It is still unclear whether Microsoft 365 can be used in a legally secure manner.
According to a report by the independent federal and state data protection supervisory authorities (DSK) from November 2022, Microsoft is currently unable to provide evidence that Microsoft 365 is operated in compliance with data protection law. The determination refers to the 58-page final report of the AG DSK “Microsoft Online Services” of 2 November 2022..
No legally binding statement by the DSK
The message that Microsoft 365 is not data protection compliant has made big “waves” in the media, as the DSK report gives the impression of an official decision. However, this is not true, as there is no legal basis for the DSK to take legally binding action. The DSK is rather a mere working body for the exchange of positions. The report is therefore an agreed legal opinion of the data protection supervisory authorities.
Microsoft has responded to the publication of the report and defends itself against the criticism of the DSK.
Consequences for companies
So what are the consequences for companies? How should they behave? The fact is that the DSK does not prohibit the use of MS 365. Companies must therefore weigh up for themselves whether (further) use of MS 365 is justifiable.
In the context of this risk assessment, companies must especially consider whether there are suitable alternatives to the Microsoft operating system that offer comparable standards in the area of IT security. This is because the threats from cyber attacks are constantly growing. Locally administered systems are becoming increasingly insecure.
If a company decides to use MS 365, it should in any case take certain measures to minimise the data protection risk.
These include both legal measures and technical measures, these include in particular:
1. legal measures
- Companies must conclude the current Data Processing Addendum (as of January 2023). If this does not automatically apply, the earlier DPA already concluded must be updated.
- A data protection and transfer impact assessment should be carried out before using MS 365. Helpful templates are provided by Microsoft and the Dutch government.
2. technical measures
A variety of privacy-friendly settings must be made in Microsoft 365. The aim is to prevent data processing operations that are not necessary. These include in particular:
- Preventing the transmission of diagnostic data
- Restriction of “Connected Experiences
- Deactivation of “Viva Insights
- Disabling Microsoft Search in Bing
- Disabling organisational data collection by Bing
- Pseudonymisation of reports
- Disabling access through Cortana
- Disabling external sharing in Share Point
- Deactivation of LinkedIn integration
- Choice of data storage location Germany
- Deactivation of the “Customer Experience Improvement Program” / CEIP
- Deactivation of Dynamics 365
We have created a whitepaper for you, which describes all the essential technical measures. Please fill in the form to receive the whitepaper.
If you request our whitepaper, we may contact you later by email to inform you about our services and products and to keep in touch with you. In this context, we process your personal data. You can find more information in the privacy policy.