Microsoft data categories and data protection principles

Microsoft products and platforms can support data protection and help organizations achieve compliance with privacy laws and regulations.

Microsoft data categorization

Microsoft defines the following data categories for online services:

  • Customer data is all data, including text, sound, video, image files, and software, that customers provide to Microsoft or that is provided on their behalf through their use of Microsoft enterprise online services, excluding Microsoft Professional Services. Customer data also includes customer content, which is the data customers upload for storage or processing and apps customers upload for distribution through a Microsoft enterprise cloud service. For example, customer content includes Microsoft Exchange Online email and attachments, Power BI reports, SharePoint Online site content, and instant-messaging conversations.

  • Diagnostic data includes all data that's collected or obtained from software that customers locally install to use with Microsoft enterprise online services. Microsoft uses diagnostic data to help ensure that client software is secure and performs correctly. For example, Microsoft collects information about how long it takes to launch an app, whether an add-in has crashed, and the number of sign-in attempts. Diagnostic data is also known as telemetry data, and doesn't include names, email addresses, or file content.

  • Service-generated data includes all data that Microsoft generates or derives through the operation of its online services. Microsoft uses this data to help ensure that performance, security, scaling, and services that affect customer experience are working effectively. For example, to understand how to improve datacenter capacity to support increased Microsoft Teams usage, Microsoft processes Teams usage log data. Microsoft then reviews the logs for peak usage times and decides which datacenters to add to meet capacity.

  • System-generated logs are logs and related data that Microsoft and other vendors generate to help provide enterprise services to users. System-generated logs contain primarily pseudonymized data, which replaces data with artificial identifiers or pseudonyms. For example, a unique identifier is typically a number that a system generates that can't identify an individual person. System-generated logs might also contain identifiable information about end users, such as user names.

  • Professional services data is all data provided to or processed by Microsoft upon authorization and through a customer engagement to obtain professional services. Professional services data includes data that customers provide to Microsoft during technical support for online services. Examples include text, sound, video, image files, or software provided to Microsoft during troubleshooting.

  • Administrator data is information about administrators that's supplied during signup, purchase, or administration of Microsoft services, such as names, phone numbers, and email addresses. Administrator data also includes aggregated usage information and data associated with an account, such as the controls selected. Microsoft uses administrator data to provide services, complete transactions, maintain accounts, and detect and prevent fraud.

  • Payment data is the information customers provide when they buy something online from Microsoft. Payment data might include a credit card number and security code, name, billing address, and other financial information. Microsoft uses payment data to complete transactions and to detect and prevent fraud.

  • Personal data includes any information that pertains to an identified or identifiable natural person, including pseudonymized data. Personal data is a subset of each of the preceding data categories.

Microsoft privacy principles

Microsoft uses the following key privacy principles for protecting and governing customer data:

| Principle | Description |
| --- | --- |
| Control | Microsoft puts customers in control of their privacy with easy-to-use tools and clear choices. |
| Transparency | Microsoft is transparent about data collection and use, so customers can make informed decisions. |
| Security | Microsoft helps protect the data entrusted to them through strong security and encryption. |
| Legal protection | Microsoft respects local privacy laws and supports legal protection of privacy as a fundamental human right. |
| No content-based targeting | Microsoft doesn't use customers' email, chat, files, or other personal content to target advertisements. |
| Customer benefit | Microsoft uses the data it collects to benefit customers and make their experiences better. |

DSR completion support

Microsoft has products, services, and administrative tools that can help organizations find and act on personal data to respond to data subject requests (DSRs).

  • Discovery. Use search and discovery tools to find customer data that might be the subject of a DSR. After collecting potentially responsive documents, carry out one or more of the other DSR actions listed here, or decide that the request doesn't meet organizational guidelines for responding to DSRs.

  • Access. Retrieve personal data that resides in the Microsoft cloud and, if requested, make a copy of the data available to the data subject.

  • Rectification. Make changes or implement other requested actions on the personal data, where applicable.

  • Restriction. Restrict processing of personal data, either by removing licenses for various Azure services or turning off certain services. Remove the data from the Microsoft cloud and keep it on-premises or at another location.

  • Deletion. Permanently remove personal data from the Microsoft cloud.

  • Exporting and receiving (portability). Provide an electronic copy of personal data or personal information in a machine-readable format to the data subject.