Microsoft’s GDPR Commitments to Customers of our Generally Available Enterprise Software Products

Introduction

The European Union’s General Data Protection Regulation (GDPR) sets a new bar globally for privacy rights, information security, and compliance. At Microsoft, we believe privacy is a fundamental right and that the GDPR is an important step forward in protecting and enabling the privacy rights of individuals.

Microsoft is committed to its own compliance with the GDPR, as well as to providing an array of products, features, documentation, and resources to support our customers in meeting their compliance obligations under the GDPR. Following is a description of Microsoft’s contractual commitments to its customers concerning personal data collected from enterprise software:

Does Microsoft make commitments to its customers with regard to the GDPR?

Yes. The GDPR requires that controllers (such as organizations and developers using Microsoft’s enterprise online services) only use processors (such as Microsoft) that process personal data on the controller’s behalf and provide sufficient guarantees to meet key requirements of the GDPR. Microsoft has taken the proactive step of providing these commitments to all enterprise online service customers as part of their subscription agreements and to volume licensing customers as part of their enterprise agreements. Customers of other generally available enterprise software licensed by Microsoft or our affiliates also enjoy the benefits of Microsoft’s GDPR commitments, as described in this notice, to the extent the software processes personal data.

Where can I find Microsoft’s contractual commitments with regard to the GDPR?

You can find Microsoft’s contractual commitments with regard to the GDPR in the Online Services Terms, which provide Microsoft’s privacy and security commitments, data processing terms and GDPR Terms for Microsoft-hosted services to which customers subscribe under a volume licensing agreement. The GDPR Terms are in Attachment 4 to the Online Services Terms, at the end of the document, and they commit Microsoft to the requirements of processors in GDPR Article 28 and other relevant articles of the GDPR.

Microsoft extends the GDPR Terms to all customers of generally available enterprise software products licensed by us or our affiliates under Microsoft software license terms, effective as of May 25, 2018, regardless of the applicable version of the enterprise software, to the extent Microsoft is a processor or subprocessor of personal data in connection with such software, and so long as Microsoft continues to offer or support the version. Support details can be found in the Microsoft Lifecycle Policy at https://support.microsoft.com/en-us/lifecycle.

For clarity, different or lesser commitments may apply to beta or preview software, software that has been materially modified, or any software licensed by Microsoft or our affiliates that is not made generally available to the public or otherwise not licensed under Microsoft software license terms. Some products may collect and send to Microsoft telemetry or other data by default; product documentation provides information and instructions for how to turn off or configure such telemetry collection.

What commitments are in the GDPR Terms?

Microsoft’s GDPR Terms reflect the commitments required of processors in Article 28 of the GDPR. Article 28 requires that processors commit to:

  • only use subprocessors with the consent of the controller and remain liable for subprocessors;
  • process personal data only on instructions from the controller, including with regard to transfers;
  • ensure that persons who process personal data are committed to confidentiality;
  • implement appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk;
  • assist the controller in its obligations to respond to data subjects’ requests to exercise their GDPR rights;
  • meet the GDPR’s breach notification and assistance requirements;
  • assist the controller with data protection impact assessments and consultation with supervisory authorities;
  • delete or return personal data at the end of provision of services; and
  • support the controller with evidence of compliance with the GDPR.