Respond to GDPR Data Subject Rights (DSRs) requests

Note

Microsoft Flow is now Power Automate. For more information, see this blog.

This content will be updated to reflect the branding change in the coming days.

This article describes the European Union's General Data Protection Regulation (GDPR) and provides steps you can take to support GDPR compliance for Power Automate users who authenticate with Microsoft Accounts (MSA).

Prerequisites

You need an MSA with a free Power Automate license to perform the steps in this article.

Tip

GDPR compliance information is also available for users who authenticate with Azure Active Directory accounts.

Respond to DSRs for Power Automate customer data

A data subject's formal request to a controller to take an action on their personal data is called a Data Subject Rights (DSR) request. GDPR defines personal data as any data that relates to an identified or identifiable natural person. The GDPR gives people (known as data subjects) rights to manage the personal data that's collected by an employer, agency, or organization (known as the data controller or the controller). These rights include:

  • Obtaining copies of personal data.
  • Requesting corrections to personal data.
  • Restricting processing of personal data.
  • Deleting personal data.
  • Receiving personal data in an electronic format so that it can be moved to another controller.

Microsoft provides products, services, and tools to help controllers find and act on personal data when responding to DSR requests for data that lives in the cloud.

Here’s an overview of the processes outlined in this guide:

  1. Discover: Use search and discovery tools to easily find customer data that may be the subject of a DSR request. If you determine that the documents you collect meet your controller guidelines for taking action, you can perform one or more of the DSR actions described in the following steps. Learn more in the Power Automate DSR Discovery documentation for Microsoft Accounts. Alternatively, you may determine that the request doesn’t meet your controller guidelines for responding to DSR requests.

  2. Access: Retrieve personal data that resides in the Microsoft cloud and, if requested, make a copy of it so that it can be available to the data subject.

  3. Rectify: Make changes or implement other requested actions on the personal data, where applicable.

  4. Restrict: Restrict the processing of personal data, either by removing licenses for various online services or turning off the desired services where possible. You can also remove data from the Microsoft cloud and retain it on-premises or at another location.

  5. Delete: Permanently remove personal data that resides in Microsoft's cloud. Learn more about deleting personal data for Microsoft Accounts. Learn more about closing a Microsoft Account.

  6. Export: Provide an electronic copy (in a machine-readable format) of personal data. Learn more about exporting personal data for Microsoft Accounts.