On September 22, 2023, the Lower Saxony data protection authority (LfD Niedersachsen) announced that it, together with six other data protection supervisory authorities, had developed a guide on how to deal with Microsoft's standard order processing agreement, known as Products and Services Data Protection Addendum (the Addendum), for the use of Microsoft 365.

In particular, the guide states that the German Data Protection Conference (DSK) released an assessment of Microsoft 365, in November 2022, in which the DSK determined that the Addendum did not meet the requirements of Article 28(3) of the General Data Protection Regulation (GDPR) and that the guide was developed in connection with the issues highlighted by the DSK. More specifically, the guide is for those responsible for concluding the Addendum, to support them in working towards appropriate contractual changes. The guide, among other things, includes:

• information on the determination of the type and purpose of processing and type of personal data;
• Microsoft's responsibility in the context of processing for business activities initiated by the provision of the products and services to the customer;
• binding instructions, disclosure of processed data, and fulfillment of legal obligations;
• implementation of technical and organizational measures;
• deletion of personal data, which must be contractually adjusted; 
• information on sub-processors; and
• certain 'to-do' tips.

The guide excludes the topics of international data transfer and the extraterritorial scope of application of US laws. Finally, the guide notes that it does not replace the data protection assessment of all the technical functions of Microsoft 365 and the person responsible must independently carry out a data protection check.

You can read the press release here and download the guide here, both only available in German.