Yes. Our Office 365 and Microsoft Dynamics CRM Online customers around the world are subject to many different laws and regulations. Legal requirements in one country or industry may be inconsistent with legal requirements applicable elsewhere. As a provider of global cloud services, we must run our services with common operational practices and features across multiple customers and jurisdictions. To help our customers comply with their own requirements, we build our services with common privacy and security requirements in mind, and our built-in capabilities help enable compliance with a wide range of regulations and privacy mandates.
However, it is ultimately up to our customers to evaluate our offerings against their own requirements, so they can determine whether our services satisfy their regulatory needs. We are committed to providing our customers detailed information about our cloud services to help them make their own regulatory assessments.
Information on certifications that may assist in regulatory compliance is located in the Security, audits, and certification section.
It is your obligation to comply with your regulatory obligations. We provide you with information to help you do so.
We commit to compliance with data protection and privacy laws generally applicable to IT service providers. If you are subject to industry or jurisdictional requirements, you will need to make your own assessment of your ability to comply, but customers in many industries and geographies have found they can use Office 365 and Microsoft Dynamics CRM Online in a manner that remains in compliance with applicable regulations, provided they utilize the services in a manner appropriate to their particular circumstances.
For example, organizations covered by the EU Data Protection Directive should have their own policies, security, and training program in place to ensure their personnel do not use Office 365 or Microsoft Dynamics CRM Online services in a way that violates the Directive. Office 365 and Microsoft Dynamics CRM Online will do our part by abiding by the contractual promises we have made, thereby helping you remain compliant.
For example, a European Union (EU) customer may store a customer list that includes contact information. Office 365 and Microsoft Dynamics CRM Online have security procedures in place to ensure that Microsoft personnel do not inappropriately access or disclose this information. However, one of the customer’s employees, who is a user of Microsoft Exchange Online, might use the service to send such a customer list to a marketer without appropriate consent. Any resulting violation of EU data protection requirements arising from Office 365 and Microsoft Dynamics CRM Online having followed the direction of the customer—namely, by causing an email to be sent in the ordinary course of providing the services—is the customer's responsibility.
Under the EU Data Protection Directive and our contractual commitments, Office 365 and Microsoft Dynamics CRM Online act as the custodian of your data, essentially a subcontractor (the law calls us the "data processor").
You, the customer, have ownership of your data and the responsibility under the law for making sure that we are following the rules and that it is legal for you to be sending personal data to us (the law calls you the "data controller"). You must determine for your business in your particular situation if you may use our services to process and store your personal data.
Requirements of the EU Data Protection Directive have been accounted for in the design and operation of our services for normal use, and we continually monitor this area for changes relevant to the evolution of the services.
We understand that some customers need assurances regarding transfers of personal information, which is why we are willing to sign the EU Model Clauses (also known as the “Standard Contractual Clauses”) with all customers. For more information on transfer of data outside the EU, see the Data Maps section of the Trust Center.
In some countries, we also adhere to the security requirements for storage of sensitive personal data, as defined by law. If you have concerns because of the rules in your country or the type of data you are storing, or would like more information about the practices and supported features of Office 365 or Microsoft Dynamics CRM Online, and if you are otherwise unable to find that information in the service documentation, you can contact Support. To the extent that it does not weaken our security to reveal helpful information, we will do so in order to help you make your own determination regarding the acceptability of the implementation of Office 365 or Microsoft Dynamics CRM Online against your requirements.
You should read the Compliance common questions and understand that just because Office 365 and Microsoft Dynamics CRM Online support your organization’s compliance with privacy laws, this does not mean that your organization is compliant; there may be additional steps you need to implement, such as putting the right company policies in place and training employees in good privacy practices. Also, depending on your country, there may be additional steps you need to take to comply with local law, such as filing information with your data protection agency.
No, Office 365 and Microsoft Dynamics CRM Online, as data processors, do not register with EU authorities the customer data that we process on behalf of our customers.
We help our customers comply with HIPAA and are willing to sign a HIPAA BAA with all customers. Please see the HIPAA/HITECH FAQ for more information.
Office 365 and Microsoft Dynamics CRM Online help customers comply with the security requirements of GLBA by providing technical and organizational safeguards to help customers maintain security and prevent unauthorized usage.
Microsoft can provide customers, on request, a summary report of a third-party certification by an independent auditor.
Office 365 and Microsoft Dynamics CRM Online do not support the processing, transmitting, or storing of PCI-governed data, such as credit card numbers.
The PCI standard is not applicable to Office 365 or Microsoft Dynamics CRM Online, because credit card processing and data storage is not a function offered by Office 365 or Microsoft Dynamics CRM Online. Office 365 and Microsoft Dynamics CRM Online do apply applicable security policies and controls defined by industry best practices, such as ISO 27001 and others.
Please note, however, that the Office 365 and Microsoft Dynamics CRM Online ordering, billing, and payment systems that handle credit card data are Level One PCI Compliant, and customers can use credit cards to pay for the services with confidence.
Is Office 365 compliant with FERPA?
While an educational institution has many varied obligations under FERPA, Microsoft stipulates the key contractual terms that govern the use and disclosure of education records that may be stored in Office 365, allowing educational institutions to use Office 365 as part of a broader FERPA compliance strategy.
FERPA requires any educational agency or institution that receives funding from the U.S. Department of Education to protect privacy rights of students by safeguarding “education records” from use or disclosure without consent. Department of Education guidance makes clear that email communications are considered education records subject to FERPA and that cloud email providers should be similarly restricted in how they use or disclose information in emails and documents.
FERPA requires that a cloud provider agree that “education records” contained in faculty, staff, and student emails and other electronic documents will be used only for the narrow purpose of providing the cloud service and that such information will not be scanned or used to support and maintain commercial activities such as advertising. Microsoft provides educational institutions with a route to FERPA compliance by agreeing to be deemed a “school official” subject to FERPA with “legitimate educational interests” in the institution’s data, and by agreeing to abide by the limitations and requirements imposed by FERPA on school officials, including agreeing that it will not scan institution emails or documents for advertising purposes.
If my school uses Office 365, does Microsoft require direct parental consent for students under the age of 13 to ensure COPPA compliance?
No. Microsoft uses Office 365 customer data only to provide the Office 365 service and not for other commercial purposes (such as for advertising or marketing or to build commercial profiles). The Federal Trade Commission (FTC) has stated that under such circumstances an “operator is not required to obtain consent directly from parents.”
Microsoft provides Office 365 to the school as our customer and all customer data belongs to the school. We do not use or share Office 365 customer data for any other commercial purposes (for example, in connection with advertising or marketing or to build user profiles for commercial purposes not related to the provision of Office 365). For more information, please visit the Office 365 Trust Center. Accordingly, the FTC’s guidance indicates that an operator such as Microsoft does not need to obtain direct consent from parents of students using the service—even if they are under the age of 13. As the FTC explains, COPPA allows schools to act as either as an intermediary for parental consent or “the parent’s agent in the process of collecting personal information online from students in the school context” where, as here, the operator collects users’ personal information only for the use and benefit of the school. However, consistent with the FTC’s guidance, we believe schools should forward information to parents about how personal information is collected, used, and shared in Office 365—including assurances that Microsoft will not use such information for other commercial purposes—in the school’s own Acceptable Use Policies for Internet Use or similar document that educates parents about in-school Internet use of Office 365 and any other online services, whether provided by Microsoft or other providers. For more information on COPPA compliance generally, see the FTC’s Complying with COPPA: Frequently Asked Questions. For unique issues related to COPPA and Schools, refer to FAQs M1 to M4 from the foregoing document.
If my business is subject to the Children’s Online Privacy Protection Act (COPPA), can I use Office 365 and remain compliant?
Yes. Microsoft uses customer data only to provide the Office 365 service and does not use or share the data for its own or a third party’s commercial purposes, such as for advertising purposes. Moreover, Office 365 provides features and security that support customers’ compliance with COPPA.
We understand that Microsoft customers may use Office 365 in connection with activities that may be governed by COPPA—like providing commercial online services directed to children under 13 years of age or otherwise knowingly collecting personal information from such children. Office 365 customers are ultimately responsible for complying with their own COPPA obligations, which may include providing parents with notice of the customer’s practices regarding the collection, use, and disclosure of personal information from children under 13, and obtaining any necessary parental consents. However, the use of Office 365 creates no additional COPPA burdens for customers beyond those that would apply if the customer used an on-premises solution. Microsoft uses the customer data in the Office 365 services only for the benefit of the customer—we don’t use or share customer data for commercial purposes other than to provide the Office 365 service. Moreover, Office 365 supports customers’ compliance with COPPA through our implementation of extensive measures designed to help protect the confidentiality, security, and integrity of customer data. For more information on COPPA compliance generally, see the FTC’s Complying with COPPA: Frequently Asked Questions.
If my organization is subject to the Children’s Internet Protection Act (CIPA), does Office 365 provide controls that help with compliance?
Yes. CIPA requires certain schools and libraries that receive funds from the U.S. Department of Education, or that receive certain discounted services through the U.S. E-rate program, to annually certify that they have an Internet safety policy that includes technological measures to protect against Internet access to visual depictions that are obscene, child pornography, or harmful to minors. Entities subject to CIPA must also certify that their Internet safety policy addresses unauthorized disclosure, use, and dissemination of personal information regarding minors, among other requirements. Although CIPA obligations do not directly apply to Microsoft or to the provision of Office 365 services, and customers must independently assess whether their Internet safety policy complies with CIPA obligations (including technological measures governing web access entirely unrelated to Office 365), the Office 365 service supports customer compliance through administrative controls that allow customers to control user access to Office 365 components, and through the implementation of extensive security measures designed to help safeguard customer data.
For Japanese customers: Can I use Office 365 and Microsoft Dynamics CRM Online and still comply with Japan’s My Number Act?
Customers can be compliant with the My Number Act while using Office 365 and Microsoft Dynamics CRM Online with My Number data.
Customers need to have appropriate safety measures to protect My Number data as required by the law. For details, please see Q3-13 of Q&A of the Guidelines for proper handling of Specific Personal Information (for private entities) (“Q&A”) by Specific Personal Information Protection Commission (“the Commission”). Microsoft does not have standing access to customer content stored in Office 365 and Microsoft Dynamics CRM Online. As such, Microsoft believes that using Office 365 is not considered “outsourcing” of My Number data, and an outsourcing contract is not needed. Please see Q3-12, Q&A.
日本向け: マイナンバーを含むデータをOffice 365 とMicrosoft Dynamics CRM Online で取り扱うことはマイナンバー法上の問題がありますか？
お客様がOffice365 と Microsoft Dynamics CRM Online ででマイナンバーを取り扱うことにマイナンバー法上の問題はありません。
お客様は、法律上要求される安全管理措置を講ずる必要があります。詳細は、特定個人情報保護委員会の「特定個人情報の適正な取り扱いに関するガイドライン（事業者編）」に関するQ&A（「Q&A」）の Q3-13を参照してください。マイクロソフトは原則お客様のデータにアクセスしません。したがって、番号法上の「委託」には該当せず、委託契約も不要との取扱いになると理解しております。詳細は、Q&A Q3-12を参照してください。