Microsoft Learn Data Access and Sharing Agreement

This Microsoft Learn Data Access and Sharing Agreement (“Agreement”) is between Microsoft Corporation, a Washington corporation (“Microsoft”), and the Microsoft customer accessing and receiving data from Microsoft Learn (“Customer”) (each a “party,” and collectively the “parties”). The terms and conditions of this Agreement apply to Microsoft (or any Microsoft Affiliate) and Customer (or any Customer Affiliate) where either party (or a party’s Affiliate) Processes Personal Data in connection with Customer’s access or use of Microsoft Learn. Customer’s access or use of Microsoft Learn is governed by the Microsoft Docs Terms of Use (”Terms of Use”), available at https://docs.microsoft.com/legal/termsofuse, which includes, as applicable, the Microsoft Learn API terms of use, available at https://docs.microsoft.com/legal/microsoft-apis/terms-of-use. If you are a third-party contractor authorized by Customer (or a Customer Affiliate) to implement and access Microsoft Learn Organizational Reporting on behalf of Customer (or such Customer Affiliate), you are subject to, and you hereby agree to be bound by, the Terms of Use. Customer will at all times remain responsible for the acts or omissions of any such third-party contractor. Except as expressly stated otherwise, in the event of a conflict between the terms of the Terms of Use and the terms of this Agreement, the terms of this Agreement will take precedence to the extent necessary to resolve the conflict. The attachments referred to herein will be construed with, and as an integral part of, this Agreement.

1. Purpose

This Agreement modifies and supplements the terms and conditions in the Terms of Use as they relate to the parties’ Processing of Personal Data and compliance with Data Protection Law. Notwithstanding anything to the contrary in the Terms of Use, if there is a conflict between this Agreement and the Terms of Use, this Agreement will control.

2. Definitions

2.1. Terms that are capitalized but not defined have the meanings assigned to them in the Terms of Use.

2.2. The following terms have the meanings assigned to them in the CCPA: “business,” “business purpose,” “intentionally interacts,” “sale,” and “third party.”

2.3. The following terms have the meanings assigned to them in the GDPR: “Controller,” “Processor,” and “Subprocessor.”

2.4. “Customer End User” means an End User who accesses or uses Microsoft Learn or begins a Microsoft Learn module with a Microsoft account that is provided to the End User by Customer for purposes of conducting Customer’s business.

2.5. “California Consumer Privacy Act” (“CCPA”) means Cal. Civ. Code Title 1.81.5, § 1798.100 et seq.

2.6. “General Data Protection Regulation” (“GDPR”) means Regulation (EU) 2016/679.

2.7. “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2.8. “Data Protection Law” means any applicable law, rule, regulation, decree, statute, or other enactment, order, mandate or resolution relating to data security, data protection and/or privacy, including the GDPR and CCPA, and any implementing, derivative or related legislation, rule, and regulation as amended, extended, repealed and replaced, or re-enacted.

2.9. “End User” means a person who accesses or uses Microsoft Learn or begins a Microsoft Learn module.

2.10. “Personal Data” means any data or information that constitutes personal data or personal information under any applicable Data Protection Law, including any information relating to a Data Subject.

2.11. “Process” and its cognates means any operation or set of operations that is performed on Personal Information, including storage, disclosure, erasure, and destruction.

2.12. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, whether transmitted, stored, or otherwise Processed.

2.13. “Standard Contractual Clauses” (“SCCs”) means the European Union standard contractual clauses for the transfer of personal data from the European Economic Area to third countries. Unless otherwise specified, a reference to “SCCs” means the controller-to-controller version (Commission Decision 2004/915/EC).

2.14. “Supervisory Authority” means an independent public authority which is established by a Member State of the European Union (“EU”) pursuant to Article 51 of the GDPR.

3. Status of the Parties and Scope

The parties agree that, with respect to all Personal Data and purposes of Processing described in Appendix 1, Microsoft is a business and Controller, and Customer is a third party and Controller.

3.1. GDPR Roles. The parties agree that for purposes of the GDPR (where applicable), with respect to all Customer End User Data, including Personal Data, disclosed to Customer by Microsoft pursuant to this Agreement, and Processing purposes described herein, that: (i) the parties are each a separate and independent Controller; (ii) the parties do not and will not Process the data as joint Controllers; (iii) each party shall comply with the obligations that apply to it as a Controller; and (iv) each party shall be individually and separately responsible for its own compliance.

3.2. CCPA Roles. The parties agree that for purposes of the CCPA (where applicable), with respect to all Customer End User Data, including Personal Data, disclosed to Customer by Microsoft pursuant to this Agreement, Customer End User Data is made available to Customer by Microsoft only after the Customer End User intentionally interacts with Customer through the access or use of a Microsoft API, including Microsoft Learn.

4. Microsoft Obligations

4.1. Data Access. Microsoft will grant Customer access to and use of certain information, including Personal Data, relating to each Customer End User who has accessed or used Microsoft Learn or started a Microsoft Learn module within the preceding 30 (thirty) day period (“Customer End User Data”). With respect to each Customer End User, Customer End User Data shall include activity, completion, and certification data without exposing any personal information. Customer End User Data will be refreshed by Microsoft every 30 (thirty) days, beginning on 12/1/2020. Microsoft may change or discontinue Customer’s access to Customer End User Data, or the information that is disclosed by Microsoft as Customer End User Data, at any time for any reason, with or without notice.

4.2. End User Notification. Microsoft will notify End Users that certain information relating to their access to and use of Microsoft Learn, which may include Personal Data, shall be made available to Customer if the End User accesses or uses Microsoft Learn or begins a Microsoft Learn module with a Microsoft account that is provided to an End User by Customer for purposes of conducting Customer’s business.

4.3. Compliance. Microsoft will comply with Data Protection Law.

5. Customer Obligations

5.1. Responsibilities. Customer is solely responsible for determining the purposes and means of Customer’s Processing of Customer End User Data, including Personal Data, that is made available to Customer by Microsoft pursuant to this Agreement. This includes, but is not limited to: (i) Obtaining all necessary consents before Processing the data and obtaining additional consent if the Processing changes. (ii) Determining the lawful purposes of Processing the data as required under Data Protection Law. (iii) In the event Customer stores the data locally, ensuring that data is kept up to date and implement corrections, restrictions to data, or the deletion of data, including in connection with individual requests received with regard to the data under Data Protection Law. (iv) Implementing proper retention, maintenance, security, and deletion policies. (v) Maintaining and complying with a written statement available to Customer End Users that describes Customer’s privacy practices regarding data and information that Customer collects and uses, including with respect to Customer End User Data. (vi) Any further transfer or disclosure of the data within Customer’s organization or to any other party. (vii) Any onward international transfers of the data, including onward transfers to a third country outside of the EEA, United Kingdom, or Switzerland if Customer is located within the EEA, United Kingdom, or Switzerland.

5.2. Without limiting Customer’s obligation to comply with the Agreement or Terms of Service, in its capacity as a Controller and third party with respect to the Customer End User Data, including Personal Data, that is made available to Customer by Microsoft pursuant to this Agreement, Customer will: (i) Confidentiality. Ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (ii) Security. Take all measures required in accordance with good industry practice and by Data Protection Law relating to data security (including, but not limited to, Article 32 of the GDPR), which must be at least as protective as the security requirements set forth in the Terms of Use; (iii) Designated Contact. Act and put itself forward as the designated contact point for Data Subjects with respect to Customer End User Data, including Personal Data, disclosed to Customer by Microsoft pursuant to this Agreement, always provided that Data Subject can exercise their rights under the GDPR vis-à-vis each individual Controller. (iv) Individual Requests. Implement and maintain technical and organizational means to obtain information necessary to respond to requests from individuals to exercise rights afforded to them under Data Protection Law or Customer’s privacy policies, including rights of access, deletion, modification, portability, opt-out, limitation of Processing, or objection. In the event that Customer receives a request from a Data Subject relating to the Processing of their Personal Data by Microsoft under this Agreement: (i) promptly notify Microsoft of such request, (ii) direct the individual to Microsoft in order to enable Microsoft to respond directly to the request, and (iii) reasonably cooperate with Microsoft in responding to such request. Without limiting the foregoing, Customer agrees that it will promptly (and in any event within five (5) business days) notify Microsoft of any request pursuant to Article 16 (Right to rectification), Article 17 (Right to erasure), or Article 18 (Right to restriction of processing) of the GDPR that relates in any way to Customer End User Data. Without limiting the foregoing, promptly delete and, if applicable, cease all sales of, any Personal Data for which Microsoft notifies Customer that Microsoft has received a valid deletion or opt-out request, and will indemnify Microsoft for any claims relating to Customer’s breach of the foregoing. (v) Cooperation and Assistance. Assist Microsoft in ensuring compliance with data security, Personal Data Breach, data protection impact assessments, and engaging in other consultations, pursuant to Data Protection Law (including Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Customer). (vi) Breach Notification. Upon becoming aware of any actual or suspected Personal Data Breach affecting Customer End User Data disclosed to Customer by Microsoft pursuant to this Agreement, notify Microsoft without undue delay and immediately make best efforts secure its systems. (vii) Audit. Without limiting any of Microsoft’s existing audit rights under the Terms of Use, make available to Microsoft all information necessary to demonstrate compliance with Data Protection Law (including, but not limited to, the obligations laid down in Article 28 of the GDPR) and allow for and contribute to audits, including inspections, conducted by Microsoft or another auditor mandated by Microsoft; and treat all such information as Confidential Information. (viii) Governmental Requests. If Customer receives any type of request or inquiry from a governmental authority (e.g., the Federal Trade Commission, the Attorney General of a U.S. state, or a European Supervisory Authority) in connection with the parties’ Processing of Personal Data under this Agreement, immediately inform Microsoft and reasonably cooperate to provide Microsoft with records related to its Processing activities in connection with the Terms of Use and this Agreement, including information on the categories of Personal Data Processed and the purposes of the Processing, the use of Subprocessors with respect to such Processing, any data disclosures or transfers to third parties, and a general description of technical and organizational measures used to protect the security of such data. (ix) Legal Claims. Where Microsoft or a Microsoft Affiliate faces an actual or potential claim arising out of or related to violation of any Data Protection Law (e.g., Article 82 of the GDPR) concerning products, services, or data provided or made available to Customer by Microsoft or a Microsoft Affiliate, promptly provide all materials and information requested by Microsoft that is relevant to the defense of such claim and the underlying circumstances concerning the claim.

5.3. Compliance. Customer will: (i) comply with Data Protection Law; and (ii) immediately inform Microsoft if, in its opinion, Customer is unable to satisfy the obligations, requirements, or allocation of responsibilities regarding Customer End User Data set forth herein.

6. Data Transfers from the European Economic Area, United Kingdom, or Switzerland to the United States.

To the extent that Microsoft discloses Personal Data to Customer where Microsoft is located in the European Economic Area (“EEA”), United Kingdom, or Switzerland and Customer is located in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Information from the other party in the EEA, United Kingdom, or Switzerland, the parties will comply with the obligations of the form of SCCs applicable to the parties’ status as either data importer or data exporter. Appendix 1 sets forth the parties’ statuses and respective obligations and the information required by the SCCs’ Annexes. The SCCs are hereby incorporated into this Agreement, and the parties agree that by executing this Agreement they are accepting their respective obligations under the SCCs.

7. Miscellaneous

7.1. Expiration or Termination. At the expiration or termination of this Agreement or application of the Terms of Use (e.g., if Customer does not agree to the Terms or Use or if Microsoft terminates the Terms of Use), or upon request by Microsoft or a Microsoft Affiliate, Microsoft will terminate Customer’s access to Customer End User Data. Notwithstanding expiration or termination, Microsoft may change or discontinue Customer’s access to Customer End User Data, or the information that is disclosed as Customer End User Data, at any time for any reason, with or without notice.

7.2. Certification. By signing this Agreement, Customer certifies that it understands and will comply with the obligations, requirements, and allocation of responsibilities regarding Customer End User Data set forth herein.

7.3. Indemnification. Without limiting Customer’s obligations under the Terms of Use, Customer will defend, hold harmless, and indemnify Microsoft from any claim or action brought by a third party, including all damages, liabilities, costs and expenses, and reasonable attorney fees, to the extent resulting from, alleged to have resulted from, or in connection with Customer’s breach of the obligations herein.

7.4. Construction. Neither party has entered this Agreement in reliance on any promise, representation, or warranty not contained herein. This Agreement will be interpreted according to its plain meaning without presuming that it should favor either party.

7.5. Entire agreement. This Agreement supersedes all prior and contemporaneous communications, whether written or oral, regarding the subject matter covered in this Agreement.

7.6. No further amendment. Except as modified by this Agreement, the Terms of Use remains unmodified and in full force and effect.  

APPENDIX 1: INFORMATION REQUIRED BY SCCS

1. The Parties’ Roles

1.1. The parties agree that, with respect to the Controller-to-Controller SCCs (Commission Decision 2004/915/EC), Microsoft is a data exporter and Customer is a data importer regardless of their location.

2. Applicable SCCs Provisions

2.1. The parties agree that, with respect to the Controller-to-Controller SCCs (Commission Decision 2004/915/EC), for the purposes of Clauses 9 and 11(3), the governing law will be the country in which the data exporter is established.  

APPENDIX 1A

The following chart includes the information required by Annex B of the controller-to-controller standard contractual clauses. Categories of Personal Data Personal Data about any Customer End User that that Contractor receives from Microsoft regarding the End User’s access to or use of Microsoft Learn or commencement a Microsoft Learn module within the preceding 30 (thirty) day period (“Customer End User Data”). With respect to each Customer End User, Customer End User Data shall include first and last name, e-mail address, and [training module records]. Customer End User Data will be refreshed by Microsoft every 30 (thirty) days, beginning when the data share is created.

Processing Activities Microsoft will enable Customer to access and download Customer End User Data, including any Personal Data contained therein, to further Process for Customer’s own purposes. Recipients of Personal Data Data importer (Customer) or data importer’s Subprocessors. Data Subjects Customer End Users. Special Categories of Data None. Purposes of the Transfer To facilitate the Processing Activities described above.

Description of the technical and organizational security measures implemented by the data importer Customer will maintain security measures at least as protective as those described under Section [5] of this Agreement and the Terms of Service.