GDPR frequently asked questions
To assist you, and your organization, in your journey to GDPR, we compiled a list of frequently asked questions, and more importantly, the answers.
Yes. The GDPR requires controllers (such as organizations using Microsoft’s enterprise online services) to only use processors (such as Microsoft) that provide sufficient guarantees to meet key requirements of the GDPR. Microsoft has taken the proactive step of providing these commitments to all Volume Licensing customers as part of their agreements.
You can find the contractual commitments of Microsoft with regard to the GDPR under Customer agreements on the GDPR Overview page.
Microsoft provides tools and documentation to support your GDPR accountability. This includes support for Data Subject Rights, performing your own Data Protection Impact Assessments, and working together to resolve personal data breaches. Visit the GDPR Overview page.
Microsoft’s GDPR Terms reflect the commitments required of processors in Article 28. Article 28 requires that processors commit to:
- Only use subprocessors with the consent of the controller and remain liable for subprocessors.
- Process personal data only on instructions from the controller, including with regard to transfers.
- Ensure that persons who process personal data are committed to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk.
- Assist controllers in their obligations to respond to data subjects’ requests to exercise their GDPR rights.
- Meet the breach notification and assistance requirements.
- Assist controllers with data protection impact assessments and consultation with supervisory authorities.
- Delete or return personal data at the end of provision of services.
- Support the controller with evidence of compliance with the GDPR.
Microsoft has long used the Standard Contractual Clauses (also known as the Model Clauses) as a basis for transfer of data for its enterprise online services. The Standard Contractual Clauses are standard terms provided by the European Commission that can be used to transfer data outside the European Economic Area in a compliant manner. Microsoft has incorporated the Standard Contractual Clauses into all of our Volume Licensing agreements via the Online Services Terms. The Article 29 Working Party has specifically found that Microsoft’s implementation of the Standard Contractual Clauses is compliant.
And when the EU-US Privacy Shield became available, Microsoft was the first company to certify. See Microsoft’s certification to the Privacy Shield, and read the Online Services Terms. The EU-US Privacy Shield helps customers that want to transfer their data to the US do so in a manner consistent with their data protection obligations.
As a global company with customers in nearly every country in the world, Microsoft has a robust compliance portfolio to assist our customers. To view a complete list of our compliance offerings, including FedRAMP, HIPAA/HITECH, ISO 27001, ISO 27002, ISO 27018, NIST 800-171, UK G-Cloud, and many others, visit our compliance offering list.
To find information about capabilities in Microsoft services used to address requirements of the GDPR, please visit www.microsoft.com/trust-center/privacy/gdpr-accountability-documentation.
The GDPR imposes a wide range of requirements on organizations that collect or process personal data, including a requirement to comply with six key principles:
- Transparency, fairness, and lawfulness in the handling and use of personal data. You will need to be clear with individuals about how you are using personal data and will also need a "lawful basis" to process that data.
- Limiting the processing of personal data to specified, explicit, and legitimate purposes. You will not be able to re-use or disclose personal data for purposes that are not "compatible" with the purpose for which the data was originally collected.
- Minimizing the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
- Ensuring the accuracy of personal data and enabling it to be erased or rectified. You will need to take steps to ensure that the personal data you hold is accurate and can be corrected if errors occur.
- Limiting the storage of personal data. You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected.
- Ensuring security, integrity, and confidentiality of personal data. Your organization must take steps to keep personal data secure through technical and organizational security measures.
You will need to understand what your organization’s specific obligations under the GDPR are and how you will meet them, though Microsoft is here to help you on your GDPR journey.
To learn more about the General Data Protection Regulation (GDPR), please visit www.microsoft.com/gdpr. To learn more about how specific Microsoft products can help you prepare to comply with the GDPR, please see the sections on Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, and Windows 10.
The GDPR provides EU residents with control over their personal data through a set of “data subject rights.” These include the right to:
- Access information about how personal data is used.
- Access personal data held by an organization.
- Have incorrect personal data deleted or corrected.
- Have personal data rectified and erased in certain circumstances (sometimes referred to as the "right to be forgotten").
- Restrict or object to automated processing of personal data.
- Receive a copy of personal data.
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Yes, the GDPR applies to both controllers and processors. Controllers must only use processors that take measures to meet the requirements of the GDPR.
Under the GDPR, processors face additional duties and liability for noncompliance, or acting outside of instructions provided by the controller, as compared to the Data Protection Directive. Processor duties include, but are not limited to:
- Processing data only as instructed by the controller.
- Using appropriate technical and organizational measures to protect personal data.
- Assisting the controller with data subject requests.
- Ensuring subprocessors it engages meet these requirements.
Companies can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to meet certain GDPR requirements. Additional individual remedies could increase your risk if you fail to adhere to GDPR requirements.
It depends on several factors identified within the regulation. Article 37 of the GDPR states that controllers and processors shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Meeting compliance with the GDPR will cost time and money for most organizations, though it may be a smoother transition for those who are operating in a well-architected cloud services model and have an effective data governance program in place.
The GDPR regulates the collection, storage, use, and sharing of "personal data." Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.
Personal data can include, but is not limited to, online identifiers (e.g., IP addresses), employee information, sales databases, customer services data, customer feedback forms, location data, biometric data, CCTV footage, loyalty scheme records, health and financial information and much more. It can even include information that does not appear to be personal – such as a photo of a landscape without people – where that information is linked by an account number or unique code to an identifiable individual. And even personal data that has been pseudonymized can be personal data if the pseudonym can be linked to a particular individual.
You should also be aware that the processing of certain "special" categories of personal data – such as personal data that reveals a person's racial or ethnic origin, or concerns their health or sexual orientation – is subject to more stringent rules than the processing of "ordinary" personal data.
This evaluation of personal data is highly fact-specific, so we recommend engaging an expert to evaluate your specific circumstances.
Yes. Although the rules differ somewhat, the GDPR applies to organizations that collect and process data for their own purposes ("controllers") as well as to organizations that process data on behalf of others ("processors"). This is a shift from the existing Data Protection Directive, which applies to controllers.
Personal data is any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. Examples of personal data include:
- Home address
- Work address
- Telephone number
- Mobile number
- Email address
- Passport number
- National ID card
- Social Security Number (or equivalent)
- Driver's license
- Physical, physiological, or genetic information
- Medical information
- Cultural identity
- Bank details / account numbers
- Tax file number
- Credit/Debit card numbers
- Social media posts
- IP address (EU region)
- Location / GPS data
Yes; however, the GDPR strictly regulates transfers of personal data of European residents to destinations outside the European Economic Area. You may need to set up a specific legal mechanism, such as a contract, or adhere to a certification mechanism in order to enable these transfers. Microsoft details the mechanisms we use in the Online Services Terms.
Where there are legitimate grounds for continued processing and data retention, such as “for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject” (Article 17(3)(b)), the GDPR recognizes that organizations may be required to retain data. You should, however, make sure you engage your legal counsel to ensure that the grounds for retention are weighed against the rights and freedoms of the data subjects, their expectations at the time the data was collected, etc.
Encryption is identified in the GDPR as a protective measure that renders personal data unintelligible when it is affected by a breach. Therefore, whether or not encryption is used may impact requirements for notification of a personal data breach. The GDPR also points to encryption as an appropriate technical or organizational measure in some cases, depending on the risk. Encryption is also a requirement through the Payment Card Industry Data Security Standard and part of the strict compliance guidelines specific to the financial services industry. Microsoft products and services such as Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, SQL Server/Azure SQL Database, and Windows 10 offer robust encryption for data in transit and data at rest.
To learn more about how Microsoft products and services can help you prepare to comply with the GDPR, please see how our products help you meet GDPR requirements.
The GDPR will change data protection requirements and impose stricter obligations on processors and controllers regarding notice of personal data breaches. Under the new regulation, the processor must notify the data controller of a personal data breach, after having become aware of it, without undue delay. Once aware of a personal data breach, the controller must notify the relevant data protection authority within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, controllers will also need to notify impacted individuals without undue delay. Additional guidance on this topic is being developed by the EU’s Article 29 Working Party.
Microsoft products and services—such as Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, and Windows 10—have solutions available today to help you detect and assess security threats and breaches and meet the GDPR’s breach notification obligations.
Microsoft FastTrack is a service benefit*, our customer success service to help businesses realize business value faster with the Microsoft Cloud. FastTrack helps to:
- Migrate email and content, and light up Microsoft 365 services.
- Deploy and securely manage devices.
- Enable your business and gain end-user adoption.
Microsoft FastTrack is an ongoing and repeatable service benefit, available to customers, and delivered by Microsoft engineers and specialists to help customers or partners to plan, onboard and drive adoption/usage and help to move to the cloud confidently and at customers' and partners' own pace.
As we help customers with specific deployments and migration to our Online Services, Microsoft FastTrack commits to being GDPR compliant by the time enforcement begins on May 25, 2018. As part of the FastTrack professional service benefit, we also work with our customer’s existing partner(s) or refer Partners for deployment and adoption assistance.
Refer to https://FastTrack.Microsoft.com for further information.
*”Service benefit” is considered a “professional service” as defined by our OST and MBSA.
The FastTrack engineers and specialists are industry experts in the planning for the scenarios and business value customers or partners want to achieve, and are focused on the planning, deployment and driving adoption of the products and services to help customers or partners achieve these objectives. Learn more about how Microsoft’s products and services support your compliance with GDPR via our Trust Center website. We encourage our customers and partners to work with a legally qualified professional to discuss GDPR, how it applies specifically to their organization, and how best to ensure compliance.
We advise that our customers should work with their own legal and compliance teams to determine GDPR requirements for encryption and overall GDPR requirements. GDPR compliance is specific to a customer’s data collected, use scenarios, and industry sectors or vectors.
Microsoft FastTrack is a customer success service committed to delivering faster deployments, ROI and driving higher adoption for your employees or end users of Microsoft products and services. With that in mind, as customers or partners submit a request for assistance through Microsoft FastTrack, we will begin our process to appropriately deploy the Microsoft products and services for our customers or partners.
As part of our FastTrack professional service benefit, we also work with our customer’s existing partner(s) or refer Partners for deployment and adoption assistance. You can learn more about Partners specialized in GDPR who are available to help Microsoft Partners toward compliance as described on the Trust Center’s GDPR page here. You can reference our Trusted Cloud/GDPR web page to assess your readiness for the GDPR and how you can accelerate GDPR compliance with the Microsoft Cloud, and use Microsoft FastTrack for deployment assistance.