The German Data Protection Conference (DSK) concludes that Microsoft Office 365 cannot be used in compliance with data protection law. The reason given is that many formulations in Microsoft's data protection provisions and in the online terms for Office 365 are kept vague, and that access by US authorities to customer data cannot be ruled out. In the view of the supervisory authorities, the data protection provisions for the cloud-based software package are not compatible with Art. 28 GDPR on processing by a processor on behalf of a controller (commissioned processing).
The main points of criticism are:
- The terms set by Microsoft in the Online Service Terms and the Data Processing Addendum do not make sufficiently clear which user-related data is processed, or how. Nor do they allow separate data protection requirements and risk levels to be determined for the individual processing operations. Such information should already be apparent from the data processing agreement itself. The DSK therefore proposes more transparency by means of free-text fields in the agreement that can be adapted individually where necessary.
- In addition, the legal basis for Microsoft's collection and use of telemetry and diagnostic data is unclear. There is no legal basis for transferring personal data from the user to Microsoft other than the data processing agreement, and telemetry collection is not covered by it. In particular, use by public authorities cannot be specified with sufficient precision, given the individual and international regulations that apply to them. Microsoft's statement that processed data may also be disclosed outside the customer's instructions where this is required by law, for example, is not considered sufficiently concrete. In particular, the effects of the US CLOUD Act have not been sufficiently clarified in this context.
- It is also questionable whether Microsoft protects user data sufficiently and for how long it is stored. It remains unclear which technical and organisational measures, appropriate to the risk, are taken for the processing of personal data.
- Another point of criticism is the inadequate regulation of transfers of user data to subcontractors (sub-processors). This becomes problematic, for example, where service providers are engaged subsequently to extend the scope of Windows without the explicit consent of the user. A general prior written authorisation by the customer is only sufficient if the customer has a current overview of the other service providers to whom the user data is passed on.