European Union Model Clauses
European Union Model Clauses overview
European Union (EU) data protection law regulates the transfer of EU customer personal data to countries outside the European Economic Area (EEA), which includes all EU countries and Iceland, Liechtenstein, and Norway. The EU Model Clauses are standardized contractual clauses used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law and meet the requirements of the EU Data Protection Directive 95/46/EC.
On a practical level, compliance with EU data protection laws also means that customers need fewer approvals from individual authorities to transfer personal data outside of the EU, since most EU member states do not require additional authorization if the transfer is based on an agreement that complies with the Model Clauses.
Microsoft and European Union Model Clauses
Microsoft has invested in the operational processes necessary to meet the exacting requirements of the Model Clauses for the transfer of personal data to processors. Microsoft offers customers Model Clauses, referred to as Standard Contractual Clauses, that make specific guarantees around transfers of personal data for in-scope Microsoft services. This ensures that Microsoft customers can freely move data through the Microsoft cloud from the EEA to the rest of the world.
However, Microsoft enterprise customers, who are the controllers of the personal data, carry the primary obligation to protect that data. This means that EEA enterprise customers have a strong interest in ensuring that their service provider abides by EU data protection laws, or the customer can face liability — and even blockage of its ability to use a service.
Microsoft provided its Standard Contractual Clauses to the EU's Article 29 Working Party for review and approval. The Article 29 Working Party includes representatives from the European Data Protection Supervisor, the European Commission, and each of the 28 EU data protection authorities (DPAs).
The group determined that implementation of the provisions in Microsoft agreements was in line with their stringent requirements. (Microsoft was the first cloud service provider to receive a letter of endorsement and approval from the group.) Approval covered the engagements reflected in Model Clauses 2010/87/EU but not in the appendices, which describe the transfers of data and the security measures implemented by the data importer. The appendices may be analyzed separately by the DPA.
Microsoft in-scope cloud services
- Azure and Azure Government
- Microsoft Cloud App Security
- Microsoft Professional Services: Premier and On Premises for Azure, Dynamics 365, Intune, and for Medium Business and Enterprise customers of Microsoft 365 for business
- Dynamics 365
- Intune: Cloud service portion of the Intune Add-on Product and Mobile Device Management for Office 365
- Power Automate (formerly Microsoft Flow) cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Office 365
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
- Azure DevOps Services
- Windows Defender Advanced Threat Protection for the following cloud service portions: Endpoint Detection & Response, Automatic Investigation & Remediation, Secure Score.
Audits, reports, and certificates
Microsoft continually assesses the EU standards, and updates its services as needed.
Frequently asked questions
What is the EU Data Protection Directive 95/46/EC?
This directive sets the baseline for handling personal data in the EU. It provides the regulatory framework under which Microsoft transfers personal data out of the EU. Under this directive and our contractual agreements, Microsoft acts as the data processor of customer data. The customer acts as the data controller, with final ownership and responsibility for ensuring that the data can be legally provided to Microsoft for processing outside of the EEA.
Why is compliance with the Model Clauses important?
A service provider that commits contractually to the Model Clauses gives its customers assurance that personal data will be transferred and processed in compliance with EU data protection law. Use of the Model Clauses also means that customers need to get fewer approvals from individual data-protection authorities to transfer personal data outside the EU.
Where can I see compliance information for Microsoft services?
Compliance is a contractual commitment. Microsoft Standard Contractual Clauses are available to all cloud customers in the Online Services Terms; for other services, see your existing agreement with Microsoft.
What is a 'sub-processor'?
A sub-processor is someone who processes personal data following the data controller's instructions, and the terms of the EU Model Clauses and the subcontract. Microsoft customers—independent software vendors (ISVs), in particular — are sometimes themselves data processors. In those instances, Microsoft is the sub-processor.
Where do I start with my own organization's compliance efforts?
You can enter an agreement such, as the Online Services Terms, or explore amending your existing agreement to incorporate the Standard Contractual Clauses.
- EU Standards Organization
- EU Model Clauses
- EU Data Protection Directive
- European Data Protection Board
- EU Model Clauses FAQ for Dynamics 365 and Office 365
- Microsoft and the EU-U.S. Privacy Shield
- Microsoft Common Controls Hub Compliance Framework
- Microsoft Online Services Terms
- Compliance on the Microsoft Trust Center