Data Protection Impact Assessments: Guidance for Data Controllers Using Microsoft data processor service for Windows Enterprise
Under the General Data Protection Regulation (GDPR), data controllers are required to prepare a Data Protection Impact Assessment (DPIA) for processing operations that are “likely to result in a high risk to the rights and freedoms of natural persons.” There is nothing inherent in the data processor service for Windows Enterprise itself that would necessarily require the creation of a DPIA by a data controller using it. Rather, whether a DPIA is required will be dependent on the details and context of how the data controller deploys, configures, and uses the data processor service for Windows Enterprise.
The purpose of this document is to provide data controllers with information about the data processor service for Windows Enterprise that will help them to determine whether a DPIA is needed and, if so, what details to include.
Microsoft is not providing any legal advice in this document. This document is being provided for informational purposes only. Customers are encouraged to work with their privacy officers and legal counsel to determine the necessity and content of any DPIAs related to their use of the data processor service for Windows Enterprise or any other Microsoft online service.
Part 1 – Determining whether a DPIA is needed
Article 35 of the GDPR requires a data controller to create a Data Protection Impact Assessment (DPIA) “[w]here a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.” It further sets out particular factors that would indicate such a high risk, which are discussed in the following table. In determining whether a DPIA is needed, a data controller should consider these factors, along with any other relevant factors, in light of the controller’s specific implementation(s) and use(s) of the data processor service for Windows Enterprise.
Table 1 – Data processor service for Windows Enterprise DPIA risk factors
| High risk factor | Relevant information about the data processor service for Windows Enterprise |
|---|---|
| A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person. | The data processor service for Windows Enterprise does not itself provide capabilities for this kind of automated processing or profiling.<br><br>However, because other services use the data processor service for Windows Enterprise as a data source, a data controller could configure those services to perform such processing. Controllers should make this determination based on their use of the services connected to the data processor service for Windows Enterprise. |
| Processing on a large scale of special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation), or of personal data relating to criminal convictions and offenses. | The data processor service for Windows Enterprise is not specifically designed to process special categories of personal data, and using it does not increase the inherent risk of a controller's processing.<br><br>However, a data controller could use services connected to the data processor service for Windows Enterprise to process the enumerated special categories of data. Services that use the data processor service for Windows Enterprise as a data source may enable the customer to track or otherwise process any type of data, including special categories of personal data. As the data processor, Microsoft has no control over such use and has little or no insight into it. It is incumbent upon the data controller to determine appropriate uses of the data controller's data. |
Part 2 – Contents of a DPIA
Article 35(7) mandates that a Data Protection Impact Assessment specify the purposes of processing and a systematic description of the envisioned processing. In a comprehensive DPIA, that systematic description might cover factors such as the types of data processed, how long data is retained, where the data is located and transferred, and what third parties may have access to the data. In addition, the DPIA must include:
an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
an assessment of the risks to the rights and freedoms of natural persons; and
the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
The table below contains information about the data processor service for Windows Enterprise that is relevant to each of those elements. As in Part 1, data controllers must consider the details provided below, along with any other relevant factors, in the context of the controller’s specific implementation(s) and use(s) of the data processor service for Windows Enterprise.
Table 2 – Data processor service for Windows Enterprise DPIA elements
| Element of a DPIA | Relevant information about the data processor service for Windows Enterprise |
|---|---|
| Purpose(s) of processing | The purpose(s) of processing diagnostic data using the data processor service for Windows Enterprise is determined by the controller that implements, configures, and uses it.<br><br>As specified by the Online Services Terms (OST), Microsoft, as a data processor, processes Customer Data only to provide the requested services to our customer, the data controller. Microsoft will not use Customer Data or information derived from it for any advertising or similar commercial purposes. |
| Categories of personal data processed | Customer Data: All data, including all text, sound, video, or image files, and software, that are provided to Microsoft by, or on behalf of, a customer through use of the enterprise service. Customer Data includes identifiable information of end users (for example, user names and contact information in Azure Active Directory, or device information through Windows Diagnostic Data).<br><br>System-Generated Data: Data generated by Microsoft that helps Microsoft provide enterprise services to users. System-generated data contains primarily pseudonymized data, such as unique identifiers generated by the system, that cannot on their own identify an individual person but are used to deliver the enterprise services to users. System-generated data may also contain identifiable information about end users, such as a user name.<br><br>Support Data: Data provided to Microsoft by or on behalf of Customer (or that Customer authorizes Microsoft to obtain from an Online Service) through an engagement with Microsoft to obtain technical support for Online Services.<br><br>For additional details regarding data processed by the data processor service for Windows Enterprise, see the Online Services Terms, as well as the Microsoft Trust Center. |
| Data retention | Microsoft will retain and process Customer Data for the duration of the Customer's right to use the Online Service and until all Customer Data is retrieved by Customer or deleted in accordance with the terms of the OST. At all times during the term of Customer's subscription, the Customer will have the ability to export Customer Data stored in the data processor service for Windows Enterprise. The customer can delete personal data pursuant to a Data Subject Request using the capabilities described in the data processor service for Windows Enterprise Data Subject Request GDPR Documentation. |
| Location and transfers of personal data | Data processor service for Windows Enterprise customers' data resides in Microsoft data centers in the United States. |
| Data sharing with third parties | Microsoft shares data with third parties acting as our subprocessors (that is, subcontractors which process personal data) to support functions such as customer and technical support, service maintenance, and other operations. Any subcontractors to which Microsoft transfers Customer Data or Support Data will have entered into written agreements with Microsoft that are no less protective than the Data Protection Terms of the Online Services Terms. All third-party subcontractors with which Customer Data or Support Data is shared are included in the Lists of subcontractors (see "We limit access by subprocessors").<br><br>Information regarding Microsoft's response to law enforcement and third-party requests for Customer Data and Support Data is located in the Online Services Terms. Unless Microsoft is legally prohibited from doing so, Microsoft will attempt to redirect the law enforcement agency or third party directly to the Customer. |
| Data subject rights | When operating as a processor, Microsoft makes available to the customer (the controller) the personal data of its data subjects and the ability to fulfill data subject requests when they exercise their rights under the GDPR. Microsoft does so in a manner consistent with the functionality of the product and its role as a data processor. If Microsoft receives a request from the customer's data subjects to exercise one or more of their rights under the GDPR, the request will be redirected to the data controller.<br><br>The data processor service for Windows Enterprise Data Subject Request GDPR Documentation describes how to support data subject rights using the capabilities in the data processor service for Windows Enterprise. |
| An assessment of the necessity and proportionality of the processing operations in relation to the purposes | Such an assessment will depend on the data controller's needs and purposes of processing.<br><br>With regard to the processing carried out by Microsoft, such processing is necessary and proportional for the purpose of providing the services to the data controller. Microsoft makes this commitment in the OST. |
| An assessment of the risks to the rights and freedoms of data subjects | The key risks to the rights and freedoms of data subjects from the use of the data processor service for Windows Enterprise will be a function of how and in what context the controller implements, configures, and uses the data processor service for Windows Enterprise.<br><br>However, as with any service, personal data held in the service may be at risk of unauthorized access or inadvertent disclosure. Measures Microsoft takes to address such risks are discussed in the OST and summarized in the next row. |
| The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned | Microsoft is committed to helping protect the security of Customer Data. The security measures Microsoft takes are described in detail in the OST.<br><br>Microsoft takes reasonable and appropriate technical and organizational measures to safeguard the personal data that it processes. These measures include, but are not limited to, internal privacy policies and practices, contractual commitments, and international and regional standards certifications. More information is available on the Trust Center's Privacy Standards page.<br><br>Microsoft provides significant, transparent customer-facing security and privacy materials to help explain Microsoft's use and processing of personal data. Customers are encouraged to contact Microsoft with questions.<br><br>Further, Microsoft complies with all other GDPR obligations that apply to data processors, including, but not limited to, data protection impact assessments and record keeping. |