The Dutch Government published, on 16 February 2022, a Data Protection Impact Assessment ('DPIA'), which assessed the data protection risks of the professional use of Microsoft Teams in combination with OneDrive, SharePoint Online, and the Azure Active Directory. In particular, the DPIA was conducted by the Ministry of Justice, the Strategisch Leveranciersmanagement Microsoft Rijk ('SLM Rijk') who are the central negotiator for Microsoft, Google, and Amazon Web Service products and services for Dutch central government organisations, and by SURF B.V.

Moreover, the DPIA is a repeated assessment of the use of Microsoft Teams, SharePoint, and OneDrive on two versions of the Microsoft Office software: Office for the Web and the mobile Office apps. Furthermore, the DPIA contains outcomes with respect to diagnostic data processing in the Office for the Web software and the mobile Office apps as of 31 May 2020, as retested in September 2021.

In addition, the DPIA notes, among other things, that there are no high risks when using the aforementioned services, however, there is a high risk if organisations use Microsoft Teams to process very sensitive and special categories of data, due to the possible access by law enforcement and security services in the US. In this regard, the DPIA provides that organisations can mitigate this high risk for OneDrive and SharePoint by using their own encryption keys, with Microsoft Double Key Encryption.

You can read the press release here and download the DPIA here.