Data protection in companies: Microsoft 365, yes or no?

The Data Protection Conference has published an assessment of whether Microsoft 365 can be operated in compliance with EU data protection law. Public as well as non-public users must check how they can use the cloud office solution in compliance with data protection law.


Despite extensive changes to the terms of use, “Microsoft 365” is still not compliant with data protection for companies. This was the verdict of the 104th Data Protection Conference (DSK).

The new assessment by the body of independent German federal and state data protection supervisory authorities affects public users such as schools and authorities, but also non-public users. The determination made is not aimed at Microsoft, but at the users of Microsoft 365.

Users have a duty

The DSK sees users as having an obligation to deal with the requirements for controllers and processors contained in the GDPR. Accordingly, controllers would have to be able to prove that their use of Microsoft 365 satisfies EU data protection regulations, i.e. that the company only works with processors who can prove that they process their clients’ personal data in compliance with data protection regulations. However, this proof cannot be provided on the basis of the “Data Protection Addendum of September 15, 2022” provided by Microsoft, as the Data Protection Conference has now determined. Anyone who uses Microsoft 365 in their company or in an authority or organization is therefore still violating the GDPR, risks high fines and has one foot in prison.


There is still a need for clarification

The current publication of the DSK is an assessment of the data protection provisions in the contracts for the use of Microsoft 365. For a complete data protection assessment of the Microsoft 365 cloud service, further questions must therefore be discussed.

Microsoft said in a statement that it takes the concerns of the DSK seriously, but that many of the DSK's data protection assessments and conclusions are fundamentally wrong.


Recommendation for action

Those responsible should definitely continue to follow the developments – after all, the responsibility for data protection ultimately lies not only with Microsoft, but also with them. They have to decide whether or not to (continue to) rely on Microsoft 365.