Is Microsoft 365 GDPR Compliant?

DSK has just published a report stating that Microsoft 365 cannot be used in compliance with privacy law in the EU


Why Microsoft 365 Is Under Fire by DSK

The German Datenschutzkonferenz (“DSK”) is the conference of Germany’s federal and state data protection supervisory authorities, the bodies that enforce the GDPR in Germany. 

DSK has just published a report stating that Microsoft 365 cannot be used in compliance with EU data protection law. It’s a bold declaration, and one that could end up hurting Microsoft and pushing away customers if enough organisations act on it.  

So today we’ll look at how this allegation (that Microsoft isn’t complying with data protection law) came about and address DSK’s concerns.  

For the past two years, DSK has been examining the cloud-based Microsoft 365 products and engaging directly with Microsoft to get the compliance issues fixed.  

The problem DSK found wasn’t so much that Microsoft was violating specific compliance rules. It was that DSK kept finding data flows that Microsoft would not sufficiently explain. 

Some of the concerns DSK brought up were that: 

  • Microsoft does not disclose in detail what kind of processing takes place 
  • Microsoft does not explain which processing takes place on behalf of the customer and which takes place for its own purposes 
  • There’s an overall lack of clarity and precision in Microsoft’s contracts  
  • The changes Microsoft made to its contracts in a data protection addendum in September 2022 were only minor improvements compared to the problems identified 


So what’s Microsoft’s take? Not surprisingly, Microsoft believes DSK is wrong and disagrees with the report in full.  

Microsoft stands by its software and claims it is fully GDPR compliant. It points to steps it has taken to address DSK’s concerns, including an improved notification process for subprocessor changes and “further clarifications” about its use of personal data for business operations.  

Microsoft also says it has cooperated fully with DSK, and it even acknowledges that more transparency will be needed in the future.  

Regardless of how compliant Microsoft claims to be, Germany has just banned the use of the free version of Microsoft Office 365 in schools, on the grounds that children cannot validly consent to their data being collected. The ban does not affect use by businesses or consumers.  

Commenting on DSK’s findings, Matthias Pfau, founder of the encrypted email service Tutanota, thinks it’s “unbelievable” that US-based cloud services continue to walk all over EU data more than four years after the GDPR took effect in May 2018.  

The business model of trading users’ data for a free service is incredibly lucrative.  

And since Microsoft isn’t facing any harsh consequences, the tech giant has little reason to change its view. It should also be noted that Europe takes privacy and cybersecurity much more seriously than many other jurisdictions. Like Germany, France has also said no to the free versions of Office 365 being used in schools, whereas the US doesn’t seem to care whether schools use it, at least for now.  


Can We Ever Really Trust Big-Name Vendors to Protect Privacy?

Microsoft can easily claim to be doing everything right, and the authorities can easily claim to have done everything in their power to force Microsoft into compliance. 

We’ve talked to a privacy specialist in Germany who doubts that Microsoft will be forced to make more changes or provide more detailed answers to DSK’s safety concerns. 

This points to a broader enterprise IT compliance problem: when organisations use big names like Microsoft, Google, or Oracle, they tend to assume that the basic cybersecurity and compliance issues have been taken care of, especially where the GDPR is concerned. 

But the harsh reality is that your compliance remains your responsibility. Under the GDPR, the customer is normally the controller and the vendor only a processor, and accountability for lawful processing stays with the controller. Using a big-name vendor does not transfer that accountability, and it can’t save you from regulatory nightmares.  

So if you want to find out just how good you are at handling and protecting data, check out the link below to get a free privacy score today. Unlike human consultants, Ubiscore is a data-driven solution that gives you the FACTS (not opinions) about what needs to be done to better protect your customers’ privacy.  

Eventually, we also want to release Ubiscore to consumers so they can find out whether companies have questionable business practices and whether their data gets sold to third parties.  

By using Ubiscore, you’ll have solid evidence that you handle customer privacy with the utmost care and attention, and you’ll receive an UBICERT badge for using our platform.  

We hope you enjoyed this article! If you’d like to learn more about cybersecurity and how to keep your organisation’s data safe, check out the other articles on our blog, or sign up for Ubiscore today for a free privacy score.