Data breach notification under the GDPR
The GDPR mandates notification requirements for data controllers and processors in the event of a breach of personal data. The information below discusses those provisions, how Microsoft tries to prevent breaches in the first place, how Microsoft detects a breach, and how Microsoft will respond in the event of breach and notify you as a data controller.
Personal data means any information related to an individual that can be used to identify them directly or indirectly. A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
In the event of a breach of personal data that is likely to result in a high risk to the rights and freedoms of individuals (such as discrimination, identity theft, fraud, financial loss, or damage to their reputation), the GDPR requires you to:
- Notify the appropriate Data Protection Authority (DPA) within 72 hours of becoming aware of it—for example, after Microsoft notifies you. If you don’t notify the DPA within that time period, you’ll need to explain why to the DPA. This notice to the DPA is required even where there is a risk to individuals that is not likely to result in a high risk.
- Notify the data subjects of the breach without undue delay.
- Document the breach including a description of the nature of the breach—such as how many people were impacted, the number of data records affected, the consequences of the breach, and any remedial action your organization is proposing or took.
After we become aware of a personal data breach, the GDPR requires us to notify you without undue delay. Where Microsoft is a processor our obligations reflect both GDPR requirements and our standard, worldwide contractual provisions. We consider that all confirmed personal data breaches are in scope; there is no risk of harm threshold. We will notify our customers whether the data breach was suffered by Microsoft directly or by any of our sub-processors. We have processes in place to quickly identify and contact security incident personnel you’ve identified in your organization. In addition, all sub-processors are contractually obliged to report their own breaches to Microsoft, and provide guarantees to that effect.
All our services and personnel follow internal incident management procedures to ensure that we take proper precautions to avoid data breaches in the first place. However, in addition, Online Services have specific security controls in place across our platforms to detect data breaches in the rare event that they occur.
To support you in the event of a breach of personal data Microsoft has:
- Security personnel trained on the specific procedures to follow.
- Has policies, procedures, and controls in place to ensure that Microsoft maintains detailed records. This includes documentation that captures the facts of the incident, its effects, and remedial action, as well as tracking and storing information in our incident management systems.
Microsoft has policies and procedures in place to notify you promptly. To satisfy your notice requirements to the DPA, we will provide a description of the process we used to determine if a breach of personal data has occurred, a description of the nature of the breach and a description of the measures we took to mitigate the breach.