GDPR: Data Subject Requests (DSRs)

How Microsoft enables you to respond to Data Subject Requests.

The GDPR grants individuals (or data subjects) certain rights in connection with the processing of their personal data, including the right to correct inaccurate data, erase data or restrict its processing, receive their data, and have a request to transmit their data to another controller fulfilled. Below we discuss what the GDPR requires of controllers (you) and processors (Microsoft) to respond to those requests, and how Microsoft will enable you to do so.

DSR Documentation for Online Services

Office 365

Dynamics 365

Visual Studio Family

Microsoft Professional Services

Data Subject Request admin tools

Security & Compliance Center

User-generated data is exported by the Security & Compliance Center or in-application features.

Azure AD Admin Center

Delete a data subject from Azure Active Directory and related services using Azure AD Admin Center.

Microsoft Data Log Export

System-generated logs can be exported by tenant administrators using the Microsoft Data Log Export.

Data Subject Request frequently asked questions

Below are important questions and answers about responding to a DSR.


The GDPR requires you, as controller, to be able to:

  • Give data subjects a copy of their personal data, together with an explanation of the categories of their data that are being processed, the purposes of that processing, and the categories of third parties to whom their data may be disclosed.
  • Help every individual exercise their right to correct inaccurate personal data, erase data or restrict its processing, receive their data in a readable form, and where applicable, fulfill a request to transmit their data to another controller.


We must implement the appropriate technical and organizational measures to assist you in responding to requests from data subjects exercising their rights as discussed above.

You can find a series of GDPR-related articles here. Produced by Microsoft, they provide recommended approaches for on-premises workloads for SharePoint Server, Exchange Server, Skype for Business Server, Project Server, Office Web Apps Server, Office Online Server, and on-premises file shares.

Online Services offer a host of capabilities to enable you, as a controller, to respond to a data subject’s request. Microsoft enterprise online services and administrative controls help you act on personal data responsive to data subject rights requests, allowing you to discover, access, rectify, restrict, delete, and export personal data that resides in the controller-managed data stored in Microsoft’s cloud. Online Services also provide data in machine-readable form should you need it.


The DSR documentation provides more information about how specific Microsoft online services enable you to handle data subject requests, including general instructions on how to execute a DSR.