Microsoft Learn Data Access and Sharing Agreement
2.2. The following terms have the meanings assigned to them in the CCPA: “business,” “business purpose,” “intentionally interacts,” “sale,” and “third party.”
2.3. The following terms have the meanings assigned to them in the GDPR: “Controller,” “Processor,” and “Subprocessor.”
2.4. “Customer End User” means an End User who accesses or uses Microsoft Learn or begins a Microsoft Learn module with a Microsoft account that is provided to the End User by Customer for purposes of conducting Customer’s business.
2.5. “California Consumer Privacy Act” (“CCPA”) means Cal. Civ. Code Title 1.81.5, § 1798.100 et seq.
2.6. “General Data Protection Regulation” (“GDPR”) means Regulation (EU) 2016/679.
2.7. “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2.8. “Data Protection Law” means any applicable law, rule, regulation, decree, statute, or other enactment, order, mandate or resolution relating to data security, data protection and/or privacy, including the GDPR and CCPA, and any implementing, derivative or related legislation, rule, and regulation as amended, extended, repealed and replaced, or re-enacted.
2.9. “End User” means a person who accesses or uses Microsoft Learn or begins a Microsoft Learn module.
2.10. “Personal Data” means any data or information that constitutes personal data or personal information under any applicable Data Protection Law, including any information relating to a Data Subject.
2.11. “Process” and its cognates means any operation or set of operations that is performed on Personal Information, including storage, disclosure, erasure, and destruction.
2.12. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, whether transmitted, stored, or otherwise Processed.
2.13. “Standard Contractual Clauses” (“SCCs”) means the European Union standard contractual clauses for the transfer of personal data from the European Economic Area to third countries. Unless otherwise specified, a reference to “SCCs” means the controller-to-controller version (Commission Decision 2004/915/EC).
2.14. “Supervisory Authority” means an independent public authority which is established by a Member State of the European Union (“EU”) pursuant to Article 51 of the GDPR.
3. Status of the Parties and Scope
The parties agree that, with respect to all Personal Data and purposes of Processing described in Appendix 1, Microsoft is a business and Controller, and Customer is a third party and Controller.
3.1. GDPR Roles. The parties agree that for purposes of the GDPR (where applicable), with respect to all Customer End User Data, including Personal Data, disclosed to Customer by Microsoft pursuant to this Agreement, and Processing purposes described herein, that: (i) the parties are each a separate and independent Controller; (ii) the parties do not and will not Process the data as joint Controllers; (iii) each party shall comply with the obligations that apply to it as a Controller; and (iv) each party shall be individually and separately responsible for its own compliance.
3.2. CCPA Roles. The parties agree that for purposes of the CCPA (where applicable), with respect to all Customer End User Data, including Personal Data, disclosed to Customer by Microsoft pursuant to this Agreement, Customer End User Data is made available to Customer by Microsoft only after the Customer End User intentionally interacts with Customer through the access or use of a Microsoft API, including Microsoft Learn.
4. Microsoft Obligations
4.1. Data Access. Microsoft will grant Customer access to and use of certain information, including Personal Data, relating to each Customer End User who has accessed or used Microsoft Learn or started a Microsoft Learn module within the preceding 30 (thirty) day period (“Customer End User Data”). With respect to each Customer End User, Customer End User Data shall include activity, completion, and certification data without exposing any personal information. Customer End User Data will be refreshed by Microsoft every 30 (thirty) days, beginning on 12/1/2020. Microsoft may change or discontinue Customer’s access to Customer End User Data, or the information that is disclosed by Microsoft as Customer End User Data, at any time for any reason, with or without notice.
4.2. End User Notification. Microsoft will notify End Users that certain information relating to their access to and use of Microsoft Learn, which may include Personal Data, shall be made available to Customer if the End User accesses or uses Microsoft Learn or begins a Microsoft Learn module with a Microsoft account that is provided to an End User by Customer for purposes of conducting Customer’s business.
4.3. Compliance. Microsoft will comply with Data Protection Law.
5. Customer Obligations
5.1. Responsibilities. Customer is solely responsible for determining the purposes and means of Customer’s Processing of Customer End User Data, including Personal Data, that is made available to Customer by Microsoft pursuant to this Agreement. This includes, but is not limited to: (i) Obtaining all necessary consents before Processing the data and obtaining additional consent if the Processing changes. (ii) Determining the lawful purposes of Processing the data as required under Data Protection Law. (iii) In the event Customer stores the data locally, ensuring that data is kept up to date and implement corrections, restrictions to data, or the deletion of data, including in connection with individual requests received with regard to the data under Data Protection Law. (iv) Implementing proper retention, maintenance, security, and deletion policies. (v) Maintaining and complying with a written statement available to Customer End Users that describes Customer’s privacy practices regarding data and information that Customer collects and uses, including with respect to Customer End User Data. (vi) Any further transfer or disclosure of the data within Customer’s organization or to any other party. (vii) Any onward international transfers of the data, including onward transfers to a third country outside of the EEA, United Kingdom, or Switzerland if Customer is located within the EEA, United Kingdom, or Switzerland.
5.3. Compliance. Customer will: (i) comply with Data Protection Law; and (ii) immediately inform Microsoft if, in its opinion, Customer is unable to satisfy the obligations, requirements, or allocation of responsibilities regarding Customer End User Data set forth herein.
6. Data Transfers from the European Economic Area, United Kingdom, or Switzerland to the United States.
To the extent that Microsoft discloses Personal Data to Customer where Microsoft is located in the European Economic Area (“EEA”), United Kingdom, or Switzerland and Customer is located in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Information from the other party in the EEA, United Kingdom, or Switzerland, the parties will comply with the obligations of the form of SCCs applicable to the parties’ status as either data importer or data exporter. Appendix 1 sets forth the parties’ statuses and respective obligations and the information required by the SCCs’ Annexes. The SCCs are hereby incorporated into this Agreement, and the parties agree that by executing this Agreement they are accepting their respective obligations under the SCCs.
7.2. Certification. By signing this Agreement, Customer certifies that it understands and will comply with the obligations, requirements, and allocation of responsibilities regarding Customer End User Data set forth herein.
7.4. Construction. Neither party has entered this Agreement in reliance on any promise, representation, or warranty not contained herein. This Agreement will be interpreted according to its plain meaning without presuming that it should favor either party.
7.5. Entire agreement. This Agreement supersedes all prior and contemporaneous communications, whether written or oral, regarding the subject matter covered in this Agreement.
APPENDIX 1: INFORMATION REQUIRED BY SCCS
1. The Parties’ Roles
1.1. The parties agree that, with respect to the Controller-to-Controller SCCs (Commission Decision 2004/915/EC), Microsoft is a data exporter and Customer is a data importer regardless of their location.
2. Applicable SCCs Provisions
2.1. The parties agree that, with respect to the Controller-to-Controller SCCs (Commission Decision 2004/915/EC), for the purposes of Clauses 9 and 11(3), the governing law will be the country in which the data exporter is established.
The following chart includes the information required by Annex B of the controller-to-controller standard contractual clauses. Categories of Personal Data Personal Data about any Customer End User that that Contractor receives from Microsoft regarding the End User’s access to or use of Microsoft Learn or commencement a Microsoft Learn module within the preceding 30 (thirty) day period (“Customer End User Data”). With respect to each Customer End User, Customer End User Data shall include first and last name, e-mail address, and [training module records]. Customer End User Data will be refreshed by Microsoft every 30 (thirty) days, beginning when the data share is created.
Processing Activities Microsoft will enable Customer to access and download Customer End User Data, including any Personal Data contained therein, to further Process for Customer’s own purposes. Recipients of Personal Data Data importer (Customer) or data importer’s Subprocessors. Data Subjects Customer End Users. Special Categories of Data None. Purposes of the Transfer To facilitate the Processing Activities described above.
Description of the technical and organizational security measures implemented by the data importer Customer will maintain security measures at least as protective as those described under Section  of this Agreement and the Terms of Service.