Microsoft Support and Professional Services Data Subject Requests for the GDPR and CCPA
Introduction to Microsoft Professional Services
Microsoft Professional Services includes a diverse group of technical architects, engineers, consultants, and support professionals dedicated to delivering on the Microsoft mission of enabling customers to do more and achieve more. Our Professional Services team includes more than 21,000 total consultants, Digital Advisors, Premier Support, engineers, and sales professionals working across 191 countries, supporting 46 different languages, managing several million engagements per month, and engaging in customer and partner interactions through on-premises, phone, web, community, and automated tools. The organization brings broad expertise across the Microsoft portfolio, using an extensive network of partners, technical communities, tools, diagnostics, and channels that connect us with our enterprise customers.
Find out more about Microsoft Professional Services by going to the Microsoft Professional Services Security Documentation webpage. Microsoft Professional Services takes its obligations under the General Data Protection Regulation (GDPR) seriously. The information in this document is designed to answer customer questions about how Microsoft's support and consulting offerings will respond to and assist customers in responding to Data Subject Request (DSR) obligations under GDPR.
Introduction to DSRs
The GDPR gives rights to people (known in the regulation as data subjects) to manage the personal data that has been collected by an employer or other type of agency or organization (known as the data controller or just controller). Personal data is defined broadly under the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data subjects specific rights to their personal data; these rights include obtaining copies of it, requesting changes to it, restricting the processing of it, and deleting it. A formal request by a data subject to a controller to take an action on their personal data is called a Data Subject Request or DSR. Additionally, it obligates companies working on behalf of a controller (known as the data processor or just processor) to reasonably assist the controller in fulfilling DSRs.
Similarly, the California Consumer Privacy Act (CCPA) provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information. The CCPA also provides for certain disclosures, protections against discrimination when electing to exercise rights, and "opt-out/opt-in" requirements for certain data transfers classified as "sales". Sales are broadly defined to include the sharing of data for a valuable consideration. For more information about the CCPA, see the California Consumer Privacy Act and the California Consumer Privacy Act FAQ.
This guide discusses how to find, access, and act on personal data that resides in Microsoft IT systems that may have been collected to provide Support and other Professional Services offerings.
In developing a response for DSRs, it is important for Microsoft's customers to understand that Support and Consulting Data is separate from Customer Data in the Online Services or other data that they or their data subjects may have provided to Microsoft. Tools and processes provided for Online Services, the Microsoft Privacy Dashboard, or other Microsoft systems for responding to DSRs cannot be used to respond to DSRs for personal data held by Microsoft Support or other Professional Services.
All requests must be made through a support representative, as described later in this article. Currently there is no self-serve tool for customers to gain access to personal data within the Professional Services organizations.
Overview of the processes outlined in this guide
- Discover: Use search and discovery tools to more easily find customer data that may be the subject of a DSR. Once potentially responsive documents are collected, you can perform one or more of the DSR actions described in the following steps to respond to the request. Alternatively, you may determine that the request doesn't meet your organization's guidelines for responding to DSRs.
- Access: Retrieve personal data that resides in the Microsoft cloud and, if requested, make a copy of it that can be available to the data subject.
- Rectify: Make changes or implement other requested actions on the personal data, where applicable.
- Restrict: Restrict the processing of personal data, either by removing licenses for various Azure services or turning off the desired services where possible. You can also remove data from the Microsoft cloud and retain it on-premises or at another location.
- Delete: Permanently remove personal data that resided in the Microsoft cloud.
- Export/Receive (Portability): Provide an electronic copy (in a machine-readable format) of personal data or personal information to the data subject. Personal information under the CCPA is any information relating to an identified or identifiable person. There is no distinction between a person's private, public, or work roles. The defined term "personal information" roughly aligns with "personal data" under GDPR. However, the CCPA also includes family and household data. For more information about the CCPA, see the California Consumer Privacy Act and the California Consumer Privacy Act FAQ.
Below are the relevant definitions of terms from the GDPR for this guide:
- Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination may be provided for by Union or Member State law.
- Personal data and data subject: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Additional terms and definitions that may be helpful in understanding this guide
- Support and Consulting Data: All data, including all text, sound, video, image files, or software, that are provided to Microsoft by, or on behalf of, Customer (or that Customer authorizes Microsoft to obtain from an Online Service) through an engagement with Microsoft to obtain Support or Professional Services. To clarify, this does not include data collected where Microsoft is the data controller including Customer Contact Data.
- Customer Contact: Personal data that may be part of your business relationship with Microsoft, such as personal data contained within your customer contact information. This may include the name, e-mail, or phone number of the Premier Contract Service Manager (CSM), the Global or IT Administrator for an Online Service, or similar roles.
- Pseudonymized Data: When you use Microsoft support for Microsoft's enterprise products and services, Microsoft generates some information linked to a Microsoft numeric identifier to provide the support. This information is often referred to as "Pseudonymized Data". Although this data cannot be attributed to a specific data subject without the use of additional information, some of it may be deemed personal under GDPR's broad definition for personal data. Within Professional Services, requests to fulfill or assist in fulfilling DSRs will always automatically include addressing pseudonymized data.
How to use this guide
This guide covers four scenarios a customer may encounter if they have utilized Microsoft Professional Services.
- DSR for a Customer Contact Engaging Microsoft: Explanation for how Microsoft will respond to requests from a customer contact or IT administrator to exercise their data subject rights.
- DSR for an End-User Engaging Microsoft: Explanation for how Microsoft will respond to requests from a customer's employees or other data subjects to exercise their rights.
- DSR for Customer Provided Data: Commercial Support: Explanation for how to receive assistance from Microsoft when a customer has received a request from their employee or other data subjects to exercise their rights, and that data subject's personal data was collected by Microsoft Support during a support engagement.
- DSR for Customer Provided Data: Consulting Services including FastTrack Migration Services: Explanation for how to receive assistance from Microsoft when a customer has received a request from their employee or other data subjects to exercise their rights, and that data subject's personal data was collected by Microsoft during a consulting engagement.
DSR for a Customer Contact Engaging Microsoft
How Microsoft responds to requests by a customer contact or IT admin to exercise their data subject rights.
When a customer engages with Microsoft to receive support or consulting services, Microsoft Support automatically collects or retrieves from account records the personal data of the Customer Contact (for example, Premier CSM, Global Admin, IT Admin). This likely includes the name, email, phone, and other personal data of the individual seeking support or consulting services.
The Customer Contact's personal data is part of Microsoft's business relationship with the customer, and Microsoft is the Data Controller, except when this data is collected in the course of providing technical support. Microsoft will respond to DSRs from the Customer Contact around their personal data, regardless of whether they are still with the organization.
When the Customer Contact's Personal Data is collected in the course of providing technical support, Microsoft is the Data Processor.
Customers should understand that the DSR only covers the personal data of the Customer Contact, and no changes or deletions will be made to any of the customer's data submitted as part of engagements (for example, transcripts, case descriptions, files, work product), since Microsoft is the data processor. Additionally, to maintain the engagement's historical record, no changes at all will be made to closed engagements, including the record of who opened an engagement.
Upon receiving an inquiry from a Customer Contact regarding a DSR where Microsoft is the Data Controller, Microsoft personnel will refer a customer contact to the Privacy Response Center. This is Microsoft's primary input mechanism for privacy inquiries and complaints. Upon receiving an inquiry, the Privacy Response Center will identify that this is part of a commercial or organizational account and respond accordingly.
Where Microsoft is the Data Processor, please see DSR for Customer Provided Data: Commercial Support below.
To maintain the customer's business continuity, Microsoft will also not process a DSR associated with an engagement until a replacement contact is confirmed. Upon confirmation of a new contact, Microsoft will swap out the old contact with the new one in open engagements.
Customers may choose to make changes to their data collected during Professional Services engagements through normal support or consulting channels, separate from this DSR. For instance, Microsoft can assist in expunging support engagements on request (see the DSR Guide for Customer Provided Data section).
Example for Illustration Purposes Only
John is a Project Manager for an O365 enterprise customer, with one open Consulting engagement and two closed engagements. Now John is leaving his company and wants his data deleted. John contacts the Privacy Response Center, who identifies him as the Project Manager. John is informed his name cannot be deleted from the prior (closed) engagements or from any data within the open engagements. However, the Privacy Response Center will replace John as the contact on the current open engagement if he will identify a replacement contact. John lets Microsoft know that Jane will be his replacement contact, and Microsoft makes the change across all systems.
DSR for an End-User Engaging Microsoft
How Microsoft responds to requests from a customer's employees or other data subjects to exercise their rights.
If a customer's employee or other data subject contacts Microsoft to exercise their rights over data that Microsoft has collected as the data processor, then that data subject will be informed that they need to contact Microsoft's customer, as the data controller, to exercise those rights. Microsoft will take no further action.
If the data subject has also contacted Microsoft about exercising their rights for data Microsoft has collected in situations where Microsoft is the data controller (for example, consumer support, commercial customer contact) then Microsoft will separately respond to the individual's data subject right request for that personal data.
Example for Illustration Purposes Only
Jane is an employee of an Enterprise customer, Contoso, that has given her a Dynamics 365 account. She contacts Microsoft to have all her data deleted and is referred to the Privacy Response Center. Jane fills out the request form. The Privacy Response Center identifies her as an enterprise end user and lets her know she needs to work through Contoso for the deletion of her enterprise data. They also identify her as a Microsoft Xbox user and delete her data out of her consumer Microsoft account.
DSR for Customer Provided Data: Commercial Support
How to receive assistance from Microsoft when a customer has received a request from their employee or other data subjects to exercise their rights, and that data subject's personal data was collected by Microsoft Support during a support engagement.
When a customer engages with Microsoft Support, Microsoft collects Support Data from the customer to resolve any issues that required a support engagement. This Support Data includes Microsoft's interaction with the customer (for example, chat, phone, email, web submission) plus any content files the customer sends to Microsoft or Microsoft has, with customer's permission, extracted from the customer's IT environment or Online Services tenancy to resolve the support issue. In the case of Premier support, this would also include any data we collect from you to proactively prevent future issues. However, this excludes other information from Microsoft's business relationship with the customer (for example, billing records).
For all Support Data and Contact Data collected in the course of providing support, Microsoft is the data processor. As such, Microsoft will not respond to direct requests from data subjects regarding Support Data provided when they were associated with a Microsoft commercial customer. Microsoft will work with the customer through their normal support channels to assist them in responding to DSRs.
Step 1: Discover
The first step in obtaining Microsoft's assistance in responding to a DSR is to find the personal data that is the subject of the DSR. This first step—finding and reviewing the personal data at issue—will help a customer determine whether a DSR meets the organization's policies for honoring a data subject request.
After the customer finds the data, the customer can then perform the specific action to satisfy the request by the data subject. What the customer is trying to do will determine the level of discovery the customer needs to engage in.
Where Microsoft assists a customer with the resolution of a DSR, this is a business function, and the request is made through your regular support channel and not through a request to the Privacy Response Center.
In discovering relevant data and obtaining Microsoft's assistance, a customer has several options for how to approach the DSR:
Option A: Cross-Microsoft Support Customer DSR. Apply the DSR to all the customer's support data across Microsoft's support environment. To do this, a customer can just ask Microsoft to apply the DSR to all Support Data collected.
Option B: Specific Customer Engagements. Use online systems to review tickets, then identify specific engagements containing the relevant personal data and report them to Microsoft. Microsoft will attempt to provide assistance to perform a search if the customer does not have the ability to search across engagements (tickets).
Once engagements are identified, request to apply the DSR to either a specific part of the record or everything related to that engagement across Microsoft.
To identify specific engagements, customers need to search across their engagements. For Premier customers, the Contract Service Manager ("CSM") for a customer has visibility across all Support Requests (SRs) that are created under that Contract Schedule. For non-Premier customers, equivalent support engagement portals are available, such as through Online Services support areas.
The CSM can go to the portal at Services Hub and select manage all Support Requests.
In addition to the case history in Services Hub, customers may also have personal data of an end user in files that were collected by Microsoft (or, with the customer's permission, removed from the Online Service) during a support engagement. Examples may include copies of the customer's Exchange mailboxes, Azure VMs, or databases. This personal data may or may not be mentioned in the case history (that is, the ticket) for a particular engagement. To review that data, the Customer Contact must be a specific authenticated (via AAD or MSA) Support Request contact that has received a URL for a workspace in the Microsoft Support Data Transfer and Management tool (DTM). A Customer Contact will have access to the files, but no global view is available, and Services Hub will not indicate if files exist.
Once customers have identified all the relevant data in the selected support tickets, customers can decide whether to request the deletion of everything related to a ticket or selectively apply the DSR to individual instances of personal data.
Step 2: Access
After a customer has found Support Data containing personal data that is potentially responsive to a DSR, it is up to the customer to decide which personal data to include in the response. For example, the customer may choose to remove personal data about other data subjects and any confidential information.
Response to the DSR may include a copy of the actual document, an appropriately redacted version, or a screenshot of the portions the customer has deemed appropriate to share. For each of these responses to an access request, the customer will have to retrieve a copy of the document or other item that contains the responsive data.
Access to the personal data of an end user may be from a mention or notation in the various types of content documentation. Since customers may access the engagement ticket and the content, they can provide a summary of personal data themselves without further assistance from Microsoft.
In rare cases, a customer may need to obtain copies of support interaction data (for example, emails, transcribed copies of phone recordings, chat transcripts) between a Microsoft Representative and the Customer's Representative. To the extent required, Microsoft may provide redacted copies of these transcripts based on need, sensitivity, and difficulty.
Step 3: Rectify
If a data subject has asked the customer to rectify the personal data that resides in their organization's Support Data, the customer will have to determine whether it's appropriate to honor the request. If the customer chooses to honor the request, then the customer may request that Microsoft make the change. Microsoft may rectify data or may delete customer's data from the support systems and request that the customer resubmit it to Microsoft in corrected format.
Step 4: Restrict
The customer may at any time close an engagement or contact Microsoft and request the engagement be closed. A closed engagement will prevent any work from being performed.
For extra assurance, the customer may contact Microsoft and request that a note be placed in the engagement ticketing system instructing that the case should not be re-opened for any reason absent the customer's permission.
Note: Engagements (tickets) will also be deleted according to a retention and deletion schedule, based on the sensitivity of data, service, and system. If a customer requires a copy of data, they should ensure that they have extracted the data prior to deletion.
Step 5: Delete
The "right to erasure" by the removal of personal data from an organization's Support Data is a key protection in the GDPR. Removing personal data includes deleting entire engagements, documents, or files or deleting specific data within an engagement, document, or file.
As a customer investigates or prepares to delete personal data in response to a DSR, here are a few important things to understand about how deletion works for Microsoft Support.
All data at Microsoft has a retention and deletion policy applied to it, which will vary depending on risk and other factors.
Customers requesting the deletion of a data subject's personal data universally across Support systems may do so through their TAM or by filing a Support Request (SR) in Services Hub or equivalent system. Customers must indicate that this is a request to assist with a DSR under GDPR.
Option A: Cross-Microsoft Support Customer DSR. For a cross-system DSR, the customer must provide the personal data that Microsoft needs to identify the required data (for example, email address, phone number). Microsoft will not correlate or research records and will only search directly on identifiers provided by the customer. When data is found, Microsoft will delete all engagements and all associated data.
Important Note: this may result in loss of historical records that are important to customer's organization.
Option B: Specific Customer Engagements. For specific engagements that the customer has identified and wants deleted, do not delete tickets out of Services Hub. This will result in personal data remaining in logs and downstream systems that may not be deleted within the needed timeframe. Instead, identify the ticket or personal data within the ticket that must be deleted, and contact Microsoft Support to assist you in deleting that data.
Microsoft Support Data Transfer and Management tool (DTM) instructions
For all these searches, Microsoft will not search across DTM due to the potential sensitivity of content in files. However, if the customer desires, Microsoft will delete all files contained in DTM associated with the customer's account. Due to the potential for serious customer impact, Microsoft requires a separate request from the customer specifying the deletion of DTM files.
- For open cases, the Customer Contact can go into DTM and delete files.
- For cases closed less than 90 days ago, a request must be made to a TAM or in an SR to have the files removed.
- For cases closed more than 90 days ago, files have already been automatically deleted.
- Even if the personal data was only located within a file that has been deleted, customers must still have Microsoft run a check across systems for the personal data, as some data may have been removed from DTM in the course of providing support.
Step 6: Export
The "right of data portability" allows a data subject to request a copy of their personal data in an electronic format and request that your organization transmit it to another controller. In the case of Support Data, any usable information that Microsoft has would be in the form of engagement information or files that can be returned to you for re-communication or uploading to another controller.
Note: Exported data may not include Microsoft's intellectual property or any data that may compromise the security or stability of the service.
Example for Illustration Purposes Only
John is a Premier CSM for an Enterprise customer, Contoso, that uses O365 for its employee e-mail and Azure to host a Contoso SQL Database. Contoso has multiple open and closed tickets. Recently, Microsoft Support, with Contoso's permission, moved a copy of the SQL Database into DTM for support and troubleshooting.
John receives a DSR from Jane asking that all her data be deleted. John goes into Services Hub and searches across engagements to identify that Jane had email account issues and so was referenced in two tickets by name and email address. He contacts his TAM, provides the TAM with Jane's name and e-mail address as an identifier, and requests that those two tickets be deleted, along with all downstream data that may have been generated out of those tickets.
He also suspects he was engaged in a chat conversation with support personnel where he mentioned Jane, so he requests that the chat log be deleted.
He also knows that Jane's personal data is in the SQL Database. Since the SQL VM was moved into DTM less than 90 days ago, he asks his TAM separately to assist in the immediate deletion of the database out of DTM.
Lastly, since he knows that data may have been removed from the DTM file while providing support, he asks Microsoft to run a check across IT systems for Jane's personal data from the SQL Database.
Microsoft Support performs all these deletions and, based on customer request, the TAM provides him with an attestation statement that the required data has been deleted.
DSR Guide for Customer Provided Data in Consulting Services including Migration Services
How to receive assistance from Microsoft when a customer has received a request from their employee or other data subjects to exercise their rights, and that data subject's personal data was collected by Microsoft during a consulting engagement.
Microsoft Consulting Services
For Microsoft Consulting Services engagements contracted where the Microsoft Professional Services Data Protection Addendum (https://aka.ms/professionalservicesdpa) applies:
Microsoft is the data controller for Customer Contacts working with the engagement team. Those individuals should contact the Privacy Response Center to fulfill data subject rights.
Microsoft is the data processor for a DSR located within data provided during a consulting engagement. The customer should contact the engagement manager to build in a plan to assist in responding to a DSR based on the data collected and the specific type of consulting services provided. To the extent your request constitutes a level of effort typically seen within a Microsoft Consulting Services engagement, there may be an additional work order required. Additionally, personal data will be deleted after each consulting engagement within a timeframe dependent on the type of consulting engagement. The customer can request data to be deleted sooner and request an attestation of deletion.
Microsoft FastTrack Services
Microsoft FastTrack provides IT consulting services to organizations to help them onboard and use Microsoft cloud services such as Microsoft 365, Azure, and Dynamics 365.
Microsoft is the data controller for Customer Contacts working with the FastTrack team. If Customer Contacts wish to access, revise, or remove contact information from Microsoft's FastTrack records, customers can have the data subject send the request directly to the Office 365 FastTrack GDPR Request inbox <firstname.lastname@example.org>.
For FastTrack migration services, Microsoft is the data processor. In accordance with our FastTrack additional privacy disclosure statement, all data in migration is considered "migration data." If you need to execute DSRs while your organization is engaged in a FastTrack migration project, special care is required.
If you need to process any access, rectify, or export DSRs while a user's data is being processed through FastTrack migration systems, it will be the customer's responsibility to fulfill such DSRs through your existing source systems in which the user data is stored. Once the user's migration is complete and the data has been migrated to the destination Microsoft cloud service, the guidance provided by Microsoft on how customers can use Microsoft products, services, and administrative tools to find and act on personal data to respond to data subject requests will then apply. To view this guidance, see Data Subject Requests for the GDPR.
If you need to delete a user account in response to a DSR delete request while your organization is engaged in an ongoing FastTrack migration project, you should be aware that migration systems may retain a copy of user migration data for a period of time following completion of the user's migration, and deleting the user account will not automatically delete such user migration data stored in FastTrack migration systems. If you would like the Microsoft FastTrack team to delete user migration data, you can submit a request. In the ordinary course of business, Microsoft FastTrack will delete all data copies once your organization's migration is complete.
Other Consulting Services
Customers receiving other Professional Services through Microsoft should work through the engagement team for fulfillment of all GDPR requirements. If the engagement team is not able to provide clear instructions on GDPR DSR fulfillment, customers may contact the Privacy Response Center for assistance.