Data Protection Addendum ('DPA'), which primarily brought changes to the contractual formulation of Microsoft's responsibility in the context of processing activities for legitimate business purposes. However, the DSK report highlights that the changes implemented by Microsoft could not conclusively clarify in which cases Microsoft acts as a data processor and in which cases it operates as a data controller.
Moreover, the DSK report outlines the following shortcomings:
- during the discussions with Microsoft, the working group was not able to achieve any significant improvements in the drafting of the contract with regard to the definition of the types and purposes of processing and the types of personal data processed;
- with regard to Microsoft's responsibility in relation to processing for its own business activities, the working group was able to achieve changes to the contractual arrangement; however, such changes did not bring about any substantial changes to the actual processing operations;
- the DPA does not restrict disclosures of personal data, other than on the instructions of the data controller, to the instances required by EU or Member State law to which Microsoft is subject, in violation of Article 28(3)(a) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR');
- despite the changes implemented in the DPA, legal uncertainties remain, as the guarantees on security measures only formally cover a subset of the personal data;
- the design of the obligation to delete or return all the personal data to the controller after the end of the provision of the service does not always meet the requirements laid down by Article 28(3)(g) of the GDPR; and
- it is not possible to use Microsoft 365 without transferring personal data to the US.
Importantly, the DSK report clarifies that it does not provide conclusive investigations and cannot rule out nor anticipate other supervisory findings.
Separately, Microsoft published, on 25 November 2022, its response to the DSK report, where it disagreed with the DSK position.
The DSK report, which is available only in German, and Microsoft's response have both been published.