Data protection and Microsoft Office 365: GDPR-compliant use for companies
The cloud-based version Office 365 from Microsoft is an established standard for office activities and contains products such as Outlook, Word, PowerPoint, Excel or OneDrive. Microsoft Office 365 has, however, also been the subject of repeated criticism by data protection supervisory authorities. In the following article, we will show you which data protection challenges exist and how you can solve them in a GDPR compliant manner.
Most important information about the data protection classification of Office 365
- Microsoft's cloud-based Office 365 is an established standard for office operations
- From a data protection point of view, the processing by Microsoft is very controversial, but the data protection supervisory authorities have not currently issued a uniform ban.
- Currently, there is no satisfactory recommendation from the supervisory authorities on the data protection-compliant use of Microsoft Office 365.
- Despite this, data controllers in companies are required to implement risk-minimising measures and data protection-friendly default settings.
- To minimise the risk of potential fines, the Office 365 configurations described in this article are required
Background information: What are the latest developments on Office 365 and GDPR-compliant deployment?
Microsoft's Office products set today's standard for contemporary office software. In addition to Microsoft Word for word processing and Microsoft Excel for spreadsheets, Microsoft PowerPoint is indispensable for professional presentations. Microsoft Exchange in conjunction with Microsoft Outlook represents a de facto standard for e-mailing, contact management and calendar management in the business context.
The Corona crisis has shown that, in addition to the classic Microsoft Office applications, new applications accessible via the Internet are gaining in importance. These include Microsoft Teams for chatting and communicating via audio and video within the company and with customers and service providers. Microsoft SharePoint and Microsoft OneDrive are particularly suitable for sharing files and knowledge, as a document management system (DMS) and as a central knowledge management platform. In the past, Microsoft applications have repeatedly been criticised by data protection authorities. We provide an overview.
European Data Protection Supervisor
The European Data Protection Supervisor has taken a position on Microsoft's products in a detailed report. The EDPS recommends that companies, when selecting suitable service providers, ensure that they provide sufficient guarantees for the implementation of appropriate technical and organisational measures so that the processing of personal data meets the requirements of the GDPR.
It advises controllers that have already licensed numerous Microsoft services to negotiate with the processor on the instructions necessary to protect the rights and freedoms of the data subjects, even where the processor is a company of considerable size. According to the EDPS, Microsoft is ready to meet the EU's compliance requirements.
The EDPS report lists the following five key issues that should be resolved through adjustments to Microsoft's services and through contractual arrangements:
- Under the existing license agreements, Microsoft has extensive control powers and in part acts as a controller for the processing of personal data. In order to minimise these control powers, the EDPS recommends a contractual agreement under which Microsoft's role is changed from controller to processor.
- Microsoft's handling of sub-processors and the lack of meaningful audit rights were also found to be deficient. The EDPS therefore recommends a more transparent use of sub-processors and contractually defined controls over them.
- Data transfer and the associated risk of unlawful disclosure of personal data were also considered critical. The EDPB criticised the lack of transparency regarding the location of personal data and the absence of measures to protect such data outside the EU. Therefore, it should be clarified where personal data are stored and how protection is ensured in third countries.
- The data transfer of Microsoft diagnostic data was also classified as unlawful by the EDPS. In order to reduce the transfer of diagnostic data to an appropriate level, we have developed concrete steps for the data protection-compliant use of Microsoft 365.
- Furthermore, the description of the nature, scope and purposes of the processing and of the risks for the data subjects, which controllers need in order to meet their transparency obligations towards the data subjects, was found to be deficient. The circumstances of the processing should therefore be precisely defined in the contract.
Data Protection Conference
The Conference of Independent Data Protection Authorities of the Federal Government and the States (Data Protection Conference) had reviewed "the Online Service Terms (OST) underlying the use of the product Microsoft Office 365 as well as the Data Protection Provisions for Microsoft Online Services (Data Processing Addendum / DPA) - in each case as of January 2020". With the review, the DSK came to the conclusion that, at the time of the review, it was not possible to use Microsoft Office 365 in a way that complied with data protection requirements.
However, the data protection supervisory authorities of Baden-Württemberg, Bavaria, Hesse and Saarland did not share the DSK's overall assessment and classified the matter as not yet ready for a decision, in particular because they considered the assessment too undifferentiated and because Microsoft had revised the reviewed contractual provisions twice in the meantime.
The data protection supervisory authorities therefore welcome all the more the fact that the Data Protection Conference has set up a working group which is to begin talks with Microsoft in the near future.
German supervisory authorities
In February 2021, the Berlin Commissioner for Data Protection and Freedom of Information, as the data protection supervisory authority, published a notice on the data protection-compliant use of video conferencing solutions against the background of the Corona pandemic. This included an assessment of Microsoft Teams via a traffic light system and a recommendation for use. The results of the short tests on various video conferencing systems can be found here: Information on providers of videoconferencing services from the Berlin data protection supervisory authority
The brief review focused on the design and implementation of the data processing relationship. In the case of Microsoft 365, this turned out to be deficient, so the technical and organisational measures were not reviewed any further.
Schrems II judgment
The ECJ ruling of 16 July 2020, also referred to as "Schrems II", also prohibits the transfer of data to the USA to a large extent. Since Microsoft 365 also transfers personal data to the USA, Microsoft is directly affected by this ruling. However, only the data protection supervisory authority in Berlin has taken a position on the current status with a concrete ban on data transfer.
Classification: Office 365 GDPR
Microsoft is a provider based in the USA. From the USA, Microsoft operates more than one hundred data centres worldwide on which the services of Office 365 are provided. For companies in the European Economic Area, i.e. within the scope of the General Data Protection Regulation (GDPR), Microsoft offers to operate the core of the central services mentioned above in European data centres.
However, this does not apply to all services that are necessary for operating Office 365. In particular, the user identities created and the associated so-called metadata flow from the EU to the USA. And here lies the problem for the German data protection authorities, who view the transfer of precisely this data as critical.
The problem with this transfer lies at its core in the fact that, from the EU's perspective, the USA is a so-called third country with inadequate data protection guarantees. This problem was exacerbated by the fact that the previously applicable agreement between the US and the EU, the so-called Privacy Shield, was declared invalid in 2020 by the so-called Schrems II ruling of the European Court of Justice.
Until that time, the Privacy Shield was the valid legal basis for transferring personal data between the US and the EU. This legal basis has now expired and the transfer - from a purely legal perspective - is prohibited for the time being or only permitted under certain conditions.
These conditions are at the core:
- The use of so-called EU standard contracts
- The establishment of internal corporate policies for the use of Office 365 within a company.
- The consent of the persons concerned as consent to the Transatlantic data transfer
However, the second and third approaches have practically no relevance in practice. At the latest, the use of Exchange and e-mail makes it de facto impossible to restrict the use of Office 365 to the company or to obtain consent before sending e-mails.
For this reason, the EU standard contract clauses must currently be used. This is also actively proclaimed by Microsoft and is part of the license agreement. Nevertheless, some of the German supervisory authorities in data protection do not agree with this approach.
Nevertheless, the GDPR always offers the possibility to justify processing operations on the basis of a risk assessment and to implement appropriate measures in order to increase the level of data protection as required. The method for this is called data protection impact assessment, the requirements of which are described in Article 35 of the GDPR.
Is a data protection impact assessment required when using Office 365 GDPR?
Due to the data protection risks involved in corporate use, the use of Office 365 must be subject to a data protection impact assessment (DPIA) carried out in accordance with Art. 35 GDPR. The assessment of the use of Office 365 in the context of a DPIA is always an individual case and depends on factors such as the number of employees, the software products used and the processing purposes.
What data is processed in Office 365?
- Find out which Office 365 software products your company is using
- Investigate which people have access to them
- Record the types of data being processed: is it customer, telemetry, diagnostic, meta or functional data?
- Describe the purpose for which these types of data are processed
Risk analysis and remedial actions
GDPR-compliant use of Office 365: What are the necessary settings?
Many Microsoft products are installed, provided and kept up-to-date locally, i.e. on-premises, by an administrator. This is sometimes associated with high costs (hardware and personnel) and complex license models and licensing costs. Since very sensitive personal data (e.g. e-mails, personnel files, etc.) and business secrets that need to be protected (e.g. strategies, customer documents that are subject to confidentiality) are usually processed on locally operated Microsoft servers, there is the additional challenge of complying with the requirements of data protection, especially Article 32 GDPR, as well as the security requirements based on ISO / IEC 27001 or BSI basic protection or other security standards such as TISAX, ISIS 12 or vds3473.
This poses significant challenges for many companies. Not least, the zero-day vulnerabilities in on-premises Microsoft Exchange Server that came to light in March 2021 and were exploited by the Hafnium group show that keeping complex IT infrastructure local can be fraught with problems. Incidentally, the Office 365 cloud version of the Microsoft products described above was not affected by the vulnerability.
In addition to aspects of security, the advantage of the Office 365 suite over the local on-premises installation is that you have access to all Microsoft products in the Office 365 suite on the basis of a simple user license. This applies to Office products such as Word, Excel, PowerPoint or OneNote, professional e-mailing via Exchange, as well as collaboration platforms such as SharePoint and OneDrive, the communication platform Teams, the appointment booking system Bookings, the virtual whiteboard Whiteboard, the video streaming portal Stream or the workflow engine Flow.
A local installation of the Office 365 version is not required. In the first step, it is sufficient to connect your own domain and create the corresponding users, who then have access to all activated products, SharePoint sites or mailboxes. So even a "layman" can get started right away.
The challenge, however, lies in setting the details in the Office 365 Admin Center so that Office 365 meets the requirements of the GDPR. Here, the detailed access and compliance settings play a role, as well as aspects of security such as backup and virus protection.
The following configurations are based on the Dutch privacy impact assessment and require an update from older Office versions to version 1905 or higher. Only with this version were the corresponding setting options in Office 365 / Microsoft 365 enabled.
GDPR-compliant use through configuration: After updating to a current version, the following GDPR-compliant configurations can be made.
Connected Experiences / Services
Disable the use of Connected Experiences/Services in Office 365. Microsoft classifies itself as a controller, not just a processor, when providing these services. Whenever this is the case, the purpose of use is no longer limited and includes the use of processed data for personalisation or advertising. Disable the following Connected Experiences to limit the purpose of use. Note that functions such as the translator or the room search are then no longer available:
- 3D Maps
- Insert online 3D Models
- Map Chart
- Office Store
- Insert Online Video
- Smart Lookup
- Insert Online Pictures
- LinkedIn Resume Assistant
- Weather Bar in Outlook
- PowerPoint QuickStarter
- Giving Feedback to Microsoft
- Suggest a Feature
When you use Office 365, Microsoft processes so-called diagnostic data to provide, improve and update services and their security. This diagnostic data is uniquely assigned to a user via an ID and is sent to Microsoft servers. Examples of data types are the user ID, program language, or duration of use of an Office service. This option can be deactivated without any direct disadvantage for the user by selecting "neither" in the diagnostic data settings.
Telemetry level and Windows settings
Set the telemetry level to "neither" via group policy or registry entry of Microsoft 365 and the settings of Windows 10 Enterprise to "secure". If you have any questions about the configuration, we will be happy to advise you.
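As an added example (not code from the original article or from Microsoft), the following PowerShell script audits and applies the registry values behind the settings described above: the Office diagnostic data level "Neither", the policies that switch off connected experiences, and the Windows 10 Enterprise diagnostic data level "Security". The registry paths, value names and numeric values are Microsoft's published policy settings for Microsoft 365 Apps and Windows as known to the editor, not values taken from this page; the grouping of the individual experiences into the policy categories in the comments likewise follows Microsoft's documentation. The HKLM part only applies on Windows Enterprise/Education editions and requires an elevated session.

```powershell
# Added example: audit and apply the Office / Windows diagnostic data and
# connected-experience policy values discussed in the article.
# Registry locations are Microsoft's documented policy settings (assumption:
# Office 16.0 policy hive, Windows 10 Enterprise), not values from the article.

$Baseline = @(
    # Office diagnostic data level: 1 = Required, 2 = Optional, 3 = Neither
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\Common\ClientTelemetry'
       Name = 'SendTelemetry'; Value = 3; Note = 'Office diagnostic data = Neither' },
    # Connected experiences (policy value 2 = disabled)
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy'
       Name = 'DisconnectedState'; Value = 2; Note = 'All connected experiences off' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy'
       Name = 'UserContentDisabled'; Value = 2
       Note = 'Experiences that analyse content off (e.g. Smart Lookup, Resume Assistant)' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy'
       Name = 'DownloadContentDisabled'; Value = 2
       Note = 'Experiences that download online content off (e.g. online pictures, 3D models)' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy'
       Name = 'ControllerConnectedServicesEnabled'; Value = 2
       Note = 'Optional connected experiences (Microsoft acting as controller) off' },
    # Windows diagnostic data: 0 = Security; honoured only on Enterprise/Education
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name = 'AllowTelemetry'; Value = 0; Note = 'Windows diagnostic data = Security' }
)

function Test-OfficePrivacyBaseline {
    # Returns one object per setting: expected value, current value, compliance flag.
    foreach ($s in $Baseline) {
        $current = $null
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($s.Name) }
        [pscustomobject]@{
            Setting   = "$($s.Path)\$($s.Name)"
            Expected  = $s.Value
            Current   = $current
            Compliant = ($current -eq $s.Value)
            Note      = $s.Note
        }
    }
}

function Set-OfficePrivacyBaseline {
    # Creates missing policy keys and writes each value as a DWORD.
    foreach ($s in $Baseline) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

# Usage: audit first; apply the baseline only if something deviates, then re-audit.
$before = Test-OfficePrivacyBaseline
$before | Format-Table Setting, Expected, Current, Compliant -AutoSize
if ($before | Where-Object { -not $_.Compliant }) {
    Set-OfficePrivacyBaseline
    Test-OfficePrivacyBaseline | Format-Table Setting, Current, Compliant -AutoSize
}
```

The audit output doubles as evidence for the data protection documentation mentioned later in the article: a `Compliant` column that is `True` for every row shows the settings were actually applied on the device, which is what a supervisory authority would ask to see. In a managed environment the same values are normally distributed as a group policy object rather than set per device, but the audit function still works as a check against drift.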
Data protection impact assessment
Discuss with your data protection officer whether the type and scope of data processing by Office 365 requires a data protection impact assessment. If a DPIA should be necessary, document it in your data protection documentation. If you have any questions about the data protection impact assessment, we will be happy to advise you.
If you process sensitive personal data in Office 365, it is recommended to use the so-called Customer Lockbox or Customer Key. The use of this function ensures customer-side encryption of the documents, but is associated with additional costs.
In Office 365, it is generally possible to connect the LinkedIn accounts of employees; in Germany, this function is currently activated by default. Check your company's settings in the administrator interface and deactivate it manually if necessary.
Workplace Analytics or Activity Reports
The Workplace Analytics or Activity Reports functions involve the evaluation of performance data. This function should always be deactivated and must be discussed with the data protection officer and, if available, the works council before use. If necessary, a data protection impact assessment may even have to be carried out. Please also make sure not to install the "Insights" plugin.
Office 365 mobile and web apps
As mentioned above, the use of Office 365 mobile and web applications is not compliant with the GDPR according to the classification of the Dutch supervisory authority. Managers need to raise awareness among their employees and have policies in place to prevent them from using these applications. Please also note the further steps taken by Microsoft to adapt the level of data protection to the applicable EU requirements.
What are missing security features in Office 365 deployment?
Although Office 365 runs in the cloud, it should not be assumed that all security issues are taken care of or that all information security protection goals such as confidentiality, integrity and availability are met. Some building blocks need to be added to the Office 365 package to enable truly secure operation and ensure data protection compliance.
Email archiving according to GDPR/GoBD
Tamper-proof archiving of all e-mail traffic in accordance with the current guidelines of the tax authorities (GoBD) and the GDPR.
Practicable, centrally managed transport encryption of e-mail traffic. Checking the transmission route from sender to recipient for valid transport encryption.
Email Anti-Spam and Virus Scanning
Centrally manageable anti-spam and anti-virus solution. Maximum detection performance through deep analysis and AI-based threat detection.
GDPR-compliant real-time monitoring of mail traffic
Real-time monitoring of e-mail traffic. Detailed information about the encryption method and classification of incoming and outgoing emails, as well as the reason for the corresponding classification.
Email content control and compliance filtering
Setting options to categorise and filter attachments of received e-mails. Ability to enforce company-wide communication rules.
Central signature management
Central signatures should be used, among other things, to comply with legal requirements. In this way, you ensure the company-wide integration of a legally compliant legal disclosure for all emails (also for mobile devices).
Data backup function for Exchange, Teams, SharePoint and OneDrive
Office 365 (Microsoft 365) does not include a data backup function. Microsoft refers here to the backup responsibility of the user. A valid and regularly checked data backup is a fundamental criterion for the use of a software solution, both from the perspective of self-protection and the GDPR.
Hosting in European area
Microsoft's data storage for German customers is ostensibly in German data centres. However, this is not contractually guaranteed. Thus, from the perspective of the GDPR, storage of the data within Europe cannot simply be assumed.
Professional administration of the platform
At first glance, Office 365 and Microsoft 365 solutions are not easy to put into operation. In everyday life, you are also confronted with issues such as integration into existing structures, enforcing legal requirements or solving daily problems. Ultimately, the administration of these cloud products means that all functions of a Windows client-server network must be completely under control.
Conclusion: GDPR-compliant use always depends on the individual case
At the current state of affairs, fully GDPR-compliant use of Office 365 is not possible. It is only possible to configure the Microsoft services to be as data protection-compliant as possible, and even this cannot be fully covered by the Microsoft products themselves. However, this realisation helps only a few companies, because in many companies the Microsoft services are not easy to replace due to volume licenses and daily use. In addition, the German supervisory authorities and the European Data Protection Supervisor position themselves very differently and anything but clearly on this topic. So what can companies do to achieve a minimum level of GDPR compliance when using Office 365?
- Follow the coverage of the upcoming talks with Microsoft and the further positioning of the regulators
- Adjust the settings of your Microsoft products to be as GDPR-compliant as possible
- Document the measures taken in your data protection documentation in order to be meaningful in the event of a review by the competent supervisory authority
For companies, the current situation means that not only the additional security features described above must be available for a more secure operation of Office 365 in compliance with data protection, but that a functioning data protection management system must be established in any case, which on the one hand fulfils the documentation and verification obligations of the GDPR and on the other hand documents the implementation of the risk assessments as part of a data protection impact assessment.