Microsoft Global Data Privacy Notice for Employees, External Staff, Candidates and Guests
Last updated: June 2024
Your privacy is important to Microsoft (“we”, “us”, “our” or “Microsoft”). We respect the privacy rights of all individuals and we are committed to handling personal data responsibly and in accordance with applicable laws and Employee Privacy Principles. This privacy notice, together with the Addenda and other notices provided at the time of data collection, explain what personal data Microsoft collects about you, how we use this personal data, and your rights to this personal data.
Please note that this privacy notice applies to the handling of your personal data as an employee, former employee, candidate, guest, or as external staff. (“External staff” are workers who are not employed by Microsoft and who have access to Microsoft’s facilities and/or Microsoft’s corporate network. This could include agency temporary workers, outsourced staff, contractors, and business guests.) Microsoft has additional governance and privacy requirements concerning the collection and uses of personal data.
This notice does not cover your use of Microsoft consumer products as a consumer, or outside of your employment or assignment with Microsoft. Microsoft consumer products may include services, websites, apps, software, servers, and devices. To learn more about Microsoft’s data collection practises that cover your use of Microsoft products as a consumer, please read our Microsoft Privacy Statement.
This notice is not intended and shall not be read to create any express or implied promise or contract for employment, for any benefit, or for specific treatment in specific situations. Nothing in this notice should be construed to interfere with Microsoft’s ability to process employee data for purposes of complying with our legal obligations, or for investigating alleged misconduct or violations of company policy or law, subject to compliance with local legal requirements.
Microsoft's processing of personal data is in all cases subject to the requirements of applicable local law, internal policy, and where applicable or appropriate, any consultation requirements with worker representatives. To the extent this notice conflicts with local law in your jurisdictions, local law controls.
We collect, use, and store (collectively “process”) different types of personal data about you in the operation of our business. If you are an employee, we process personal data about you (and your dependents, beneficiaries and other individuals associated with your employment) primarily for managing our employment relationship with you and managing your interactions with workplace facilities/information systems. If you are a former employee, we process personal data about you primarily for legal compliance. If you are external staff or guest, the type of personal data we process is limited to what we need to manage your engagement with Microsoft and access to Microsoft facilities and information systems. If you are a candidate, the type of personal data we process is generally limited to what we need to engage with you about Microsoft career opportunities, consideration of your application for employment to specific roles at Microsoft, including candidate screening, interview scheduling and management, lawful background screening, and to on-board you at Microsoft if you receive and accept an offer of employment with us.
The personal data we process can include, but is not limited to, the following:
Name and contact data. Your first name and surname, employee identification number, email address, postal address, phone number, photo, beneficiary and emergency contact details, and other similar contact data. Additionally, you may opt to provide Microsoft with additional contact information such as personal email address(es) and/or cell phone number(s).
Demographic data. Your date of birth and gender as well as more sensitive personal data (also known as special category data) including information relating to racial and ethnic origin, religious, political or philosophical beliefs, trade union membership or information about your health, disabilities, sexual orientation, gender identity, and transgender status. We may also ask about your parental status and military status.
We process this personal data for a variety of reasons, and this will vary in our different jurisdictions. Our reasons for processing this data include:
Where the processing of this personal data is not required by law, we will seek your consent to process your data and, in the consent mechanism, we will explain the purposes for which we will use your data. This will be voluntary, and you may decide whether or not to give consent.
National identifiers. Your national ID/passport, citizenship status, residency and work permit status, social security number, or other taxpayer/government identification number.
Employment details. Your job title/position, office location and/or remote working location, employment contract, offer letter, hiring date, termination date, performance history and disciplinary records, training records, leave of absence, sick leave and holiday records.
Spouse’s/partner’s and dependents’ information. Your spouse and dependents’ first names and surnames, dates of birth and contact details.
Background information. Your academic and professional qualifications, education, CV/Resume, credit history and criminal records data (used for background checks and vetting purposes where permissible and in accordance with applicable law and consultation requirements).
Video, voice and image. We may collect and use your video, voice and image data, subject to the requirements of local law, internal policy, and any consultation requirements with worker representatives (where appropriate).
Financial information. Your bank account details, tax information, salary, retirement account information, company allowances and other information necessary to administer payroll, taxes, benefits, and equity and incentive compensation.
Learning and Skills Data. As described in the Learning and Skills Data Addendum.
Feedback and sentiment data. Your responses to employee listening surveys such as Employee Signals and Daily Pulse and feedback collected about managers and co-workers via tools like Manager Feedback and Perspectives.
Workplace, Device, Usage, and Content data. Application data (such as data from Office 365, Teams, Outlook, or internal business processes) including emails sent and received, calendar entries, to-do items, instant messages, technical data and information (containing only limited identifiers, if any personal data at all) in the context of using (online) applications, building and information system access, Microsoft devices, system and application usage (including telemetry) when accessing and using Microsoft corporate buildings and assets. Please note that more information about the specific types of data Microsoft may use for product improvement purposes can be found in several resources, including the Microsoft Data Programme (MDP) addendum to this DPN. We may also collect personal data about you from third parties or public sources as needed to support the employment relationship or to engage with you concerning job opportunities at Microsoft. For example, before and during your employment or assignment with Microsoft, we may collect information from public professional networking sources, such as your LinkedIn profile, for recruitment purposes. We also may conduct lawful background screenings, to the extent permitted by law, through a third-party vendor for information about your past education, employment, credit and/or criminal history. In the event of a natural disaster or other life/safety emergency, we may rely on public social media posts or other public sources to account for employees if otherwise unable to contact them. Additionally, if there is an investigation of an incident involving employees, we may obtain information relevant to the incident from external sources including private parties, law enforcement or news sources and public social media posts.
We collect your personal data for the purposes set out below. Failure to provide your personal data when requested may prevent us from being able to carry out these tasks and/or comply with our legal obligations.
1. To administer your employment contract, offer letter or other commitments we have made to you.
We collect and use your personal data primarily for the purposes of managing our employment or working relationship with you, and to fulfil our obligations under your employment contract, or applicable Microsoft policies, including on-boarding, payroll, benefits and equity compensation administration, pension and retirement administration, managing holiday and other types of leave, tax reporting and the like. A few examples include: your employment contract, your offer letter (e.g., so we can on-board you), promotion history and performance reviews (e.g., so we can manage our employment relationship with you), and your bank account and salary details (e.g., so we can pay you or provide HR benefits).
2. Other overriding and legitimate business purposes
We also may collect and use your personal data when it is necessary for other legitimate purposes, such as general HR administration, maintaining our global directory of employees and external staff, general business management and operations, disclosures for auditing and reporting purposes, measuring employee sentiment, internal investigations, management of network and information systems security, administration of business applications and systems, business operations, workplace analytics, corporate workplace policy compliance, security, life safety, building management, space planning and allocation, provision and improvement of employee services and facilities, physical security and cybersecurity, data protection, for global diversity and inclusion initiatives, to protect the life and safety of employees and others and in connection with the sale, assignment or other transfer of all or part of our business. We also use business data and other workplace usage, device and content data for organisational and individual analytics and data insight purposes to improve Microsoft business operations, manager capability and the employee experience. We may also use special applications and systems that record employee performance metrics, such as sales related or code databases for business operations purposes as well as for the purposes of reviewing, rewarding and coaching employees on their performance and for administration and assessment of training. We may also process your personal data to investigate potential violations of law or violations of our internal policies.
Additionally, we may process your personal data to conduct scientific research, without your additional consent, when viewed as in the public interest and/or where there is a clear attempt for contributions to generalizable knowledge. In these cases, we will ensure appropriate technical and organisational controls are in place to protect your personal data, such as anonymising and aggregating data to help protect your identity, ensuring use of your personal data is subject to our privacy standards and conducting ethics and compliance reviews prior to using your personal data.
As Microsoft enables AI supported experiences in its products, your data may also be processed by AI to facilitate certain features and experiences deployed on the Microsoft tenant – including AI co-pilot features such as chatbot features, summarisation features and similar. Microsoft’s processing of your data will comply with its commitment to responsible AI.
3. Legally required purposes
We may also use your personal data when necessary to comply with laws and regulations, including collecting and disclosing personal data as required by law (e.g. for minimum wage, working time, tax, health and safety, anti-discrimination laws, global migration, whistleblowing procedures and data subject rights), under judicial authorisation, or to exercise or defend Microsoft’s legal rights.
4. Other uses of your data (where permissible and in accordance with applicable laws and consultation requirements)
We also may collect your internal usage data of Microsoft products, services and internal applications and tools, including business data created by employees and external staff, to measure and improve these products and for product research including human and machine review of data to train AI models and improve machine learning for Microsoft products and services. Additionally, your internal usage data may be combined with other business data, including workplace, device, usage, and content data, for product improvement purposes or to conduct aggregate analyses to improve internal tools and processes, business operations, manager capability, and employee experience. Where required by law, we will seek your consent for such usage; and where your consent is sought, we will ensure your consent is informed, voluntary, and that you suffer no adverse consequence from any decision to withhold or revoke your consent.
For eligible employees (i.e., part or full-time employees, interns, apprentices, or visiting researchers) who enrol in Microsoft Give, with your consent, we collect and use your personal data to enable voluntary personal donations of money, Microsoft products, volunteer hours to eligible organisations (i.e., certain non-profits or non-governmental organisations), and to inform you of the benefits and opportunities available through Give. Give is a voluntary benefit programme from which participants can opt-out and revoke their consent at any time; however, opt-outs and revocations do not affect previous processing of personal data. Further information on Microsoft Give is available here.
We will use your personal data only for the purposes for which it was collected, unless we reasonably need it for another compatible purpose and there is a legal basis for further processing. For example, relying upon our legitimate interest in recruiting candidates for roles at Microsoft, we may process the personal data you provided while researching job openings. However, once you apply for and are successful in obtaining a role, we may process your personal data for the purpose of entering into an employment relationship with you.
Microsoft will only share your personal data with those who have a legitimate business need for it. Whenever we permit a third party to access your personal data, we will ensure the personal data is used in a manner consistent with this privacy notice (and any applicable internal data handling guidelines consistent with the sensitivity and classification of the personal data). Your personal data may be shared with our subsidiaries and affiliates and other third parties, including service providers, for the following legitimate purposes:
To carry out the purposes of our personal data processing as described above (see section titled: “Why We Process Personal Data”);
To enable third parties to provide services on behalf of Microsoft. Third party data recipients include financial investment service providers, insurance providers, pension administrators and other benefits providers, childcare providers, payroll support services, relocation, tax and travel management services, health and safety experts, facility management, legal service providers, and security services;
To comply with our legal obligations, regulations, government clearances, or contracts, or to respond to data subject rights, a court order, administrative or judicial process, such as a subpoena, government audit or search warrant. Categories of recipients would include counterparties to contracts, judicial and governmental bodies;
In response to lawful requests by public authorities (such as regulatory bodies, law enforcement authorities and national security organisations);
To seek legal advice from external lawyers and advice from other external professionals such as accountants, management consultants, etc.;
As necessary to establish, exercise or defend against potential, threatened or actual litigation;
Where necessary to protect Microsoft, your vital interests, such as safety and security, or the vital interests of other persons;
In connection with the sale, assignment or other transfer of all or part of our business (such as a potential purchaser and its legal/professional advisers); or
Otherwise in accordance with your consent.
Please note that where legal requirements limit the sharing of your personal data, Microsoft will respect such requirements.
In some regions, you may have certain rights under applicable data protection laws (such as the European Union and United Kingdom General Data Protection Regulation and the Swiss Federal Act on Data Protection). Please see the Addendum to this notice for additional information by region/country.
Site pages may use cookies (small text files placed on your device). Cookies and similar technologies allow us to store and honour your preferences and settings; enable you to sign-in; combat fraud; and analyse how our websites and online services are performing.
We also use “web beacons” to help deliver cookies and gather usage and performance data. Our websites may include web beacons, and cookies, or similar technologies from third-party service providers.
You have a variety of tools to control the data collected by cookies, web beacons and similar technologies. For example, you can use controls in your internet browser to limit how the websites you visit are able to use cookies and to withdraw your consent by clearing or blocking cookies.
Microsoft monitors its IT and communications systems through automated tools such as network authentication and wireless connectivity hardware and software, anti-malware software, website filtering and spam filtering software, security software for cloud-based applications, access and transaction logging, mobile device management solutions, and internal and external audits. The primary purpose of this monitoring is Microsoft’s legitimate interests in protecting its employees, customers, and business partners. For example:
We also monitor our offices, and other workplace facilities, through video monitoring such as closed-circuit television (“CCTV”) and badge scans for security, life safety, campus utilisation trends and workplace analytics, corporate workplace policy compliance, and building management purposes. CCTV is primarily used at office entrance and exit points, elevator lobbies, rooms where there may be valuable equipment, such as server rooms, and in other select areas with a high risk for theft or with highly sensitive assets. CCTV is not used in private spaces such as restrooms, new mothers’ rooms or locker rooms. Nor is it used to monitor employee workstations for performance reasons.
You should be aware that any message, files, data, document, facsimile, audio/video, social media post or instant message communications, or any other types of information transmitted to, through or from, received or printed from, or created, stored or recorded on our IT and communications systems and assets (included via the use of personal devices accessing corporate IT systems), are presumed to be business-related and may be monitored or accessed by us in accordance with applicable law and workplace agreements (such as works council agreements), and subject to Microsoft’s own policies on access to and uses of such data.
Microsoft is committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, use or disclosure. For example, we store the personal data you provide on limited access computer servers that are located in controlled facilities, and we protect certain highly confidential or sensitive personal data through encryption in transfer and at rest.
Microsoft operates globally and therefore personal data may need to be transferred to countries outside of where the personal data was originally collected. For example, because we are headquartered in the United States, personal data collected in other countries is routinely transferred to the United States for processing. We transfer personal data from the European Economic Area, the United Kingdom, and Switzerland to other countries, some of which have not yet been determined by the European Commission and/or the Swiss Federal Council to have an adequate level of data protection. For example, their laws may not guarantee you the same rights, or there may not be a privacy supervisory authority there that is capable of addressing your complaints. When we engage in such transfers, we use a variety of legal mechanisms, including contracts such as the standard contractual clauses published by the European Commission under Commission Implementing Decision 2021/914, to help protect your rights and enable these protections to travel with your data. To learn more about the European Commission’s decisions on the adequacy of the protection of personal data in the countries where Microsoft processes personal data, see this article on the European Commission website. We may also transfer personal data when (i) you have consented to disclosure abroad; (ii) it is necessary for the conclusion or performance of a contract; (iii) it is necessary to safeguard an overriding public interest or to establish, exercise, or enforce legal rights; (iv) it is necessary to protect the life or the physical integrity of you or another person, and it is not possible to obtain your consent within a reasonable time; (v) you have made the data generally accessible and have not explicitly prohibited processing; or (vi) the data originates from a statutory register to which we have legitimate access.
Microsoft Corporation complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Microsoft Corporation has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Microsoft Corporation has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. In the context of an onward transfer, Microsoft Corporation has responsibility for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as an agent on our behalf. Microsoft Corporation remains liable under the DPF if our agent processes such personal information in a manner inconsistent with the DPF, unless Microsoft Corporation can prove that we are not responsible for the event giving rise to the damage. If there is any conflict between the terms in this privacy statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) programme, and to view our certification, please visit the US Department of Commerce’s Data Privacy Framework website. The controlled U.S. subsidiaries of Microsoft Corporation, as identified in our self-certification submission, also adhere to the DPF Principles—for more info, see the list of Microsoft U.S. entities or subsidiaries adhering to the DPF Principles.
If you have a question or complaint related to participation by Microsoft in the DPF Frameworks, we encourage you to contact us via our web form. For any complaints related to the DPF Frameworks that Microsoft cannot resolve directly, we have chosen to co-operate with the relevant EU Data Protection Authority, or a panel established by the European data protection authorities, for resolving disputes with EU individuals, the UK Information Commissioner (for UK individuals) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) for resolving disputes with Swiss individuals. Please contact us if you’d like us to direct you to your data protection authority contacts. As further explained in the DPF Principles, binding arbitration is available to address residual complaints not resolved by other means. Microsoft is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Individuals whose personal data is protected by Japan's Act on the Protection of Personal Information should refer to the article on the Japanese Personal Information Protection Commission’s website (only published in Japanese) for more information on the commission’s review of certain countries’ personal data protection systems.
We will store personal data in accordance with applicable laws or regulatory requirements and retain data for as long as necessary to fulfil the purposes for which the personal data was collected, as documented in our corporate data retention schedule.
We may occasionally update this privacy notice. When we do, we will revise the "last updated" date at the top of the privacy notice. If there are material changes to this privacy notice or in how Microsoft will use your personal data, we will use reasonable efforts to notify you either by prominently posting a notice of such changes before they take effect on our websites or by directly sending you a notification. We encourage you to periodically review this privacy notice to learn how Microsoft protects your personal data.
For copies of additional privacy documents mentioned in this privacy notice, or if you have a privacy concern or question related to this privacy notice, please contact AskHR@microsoft.com.
Our address is:
HR Privacy
Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052 USA
Telephone: (+1) 425-882-8080.
Last updated: June 2024
Microsoft believes that privacy is a fundamental human right. It is core to our business that consumers and enterprises alike trust us with their data. With trust, we can empower every individual and organisation on the planet to achieve more.
Similarly, respecting these principles in the workplace empowers our employees to do their best work. Our employees power our mission each and every day. Their trust is essential if we are to achieve that mission. We firmly believe that employees do not fundamentally give up their privacy rights by virtue of their employment at Microsoft. We respect the privacy laws and requirements of every country where we operate. In many cases, Microsoft goes beyond what is required to ensure that our employees can truly trust that Microsoft will act responsibly with the data we gather about them and remain our Company’s greatest champions and advocates.
In short, Microsoft takes a thoughtful, considered, and deliberate approach to employee privacy that both acknowledges the uniqueness of the employment relationship while also balancing the Company’s interests in running a secure, inclusive, efficient, and innovative operation. Our approach is bolstered by a privacy programme that cares deeply about these issues, as reflected in Microsoft’s investment in its Employee Data Governance Board (EDGB), which oversees the requirements of the Microsoft Privacy Standards concerning employee data, and in partners across Microsoft’s established privacy programme to ensure that teams treat employee privacy with extraordinary care.
The employment relationship is different from a consumer or customer relationship, and will at times mean that Microsoft has contractual, legal or other requirements to use employee data, including to provide required government reporting (such as reports required of Microsoft as a federal contractor, or pay-gap reporting in some countries), or take appropriate action to defend or prosecute legal claims made against or by the Company.
Informed by both our desire to maintain trust and balance the different nature of the employment relationship, Microsoft has adopted six core employee privacy principles:
I. Microsoft provides notice about how employee data is used.
Microsoft first and foremost believes employees should have clear and appropriate notice about how employee data may be used. That notice starts with Microsoft’ Data Privacy Notice for Employees, External Staff, Candidates and Guests (DPN). The DPN and its addenda set out the framework for all of Microsoft’s processing of employee data. If you have not yet taken the opportunity to review the DPN, we encourage you to do so. The DPN and its addenda are updated annually, and employees are reminded of the DPN on an annual basis through required privacy training.
In addition to the DPN, Microsoft will provide more specific privacy notice when it is required. For example, our Elite dogfooding programme frequently provides additional notice about the kinds of data being gathered when dogfooding new products. Additionally, your local employment contract or employee agreement may also contain provisions related to data processing.
II. When appropriate, Microsoft offers choice on how employee data is used.
While Microsoft does not rely on consent for processing most employee data (unless legally required), we do believe in offering employees choice as to how that data is processed, where appropriate. That choice can take many forms. In some cases, it’s offering employees the ability to opt-out of certain kinds of product features, or certain truly optional data uses. The Microsoft Data Programme (MDP) is a good example of this kind of choice. You can read more about that programme in the MDP Addendum to the DPN. That programme leverages approved Microsoft business data for product development and improvement, subject to a number of controls and limitations. Employees in countries where the programme is active are offered the ability to choose not to participate in the programme entirely, or to take steps to limit the kinds of data processed by that programme.
The unique nature of the employment relationship means that choice may be more limited or not available for certain kinds of data processing (payroll processing for example or, where permissible, aggregated data analytics). Similarly, where Microsoft has legal or contractual rights or obligations to process or disclose data, we cannot allow for choice in how that data is used.
III. Microsoft thoughtfully balances employee and company interests when using data.
Where processing of employee data is not wholly supported by legal, contractual or other specific requirements, Microsoft carefully considers its interests in using the data, and balances that interest against an individual employee’s privacy interests in the data. In particular, when it comes to using business data for certain kinds of optional or “secondary” uses, like product development, workplace analytics, or business insights, Microsoft deeply considers the impact such use may have on employee privacy, and what controls it can and should establish to protect employee privacy before proceeding. Microsoft might, for instance, provide opportunities to opt-out of particular data uses, ensure data is de-identified, pseudonymized or anonymized before use, use data aggregation in reporting and analysis, or implement other kinds of security measures and controls to ensure appropriate use of the data.
A good example of this is in our design and implementation of Viva Insights, which leverages data to surface insights directly to you to help you make decisions about how you are investing your time at work. These insights are not shared with your manager at an individual level, quite deliberately, to keep the insights at an appropriate team or group level as part of our commitment to employee privacy.
IV. Use of employee data is appropriately limited and controlled.
When Microsoft does make use of data it takes reasonable steps to ensure that we only use the data needed to fulfil a particular use. For example, we ask teams who want to use data for product development or experimentation to tailor their data needs to those that are strictly necessary for their work. Teams seeking to use our data must comply with existing privacy requirements or engage in rigorous processes that review access to, and uses of, employee data to ensure appropriate minimisation and scope of use. Access to data that is not necessary to support the intended scope is generally prohibited.
V. Microsoft provides access to employee data.
Microsoft routinely provides its employees access to their own data, such as their pay, benefits, holiday time, Rewards and Connects, through self-service portals. Microsoft also provides employees additional access to their individual data at the employee’s request, to the extent required by local law. Giving employees self-service access to, and the ability to make corrections and updates to that data as appropriate, ensures employees always have access to the data they care about most.
VI. Employee data is protected by industry leading security safeguards
In addition to privacy, the security of our employee data is paramount. Data related to our employees is carefully controlled. We minimise access to more sensitive data, such as that used by our HR teams, to those who truly have a business need to work with it and require teams to respect existing privacy requirements, or engage in a privacy review, for new uses of data to ensure that they are appropriate. Our employee data is also considered “customer data” by our engineering teams, requiring appropriate review, approval and controls before Microsoft would allow that data to be used.
Last Updated: December 2022
California: Your Rights
If you are an employee, external staff member, or candidate that resides in California, this section applies to you and supplements the information shared in the privacy notice.
California residents have specific rights regarding their personal information under the California Privacy Rights Act (“CPRA”). This section describes your rights and explains how to exercise those rights. Please note that in the preceding twelve (12) months, we have not sold your personal information or shared such information for cross context behavioural advertising. We may disclose certain personal information, such as your first name and surname, employee identification number, email address, bank account details, job title/position, and other similar contact data, financial information, and employment details with our subsidiaries and affiliates and other third parties, including service providers who provide services on behalf of Microsoft.
None of these rights are absolute and there may be circumstances in which we are required or permitted under applicable law not to address your request.
Only you or an authorised agent that you authorise to act on your behalf may make a verifiable request related to your personal information.
Any verifiable request (including those to delete data) must:
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable request does not require you to create an account with us.
We will not penalise you for exercising any of your rights where prohibited by law.
You may exercise your rights under the CPRA through one of the following means:
Last updated: October 2023
The following additional provisions apply to employees, candidates and external staff working in Canada.
Manner of Collection
We collect personal data that you provide directly to us (such as through the job application process or in connection with the management of your employment or working relationship) as well as information devices provide to us automatically, as described above. We may also collect personal data indirectly with consent. For example, we collect background verification information from third-party background screening providers and we may also obtain personal data from recruitment agencies or job references.
Transfer of Personal Data
We and our service providers (including affiliates) may access, store and otherwise process personal data outside of your province (including, for Quebec residents, outside of Quebec), including in other parts of Canada, the United States, and other foreign jurisdictions where we or our service providers are located. We, our affiliates and our service providers may disclose your personal data if we are required or permitted by applicable law or legal process, which may include lawful access by foreign courts, law enforcement or other government authorities in the jurisdictions in which we or our service providers operate.
Retention
We will process and keep your personal data for as long as is necessary to meet the purposes for which the information was collected as set out in this policy and to meet our legal or business requirements, as documented in our corporate data retention schedule.
Your Rights
Subject to limited exceptions under applicable law, you have the right to access, update, rectify and correct inaccuracies in your personal data in our custody and control and withdraw your consent to our collection, use and disclosure of your personal data (although an employee cannot withdraw consent to the collection of personal data necessary to administer their employment). You may request access, updates, rectification, and corrections of inaccuracies in your personal data in our custody or control or withdraw your consent by emailing AskHR@microsoft.com. We may require certain personal data for the purpose of verifying your identity or the identity of the individual making the request.
How to Contact Us
If you have any questions or comments about this privacy notice or the manner in which we or our service providers (including our service providers outside Canada) treat your personal data, or to request access to or correction of your personal data, or to withdraw your consent, please contact us by emailing AskHR@microsoft.com.
You can also contact our Privacy Officer by using our web form.
Last updated: May 2022
This China Notice is a supplement to the Microsoft Global Data Privacy Notice (“DPN”) and provides additional information about personal data processing as required by the China Personal Information Protection Law and its implementing rules and regulations (“Applicable Chinese Law”). In case of any inconsistencies between the DPN and the China Notice, this China Notice prevails.
With respect to this China Notice, "Personal Data" means "Personal Information" as defined under Applicable Chinese Law. Personal Data is any electronic or otherwise recorded information related to identified or identifiable natural persons, excluding anonymized data.
Personal Data that We Process
In addition to the types of Personal Data described under the “Personal Data that We Process” section in the DPN, we may also process the following Personal Data:
Under Applicable Chinese Law, the following non-exhaustive types of Personal Data that we collect from you, as necessary, may be considered sensitive Personal Data under Applicable Chinese Law:
Why We Process Personal Data
We process your Personal Data under a lawful basis of processing as provided by Applicable Chinese Law. Additionally, we process your Personal Data for the purposes described under the “Why We Process Personal Data” section in the DPN and for HR and workplace management, including investigations and disciplinary actions.
We collect and use sensitive Personal Data for the following purposes:
We will adopt strict security measures when processing sensitive Personal Data.
Your Rights to Your Personal Data
We respect your rights under Applicable Chinese Law. Under lawful circumstances, you may copy, consult, correct, complete, and delete your Personal Data. In certain circumstances, we may be unable to respond to your request to exercise your personal rights due to legal requirements, administrative regulations, or other legitimate purpose of processing Personal Data. You may exercise your rights via AskHR@microsoft.com.
Cross-Border Transfer of Personal Data
Microsoft operates globally. In order to perform general business management and operations, carry out HR management, fulfil legal obligations and for other lawful purposes, Microsoft may transfer Personal Data collected from you in China to Microsoft’s affiliated entities outside of China, for example, the US, where Microsoft is headquartered. When your Personal Data is transferred outside of China, we will ensure that the transfer complies with Applicable Chinese Law and will implement appropriate and necessary measures to provide an equivalent level of data protection in accordance with Applicable Chinese Law.
Last updated: October 2023
European Union, United Kingdom, and Switzerland: Your Data Subject Rights
In addition to the information shared in the privacy notice, EU, UK, and Switzerland employees, external staff and candidates (including individuals working in the EU, UK, and Switzerland, or in some circumstances individuals who normally reside in the EU, UK, and Switzerland who are working abroad) may have certain rights under applicable data protection laws, including the EU and UK General Data Protection Regulation (collectively, the “GDPR”) and local laws implementing or supplementing the GDPR and the Swiss Federal Act on Data Protection, including the rights to:
Please note that certain conditions, exceptions apply to these rights and that application of the above rights may vary depending on the type of personal data involved, and Microsoft’s particular basis for processing the personal data.
To make a request to exercise one of the above rights, please contact AskHR@microsoft.com by email or by letter to the following address:
HR Privacy
Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052 USA
We will consider and act upon any requests in accordance with applicable data protection laws. Please note that we may request certain information from you to enable us to confirm your identity. We may, in limited circumstances, charge you a reasonable fee for administrative costs in relation to responding to your request; however, we will advise you of any fee in advance.
If we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before withdrawal of consent.
EU, UK and Switzerland employees, external staff and candidates (including individuals working in the EU, UK, and Switzerland, or individuals who normally reside in the EU, UK, and Switzerland who are working abroad) may also direct questions about how we handle personal data to our Data Protection Officer by using our web form.
While we hope we can answer any questions that you may have, if you have unresolved concerns, you also have the right to complain to a relevant data protection supervisory authority in the EU, UK, and Switzerland.
For present and former employees, the controller of your personal data is the Microsoft entity that is or was your employer. For candidates, the controller of your personal data is the Microsoft entity to which you have applied for a role. For external staff, the Microsoft entity to which you provide services will be the controller of your personal data. Microsoft Corporation is also a controller of certain personal data of the above-mentioned data subjects. Any privacy-related queries for your data controller should be directed to AskHR@microsoft.com or by letter to the following address:
HR Privacy
Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052 USA
In addition, the contact information of the controller of your data is provided in your contract or job application.
Last updated: June 2024
This addendum applies to Learning and Skills Data that Microsoft processes about employees and external staff for various purposes, subject to compliance with local laws, our own internal policies, third-party terms of use (e.g., where skills data or training is provided by third parties), and applicable third-party contractual requirements.
Learning and Skills Data are information about your professional development activities, such as training and achievements, skills, and related interests. Sources of Learning and Skills Data include information about your:
Microsoft may process various kinds of data from the above sources including (but not limited to):
Microsoft also collects Learning and Skills Data in various contexts. For example, Microsoft collects Learning and Skills Data when you:
Microsoft uses Learning and Skills Data for the varied purposes set out below, which may involve automatic processing using machine learning and artificial intelligence applications, such as natural language processing.
To manage our employment or working relationship with you – including your career development opportunities
We process Learning and Skills Data for the purpose of managing our employment or working relationship with you, including fulfilling our obligations and commitments to you. Failure to provide your Learning and Skills Data when requested may prevent us from being able to carry out these tasks and/or comply with our legal obligations. For example, Microsoft uses Learning and Skills Data to:
To provide and improve our products and services
We process Learning and Skills Data to provide and improve our products and services. For example, when you register for Microsoft training or certification exams, we use your Learning and Skills Data to determine if you have completed the training and, if appropriate, meet certification benchmarks.
We process Learning and Skills Data for the purpose of improving our products and services. For example, we may:
Other lawful purposes
We process Learning and Skills Data for other lawful purposes, such as when:
Last updated: June 2024
This addendum applies to the Microsoft Data Programme (MDP) and the business-related data processed by MDP for purposes of debugging, testing, developing and improving new and existing products and services (“MDP Data”). MDP data may be used for scientific research purposes and to train AI and machine learning models. MDP and the terms of this addendum apply to Microsoft employees only, including former employees if they were employed at the time the data is extracted. External staff, guests and candidate data are specifically excluded from the scope of MDP. More information about the specific terms and scope of MDP can be found at the Learn More page. Employees may opt-out to limit their participation in the programme at any time, without adverse consequence by clicking here http://aka.ms/MDPOptOut.
MDP is aimed primarily at the processing of data or information that is transmitted, created, exchanged or stored by Microsoft employees using Microsoft internal systems, software, services, and assets within the scope of their employment. Microsoft will make reasonable efforts to implement controls to exclude nonbusiness-related data from the scope of MDP, where possible. While those controls are intended to limit the scope of MDP to processing Microsoft business-related data (as described further at the Learn More page), MDP may incidentally process certain personal content for employees that is created, stored or transmitted in Microsoft owned or provided systems and resources. When that occurs, Microsoft will continue to make reasonable efforts to refine its controls to better exclude such data in the future. At all times, MDP’s processing of data will comply with the stated requirements for MDP, as well Microsoft’s internal policies (including the Responsible Use of Technology Policy), as well as local law.
Sources of MDP data include, but are not limited to, emails and calendar information in Exchange, files stored in OneDrive for Business, content of meeting recordings, voice collected on work devices, messages in Viva Engage (formerly known as Yammer) and Teams, content on SharePoint sites, diagnostic data from work devices, search data, product and services feedback data, and internal line of business applications such as those applications developed to support sales processes (e.g., MSX). These are representative and non-exhaustive examples of the types of Microsoft business-related data from which MDP may process data. Up-to-date information concerning MDP can be found at the Learn More page.
In addition to content-related data from the above sources, Microsoft may also process various additional kinds of data from the above sources in support of MDP including (but not limited to):
Basic Demographic Data, including, for example, your name and alias, etc.;
Meta-data associated with the applicable content, such as time and date information, signals related to authorship and modification of data, document and meeting titles, etc.; and
Telemetry data, such as data related to product and feature usage, associated with the above content types and services, or machine-related data such as software version history, machine type, operating system version, etc.
Microsoft’s use of MDP data is premised on Microsoft’s legitimate interest in using its own business data for business-related purposes, as that use strongly exceeds our employee’s individual interest in the privacy of such business-related data. Microsoft may process certain MDP data based on employee consent, to the extent: (1) an individual’s privacy interest would exceed Microsoft’s interest in the processing; and (2) local law requires Microsoft to obtain consent prior to such processing. Where consent constitutes the primary basis for processing data under MDP, Microsoft will in all cases ensure consent is voluntary and informed and will also ensure employees suffer no adverse consequence for refusing to give or later revoking such consent, and gain no specific benefit from choosing to participate or contribute data to MDP.
Last updated: June 2021
Employees in Türkiye: Privacy Notice
With respect to the data processing activities concerning employees, candidates and external staff in Türkiye, Microsoft Bilgisayar Yazılım Hizmetleri Limited Şirketi acts as the data controller, within the purposes of the Law on the Protection of Personal Data numbered 6698 (the “Law”).
With respect to the data processing activities concerning employees, candidates and external staff of the Liaison Office (MEA HQ) in Türkiye, Microsoft Ireland Research ULC acts as the data controller, within the purposes of the Law.
In addition to the information shared above, we process personal data relating to you for the purposes of conducting contract management, audit, and ethics processes.
Such data may be obtained by means of email, telephone, web services, courier/post, physical and online forms, as well as photographs and video recordings during events and organisations, in both physical and electronic environments.
Personal data are processed on the following legal grounds: being envisaged under the laws; compliance with legal obligations; being necessary for the establishment, exercise and protection of a right, conclusion and performance of an agreement; legitimate interests of the data controller; and if provided, your explicit consent, as specified within the scope of the Law.
As data subjects, you are entitled to the rights, set forth under Article 11 of the Law. In accordance with the Communiqué on Principles and Procedures for Applications to Data Controllers, and to be concluded within 30 days, you may convey your requests concerning your rights under Article 11 of the Law, by the following means: