Many companies use Microsoft 365 (M365). There has always been a certain legal uncertainty as to whether the service can be used in a data protection-compliant manner. The reason is that personal data is transferred to the USA, where it is exposed to a higher risk, in particular access by US authorities without the safeguards that apply in the EU. In addition, it is not entirely transparent for what other purposes (e.g. its own telemetry and service improvement) Microsoft processes the data. We have already provided information on this several times and have so far assessed the risks as manageable.
Now the German data protection supervisory authorities (the Data Protection Conference, DSK) have published a decision. According to it, controllers (including your company if you use Microsoft services) are currently not in a position to demonstrate that M365 is being used in a legally compliant manner, as required by the accountability principle of the GDPR.
This decision applies only in Germany. It is controversial and is being discussed at various levels. But it has been published, and it is possible that supervisory authorities will start questioning companies about their use of M365.
Do you use M365? If so, you should investigate and document which specific, additional, individual protection measures you apply to personal data in M365. According to the authorities, mere references to Microsoft's contracts and documentation will not be sufficient.
Examples of additional safeguards:
- Ensuring that no particularly sensitive data, i.e. special categories of personal data under Art. 9 GDPR, is processed in M365 (e.g. sick days and other health data, information on severely disabled persons, religious affiliation).
- Ensuring that personal data is only stored and processed in encrypted form (e.g. using sensitivity labels in "Microsoft Purview"). Note that encryption only reduces the transfer risk to the extent that Microsoft cannot decrypt the data itself; document who holds the keys and whether customer-managed keys or Double Key Encryption are used.
- Ensuring that functions in M365 that are not required are deactivated (e.g. optional connected experiences, and the diagnostic data level set to the minimum the service allows), and that the resulting tenant configuration is documented.
- Ensuring that Microsoft processes the data within the EU where possible ("EU Data Boundary"). The boundary is being rolled out in phases and does not yet cover every category of data (e.g. certain support and telemetry data), so record which of your data it actually covers.
However: whether such documentation is sufficient will only become clear later. In any case, we are of the opinion that it is better to have it than to have nothing at all in hand.
For clarification: the use of US services is not per se inadmissible (cf. OLG Karlsruhe, decision of September 7th 2022 in a public procurement ("Vergabe") case, which overturned the contrary decision of the Vergabekammer). However, the company using the service, as controller, remains responsible for its lawful use. What is lawful and what is not has not yet been clarified by the courts. It is quite possible that the supervisory authorities are overstepping the law here. In order to clarify this question, however, a lawsuit would have to be filed and decided by a court, and that is likely to take time. In the future, the risk could be reduced somewhat: next spring, the new EU-US Data Privacy Framework is set to come into force in the EU and thus create a better legal basis for transfers. In addition, Microsoft could further clarify its wording in texts and contracts, as it has often done in the past.
The requirements of the supervisory authorities for the use of Microsoft 365 are currently very high. Although fines are unlikely to be imposed immediately at this time, your company can still reduce its risk by reviewing and documenting additional, individual protective measures.
We will of course keep you up to date on any new information on this topic.