Microsoft publishes new Data Protection Addendum
On 15 September 2021, Microsoft published a revised version of its Data Protection Addendum (DPA). The DPA applies to all customers with volume licence agreements. It is automatically part of the Universal License Terms for Online Services. This mechanism is in line with the previous practice of incorporating the DPA into the Online Services Terms. Customers with volume licence agreements therefore do not need to take any action for the new DPA to apply in relation to the processing of their data.
The following changes are worth highlighting:
Uniform DPA for products and services
In principle, there is now only one uniform DPA for Online Services and Software (together “Products”) as well as for Professional Services. So-called “Supplemental Professional Services” are excluded. According to the new definition, these are support requests that the regular support team has escalated to a product engineering team. This also includes other non-standardised consulting and support services that Microsoft provides in connection with Products or a volume licensing agreement.
Data transfers under processor-to-processor Standard Contractual Clauses
The main reason for the revision and renewal of the DPA was the implementation of the new EU Standard Contractual Clauses as a mechanism for the transfer of Customer Data, Professional Services Data and Personal Data to so-called unsafe third countries.
For this purpose, Microsoft uses Module 3 of the Standard Contractual Clauses (Processor-to-Processor) newly created by the EU Commission, which Microsoft has concluded within the group between Microsoft Ireland Operations Ltd. and Microsoft Corp. USA.
For transfers from Switzerland and the United Kingdom, the existing 2010 Standard Contractual Clauses between Customers and Microsoft Corp. remain in force. For the time being, they are regarded as an additional transfer mechanism alongside the processor-to-processor Standard Contractual Clauses. This is probably due to the fact that the FDPIC only recently confirmed the new EU Standard Contractual Clauses as a permissible transfer mechanism for Switzerland. It can be assumed that this special feature for Switzerland will soon cease to apply.
It remains to be seen whether Microsoft will implement the “Swiss finishes” that the FDPIC called for in its guidance of 27 August 2021 in the Standard Contractual Clauses concluded within the group. In the case of a pure “onward transfer” from the EU to a so-called unsafe third country, this does not seem necessary a priori, as the FDPIC generally recognises the adequacy of the EU data protection regime in the context of cross-border transfers in its guidance (which does not deal with onward transfers).
Update, 15 September 2021, 15h00: Meanwhile, the processor-to-processor Standard Contractual Clauses have been posted in the Service Trust Center. They do indeed contain (see last page) the Swiss finishes requested by the FDPIC.
Additional safeguards now at DPA level
The Additional Safeguards Addendum, introduced as a reaction to the Schrems II judgement of the CJEU, is now directly attached to the DPA (and no longer part of the Standard Contractual Clauses). In particular, this results in a significant extension of the scope of application of the additional safeguards. The additional safeguards now apply not only to transfers of personal data under the Standard Contractual Clauses, but also generally to all personal data processed by Microsoft (as a processor directly subject to the GDPR), i.e. in particular to all contract processing by Microsoft Ireland Operations Ltd. as a processor.
The content of the additional safeguards themselves remains essentially the same as introduced in December 2020. In particular, this concerns the indemnification of data subjects against damages that arise in the context of access by public authorities, as well as explicit assurances regarding “challenges to orders”:
- use every reasonable effort to redirect the third party to request data directly from the customer;
- promptly notify the customer, unless prohibited under the law applicable to the requesting third party, and, if prohibited from notifying the customer, use all lawful efforts to obtain the right to waive the prohibition in order to communicate as much information to the customer as soon as possible; and
- use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with applicable law of the European Union or applicable Member State law.
For Switzerland, the Addendum still needs to be supplemented, especially with regard to the last point. However, Microsoft has already acknowledged this in the context of the initial implementation in December 2020. Accordingly, such an amendment is to be expected.
Further information and contact
Please do not hesitate to contact us if you have any questions about this Policy Alert or if you need support in dealing with the new DPA.
15 September 2021