In the future, Microsoft will assume the role of data protection officer for cloud services.

After much pressure from privacy advocates, Microsoft is revising the terms of service for cloud services offered to commercial customers to better meet the requirements of the General Data Protection Regulation (GDPR). Under the revised terms, the US company assumes the role of data protection officer when employees “process data for specific administrative and operational purposes related to the provision of cloud services such as Azure, Office 365, Dynamics, and Intune covered by these frameworks.”

For its public and private sector clientele, Microsoft will thus in future be responsible for the part of the data processing in which the company itself has a hand. It must also ensure, with appropriate technical and organizational measures, that the GDPR is complied with. The corresponding users are off the hook here.

Microsoft guarantees “integrity and security”

The corresponding “update” of the “Microsoft Online Services Terms” (OST) relates to, for example, data processing for purposes such as account management, financial reporting, combating cyber attacks on its own products or services, and processing intended to meet legal obligations. The correction “will benefit our customers by further clarifying how we use data,” said Julie Brill, Chief Privacy Officer at Microsoft, in a blog post on Monday. It ensures that the Group will treat information in a GDPR-compliant manner.

The company has designed most of its business services so that it acts as a processor. Personal data is used to provide the online services required by customers for the purposes specified by them. Microsoft ensures “the integrity and security” of the information, Brill explains. In this variant, however, the data remains in the possession of the client and is managed and controlled by the client.

The special rules for further processing, such as the disputed telemetry data for diagnostic purposes, essentially reflect contract changes that Microsoft has developed with the Dutch Ministry of Justice. Last year, the consulting company Privacy Company, acting on behalf of the ministry, first raised the alarm that Microsoft was collecting personal data from Office users on a large scale without informing them. This is equivalent to a massive violation of the GDPR. In the summer, the experts were more conciliatory, after Microsoft had made improvements. But they were not completely satisfied even then because information on purposes was missing, whereupon the corporation once again made legal adjustments.

Recently, the European Deputy Data Protection Officer Wojciech Wiewiórowski had expressed “grave concern” that Microsoft's clauses and processing rules in contracts with EU authorities do not completely comply with the GDPR. The Dutch solution, on the other hand, had appeared to him to be a better model. However, Microsoft has not yet directly discussed the new contract solution for larger cloud customers with the supervisor, as the supervisor is not directly responsible for the business sector but ensures that the EU institutions comply with European law.

Brill expects that Microsoft will be able to offer the new terms of contract “at the beginning of 2020 to all public and commercial customers worldwide”. She also recalled that a number of additional data protection tools had been introduced globally and that the use of telemetry data had been made more transparent. At the same time, there is increasing general concern among municipal IT service providers and the Federal Ministry of the Interior about too much dependence on the software manufacturer, which is contrary to “digital sovereignty”.