Data Protection Impact Assessments: Guidance for Data Controllers Using Dynamics 365
Under the General Data Protection Regulation (GDPR), data controllers are required to prepare a Data Protection Impact Assessment (DPIA) for processing operations that are 'likely to result in a high risk to the rights and freedoms of natural persons'. There is nothing inherent in Dynamics 365 that would necessarily require the creation of a DPIA by a Data Controller using it. Rather, whether a DPIA is required will be dependent on the details and context of how the data controller deploys, configures, and uses Dynamics 365. In any case, a DPIA should begin early in the life of a project and run in parallel to the planning and development process.
The purpose of this document is to provide data controllers with information about Dynamics 365 that will help them to determine whether a DPIA is needed and, if so, what details to include.
Microsoft is not providing any legal advice in this article. This article is being provided for informational purposes only. Customers are encouraged to work with their privacy officers (and/or Data Protection Officer (DPO) where designated) and/or legal counsel and/or advisors to determine the necessity and content of any DPIAs related to their use of Microsoft Azure or any other Microsoft online service.
Part 1: Determining whether a DPIA is needed
Article 35 of the GDPR requires a data controller to create a Data Protection Impact Assessment '[w]here a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.' It further sets out particular factors that would indicate such a high risk, which are discussed in the following table: In determining whether a DPIA is needed, a data controller should consider these factors, along with any other relevant factors, in light of the controller's specific implementation(s) and use(s) of Dynamics 365.
|Risk Factor||Relevant Information about Dynamics 365|
|A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;||Dynamics 365 does perform certain automated processing of data, such as lead or opportunity scoring (for example, predicting how likely a sale is to occur). But it is not designed to perform processing on which decisions are based that produce legal or similarly significant effects on individuals.
However, because Dynamics 365 is a highly customizable service, a data controller could potentially configure it to be used for such processing, such as scoring for employment decisions or credit applications.
|Processing on a large scale 1 of special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation), or of personal data relating to criminal convictions and offenses;||Dynamics 365 is not designed to process special categories of personal data.
However, a data controller could use Dynamics 365 to process the enumerated special categories of data. For instance, Dynamics 365 offers healthcare industry templates that could be used to process personal data associated with a health condition. Further, Dynamics 365 is a highly customizable service that enables the customer to track or otherwise process any type of personal data, including special categories of personal data. But as the data processor, Microsoft has no control over such use and typically would have little or no insight into such use.
|A systematic monitoring of a publicly accessible area on a large scale||Dynamics 365 is not designed to conduct or facilitate such monitoring.
However, a data controller could use it to process data collected through such monitoring.
1 With respect to the criteria that the processing be on a 'large scale,' Recital 91 of the GDPR clarifies that: 'The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional, or lawyer. In such cases, a data protection impact assessment should not be mandatory.'
Part 2: Contents of a DPIA
Article 35(7) mandates that a Data Protection Impact Assessment specifies the purposes of processing and a systematic description of the envisioned processing. A systematic description of a comprehensive DPIA might include factors such as the types of data processed, how long data is retained, where the data is located and transferred, and what third parties may have access to the data. In addition, the DPIA must include:
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of natural persons; and
- The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
The table below contains information about Dynamics 365 that is relevant to each of those elements. As in Part 1, data controllers must consider the details provided below, along with any other relevant factors, in the context of the controller's specific implementation(s) and use(s) of Dynamics 365.
|Elements of a DPIA||Relevant Information About Dynamics 365|
|Purpose(s) of processing||The purpose(s) of processing data using Dynamics 365 is determined by the controller that implements, configures, and uses it.
Dynamics 365 is an online platform for processing that is made up of several discrete online services, each of which has distinct purposes of processing. Below are the types of services offered by Dynamics365:
Customer Engagement at its core is a customer relationship management service. It includes the following online services: Dynamics 365 for Sales, Dynamics 365 for Marketing, Dynamics 365 for Customer Service, Dynamics 365 for Project Service, and Dynamics 365 for Field Service.
Dynamics 365 for Finance and Operations, Enterprise edition (D365FOEE) is an enterprise resource planning suite offered as a software as a service (SaaS), that is provided primarily to enterprise customer management of Sales, Service, Finance and Operations, Manufacturing and Human Resources.
Dynamics 365 for Retail (D365FR) is offered as a software as a service (SaaS) with integrated on-premise point-of-sale solutions for enterprise retailers and distributors.
Dynamics 365 Lifecycle Services (LCS) is and ancillary online service, used primarily by enterprise customers in the deployment, management, and maintenance of the customer's D365FOEE, D365FR implementations.
Dynamics 365 for Business Central is an enterprise resource planning offering, provided as a Software as a Service (SaaS) by Microsoft to small and medium-sized enterprises. The service processes personal data to assist with finance, manufacturing, customer relationship management, supply chains, analytics, and electronic commerce.
Dynamics 365 for Talent is offered as a software as a service (SaaS), that provides customers with the management of Human resources and consists of the following services:
Core HR — A service to streamline recordkeeping tasks and automate processes related to staffing an organization. These processes include employee retention, benefits administration, compensation, training, performance reviews, and change management.
Attract - a service to find, interview, and hire personnel.
Onboarding - a service to help onboard new hires into their job*.
Microsoft Social Engagement (MSE) is an ancillary service to Dynamics 365 offered to enterprise customers to (i) enable processing of public social media posts and personal data posted by data subjects in a limited number of social media outlets to help them analyze and identify topics of interest (for example, trends), and manage corporate or institutional presence in these virtual places (for example, fan pages), including publishing content to specific social media outlets (listen); and (ii) engage directly with data subjects via private communications in social media (engage).
In its processor capacity operating the services enumerated above, Dynamics 365 processes personal data only to provide customers its online services as described, including purposes compatible with providing those services such as personalization, security, fraud and malware prevention, troubleshooting and improvement.
As specified by the Product Terms and Products and Services Data Protection Addendum (DPA), Microsoft, as a data processor, processes Customer Data to provide Customer the Online Services in accordance with Customer's documented instructions.
As detailed in the standard Product Terms and Products and Services Data Protection Addendum (DPA), Microsoft also uses Personal Data to support a limited set of legitimate business operations consisting of: (1) billing and account management; (2) compensation (for example, calculating employee commissions and partner incentives); (3) internal reporting and modeling (for example, forecasting, revenue, capacity planning, product strategy); (4) combatting fraud, cybercrime, or cyber-attacks that may affect Microsoft or Microsoft Products; (5) improving the core functionality of accessibility, privacy, or energy efficiency; and (6) financial reporting and compliance with legal obligations (subject to the limitations on disclosure of Customer Data outlined in the Online Service Terms).
Microsoft is controller of the processing of personal data to support these specific legitimate business operations. Generally, Microsoft aggregates Personal Data before using it for our legitimate business operations, removing Microsoft's ability to identify specific individuals, and uses personal data in the least identifiable form that will support processing necessary for legitimate business operations.
Microsoft will not use Customer Data or information derived from it for profiling or for advertising or similar commercial purposes.
|Categories of personal data processed||Customer Data: This is all data, including text, sound, video, or image files and software, that customers provide to Microsoft or that is provided on customers' behalf through their use of Microsoft online services. It includes data that customers upload for storage or processing, and customizations. Examples of Customer Data processed in Office 365 include email content in Exchange Online, and documents or files stored in SharePoint Online or OneDrive for Business.
Service-Generated Data: This is data that is generated or derived by Microsoft through operation of the service, such as use or performance data. Most of these data contain pseudonymous identifiers generated by Microsoft.
Support Data: This is data provided to Microsoft by or on behalf of Customer (or that Customer authorizes Microsoft to obtain from an Online Service) through an engagement with Microsoft to obtain technical support for Online Services.
Customer Data, System-generated Log Data, and Support Data do not include administrator and billing data, such as customer administrator contact information, subscription information, and payment data, which Microsoft collects and processes in its capacity as a data controller and which is outside the scope of this document.
|Data retention||Microsoft will retain Customer Data for the duration of the customer's right to use the service and until all Customer Data is deleted or returned in accordance with the customer's instructions or the terms of the Online Services Terms. At all times during the term of the customer's subscription, the customer will have the ability to access and extract Customer Data stored in the service. Microsoft will retain Customer Data stored in the Online Service in a limited function account for 90 days after expiration or termination of the customer's subscription so that the customer may extract the data. After the 90-day retention period ends, Microsoft will disable the customer's account and delete the Customer Data.
The customer can delete Customer Data and Pseudonymous data at any time using the capabilities described in the Dynamics' Data Subject Rights Guide.
|Location and transfers of personal data||If Customer provisions its instance of Dynamics 365 Core Services in Australia, Canada, the European Union, India, Japan, the United Kingdom, or the United States, Microsoft will store Customer Data at rest within the specified geographic area, subject to certain exceptions as set out in the Online Services Terms. Detailed information about Customer Data storage can be found in the Trust Center.
For personal data from the European Economic Area, Switzerland, and the United Kingdom, Microsoft will ensure that transfers of personal data to a third country or an international organization are subject to appropriate safeguards as described in Article 46 of the GDPR. In addition to Microsoft's commitments under the Standard Contractual Clauses for processors and other model contracts, Microsoft continues to abide by the terms of the Privacy Shield framework but will no longer rely on it as a basis for the transfer of personal data from the EU/EEA to the United States.
|An assessment of the necessity and proportionality of the processing operations in relation to the purposes||Such an assessment will depend on the controller's needs and purposes of processing.
In its processor capacity, Microsoft offers D365 to process personal data only to provide customers its online services, including purposes compatible with providing those services such as personalization to the customer, security, fraud and malware prevention, troubleshooting and improvement. Microsoft processes data on behalf of the customer (tenant) as necessary to provide the requested service as set forth in our Product Terms.
|An assessment of the risks to the rights and freedoms of data subjects||The key risks to the rights and freedoms of data subjects from the use of Dynamics 365 will be a function of how and in what context the data controller implements, configures, and uses it.
Microsoft takes measures such as the anonymization or aggregation of personal data used by Microsoft to support legitimate business operations to support provision of the services, minimizing the risk of such processing to data subjects that use the service.
However, as with any service, personal data held in the service may be at risk of unauthorized access or inadvertent disclosure. Measures Microsoft takes to address such risks are discussed below.
|Data sharing with third-party subprocessors||Microsoft shares data with third parties acting as our subprocessors to support functions such as customer and technical support, service maintenance, and other operations. Any subcontractors to which Microsoft transfers Customer Data, Support Data or Personal Data will have entered into written agreements with Microsoft that are no less protective than the Data Protection Terms of the Online Services Terms. All third-party subprocessors with which Customer Data from Microsoft's Core Online Services is shared are included in the Online Services Subcontractor list. All third-party subprocessors that may access Support Data (including Customer Data that customers choose to share during their support interactions) are included in the Microsoft Commercial Support Contractors list.|
|Data subject rights||When operating as a processor, Microsoft makes available to customers (data controllers) the personal data of its data subjects and the ability to fulfill data subject requests when they exercise their rights under the GDPR. We do so in a manner consistent with the functionality of the product and our role as a processor. If we receive a request from the customer's data subjects to exercise one or more of its rights under the GDPR, we redirect the data subject to make its request directly to the data controller. The Dynamics 365 Data Subject Requests for the GDPR and CCPA provides a description to the data controller on how to support data subject rights using the capabilities in Dynamics 365.
Requests from a data subject to exercise rights under the GDPR for personal data processed to support the legitimate business processes should be directed to Microsoft, as clarified in the Microsoft Privacy Statement.
Microsoft generally aggregates personal before using it for our legitimate business operations and is not in a position to identify personal data for a specific individual in the aggregate. This significantly reduces the privacy risk to the individual. Where Microsoft is not in a position to identify the individual, it cannot support data subject rights for access, erasure, portability, or the restriction or objection of processing.
|The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned||Microsoft is committed to helping protect the security of Customer's information. In compliance with the provisions of Article 32 of the GDPR, Microsoft has implemented and will maintain and follow appropriate technical and organizational measures intended to protect Customer Data and Support Data against accidental, unauthorized, or unlawful access, disclosure, alteration, loss, or destruction.
For detailed list of Microsoft-managed controls (technical and business process controls) for security implemented by Dynamics 365, visit the Service Trust Portal. Further, Microsoft complies with all other GDPR obligations that apply to data processors, including but not limited to, providing data protection impact assessments and accurate record keeping.
Where Microsoft processes personal data for its legitimate business operations, it complies with GDPR obligations that apply to data controllers.