European Union Model Clauses
European Union (EU) data protection law regulates the transfer of EU customer personal data to countries outside the European Economic Area (EEA), which includes all EU countries and Iceland, Liechtenstein, and Norway. The EU Model Clauses are standardized contractual clauses used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law and meet the requirements of the EU Data Protection Directive 95/46/EC.
Microsoft has invested in the operational processes necessary to meet the exacting requirements of the Model Clauses for the transfer of personal data to processors. Microsoft offers customers Model Clauses, referred to as Standard Contractual Clauses, that make specific guarantees around transfers of personal data for in-scope Microsoft services. This ensures that Microsoft customers can freely move data through the Microsoft cloud from the EEA to the rest of the world.
However, Microsoft enterprise customers, who are the controllers of the personal data, carry the primary obligation to protect that data. This means that EEA enterprise customers have a strong interest in ensuring that their service provider abides by EU data protection laws, or the customer can face liability—and even blockage of its ability to use a service.
On a practical level, compliance with EU data protection laws also means that customers need fewer approvals from individual authorities to transfer personal data outside of the EU, since most EU member states do not require additional authorization if the transfer is based on an agreement that complies with the Model Clauses.
Microsoft provided its Standard Contractual Clauses to the EU's Article 29 Working Party for review and approval. The Article 29 Working Party includes representatives from the European Data Protection Supervisor, the European Commission, and each of the 28 EU data protection authorities (DPAs).
The group determined that implementation of the provisions in Microsoft agreements was in line with their stringent requirements. (Microsoft was the first cloud service provider to receive a letter of endorsement and approval from the group.) Approval covered the engagements reflected in Model Clauses 2010/87/EU but not in the appendices, which describe the transfers of data and the security measures implemented by the data importer. The appendices need to be completed by Microsoft and its clients when signing the contract and may be analyzed separately by the DPA.
Frequently asked questions
This directive sets the baseline for handling personal data in the EU. It provides the regulatory framework under which Microsoft transfers personal data out of the EU. Under this directive and our contractual agreements, Microsoft acts as the data processor of customer data. The customer acts as the data controller, with final ownership and responsibility for ensuring that the data can be legally provided to Microsoft for processing outside of the EEA.
A service provider that commits contractually to the Model Clauses gives its customers assurance that personal data will be transferred and processed in compliance with EU data protection law. Use of the Model Clauses also means that customers need to get fewer approvals from individual data-protection authorities to transfer personal data outside the EU.
Compliance is a contractual commitment. Microsoft Standard Contractual Clauses are available to all cloud customers in the Online Services Terms; for other services, see your existing agreement with Microsoft.
A "sub-processor" is someone who processes personal data following the data controller’s instructions, as well as the terms of the EU Model Clauses and the subcontract. Microsoft customers—independent software vendors (ISVs), in particular—are sometimes themselves data processors; in those instances, Microsoft is the sub-processor.
You can enter an agreement such, as the Online Services Terms, or explore amending your existing agreement to incorporate the Standard Contractual Clauses.
Microsoft continually assesses the EU standards, and updates its services as needed.
Microsoft in-scope services
API Management, App Service: Mobile Apps, App Service: Web Apps, Application Gateway, Automation, Azure Active Directory, Azure IoT Hub, Azure Resource Manager, Backup, Batch, BizTalk Services, Cloud Services, Data Catalog, Data Factory, Azure Cosmos DB, Event Hubs, ExpressRoute, HDInsight, Key Vault, Load Balancer, Log Analytics (formerly Operational Insights), Machine Learning, Media Services, Multi-Factor Authentication, Notification Hubs, Portal, Redis Cache, RemoteApp, Rights Management, Scheduler, Service Bus, Service Fabric, Site Recovery, SQL Database, Storage, Storage Premium, StorSimple, Stream Analytics, Traffic Manager, Virtual Machines, Virtual Network, and VPN Gateway
- Cloud App Security
- Commercial Support: Premier and On Premises for Azure, Dynamics 365, Intune, and for Medium Business and Enterprise customers of Office 365
- Dynamics 365 detailed list
- Intune: Cloud service portion of the Intune Add-on Product and Mobile Device Management for Office 365
- Microsoft Flow cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Office 365 detailed list
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
- Visual Studio Team Services