New Microsoft Data Protection Rules


Effective January 2020, Microsoft has removed all data-protection-related terms from its Online Services Terms (OST) document and moved them to a new, separate document called the Online Services Data Protection Addendum (DPA).

The new DPA can be found here (direct download for January 2020 versions: EN; DE; FR).

The new DPA update replaces the previous OST language authorizing Microsoft to process Customer Data “only to provide Customer the Online Services including purposes compatible with providing those services” with more specific instructions and limitations. These changes result from customer feedback, more precisely from discussions with the Dutch Ministry of Justice and Security (Dutch MoJ). Microsoft’s goal is to create more transparency for its customers about data processing in the Microsoft Cloud, as it outlined in a blog post on November 18, 2019.

In summary and at a high level, the DPA update:

• allows Microsoft to process Customer Data and Personal Data as a data processor for three authorized purposes: (1) delivering the Online Services, (2) troubleshooting, and (3) ongoing improvement;

• excludes processing of Customer Data and Personal Data for the purpose of (1) profiling, (2) advertising or similar commercial purposes, or (3) market research (unless done in accordance with documented instructions from customer);

• clarifies that Microsoft has the responsibilities of a data controller if it processes Customer Data and Personal Data for certain additional listed “legitimate business operations”, with specific limitations;

• adds clarity and additional details based on customer feedback (e.g., around how Customers can engage with Microsoft to audit Microsoft’s data processing pursuant to the GDPR); and

• clarifies notification periods for addition of new subprocessors (6 months for subprocessors with access to Customer Data; 14 days for subprocessors with access to Personal Data other than that which is contained in Customer Data).

Microsoft makes the commitments in this new DPA to all customers with volume license agreements. These commitments are binding on Microsoft regardless of the version of the OST that is otherwise applicable to any given Online Services subscription, or any other agreement that references the OST.