Share via


Microsoft Support and Professional Services accountability readiness checklist for the GDPR

1. Introduction

This accountability readiness checklist provides a convenient way to access information you may need to support GDPR when using Microsoft Professional Services and Support Services. The checklist is organized using the titles and reference number (in parentheses for each checklist article) of a set of privacy and security controls for personal data processors drawn from:

This control structure is also used to organize the presentation of the internal controls that Microsoft Professional Services implements to support GDPR, which you can download from the Service Trust Portal.

2. Conditions for collection and processing

Category Customer Consideration Supporting Microsoft documentation Addresses GDPR Article(s)
Identify and document purpose (7.2.1) The customer should document the purpose for which personal data is processed. A description of the processing Microsoft performs for you, and the purposes of that processing, that can be included in your accountability documentation.
- Microsoft Products and Services Data Protection Addendum [1]
(5)(1)(b), (32)(4)
Identify lawful basis (7.2.2) The customer should understand any requirements related to the lawful basis of processing, such as whether consent must first be given. A description of processing personal data by Microsoft services for inclusion in your accountability documentation.
- Key Information from Microsoft Professional Services for Professional Services Data Protection Impact Assessments [9]
(5)(1)(a), (6)(1)(a), (6)(1)(b), (6)(1)(c), (6)(1)(d), (6)(1)(e), (6)(1)(f), (6)(3), (6)4)(a), (6)(4)(b), (6)(4)(c), (6)(4)(d), (6)(4)(e), (8)(3), (9)(1), (9)(2)(b), (9)(2)(c), (9)(2)(d), (9)(2)(e), (9)(2)(f), (9)(2)(g), (9)(2)(h), (9)(2)(i), (9)(2)(j), (9)(3), (9)(4), (10), (17)(3)(a), (17)(3)(b), (17)(3)(c), (17)(3)(d), (17)(3)(e), (18)(2), (22)(2)(a), (22)(2)(b), (22)(2)(c), (22)(4)
Determine when consent is to be obtained (7.2.3) The customer should understand legal or regulatory requirements for obtaining consent from individuals prior to processing personal data (when it's required, if the type of processing is excluded from the requirement, etc.), including how consent is collected. Microsoft Professional Services doesn't provide direct support for gaining user consent. (6)(1)(a), (8)(1), (8)(2)
Obtain and record consent (7.2.4) When it's determined to be required, the customer should appropriately obtain consent. The customer should also be aware of any requirements for how a request for consent is presented and collected. Microsoft Professional Services doesn't provide direct support for gaining user consent. (7)(1), (7)(2), (9)(2)(a)
Privacy impact assessment (7.2.5) The customer should be aware of requirements for completing privacy impact assessments (when they should be performed, categories of data that might necessitate one, timing of completing the assessment). Microsoft Professional Services provides guidance as to when and how to determine when to perform a DPIA, and an overview of the DPIA program at Microsoft including the involvement of the DPO, which is provided in the Service Trust Portal Data Protection Impact Assessments (DPIAs) page.

For support for your DPIAs see:
- Key Information from Microsoft Professional Services for Professional Services Data Protection Impact Assessments [9]

Article (35)
Contracts with PII Processors (7.2.6) The customer should ensure that their contracts with processors include requirements for aiding with any relevant legal or regulatory obligations related to processing and protecting personal data. The Microsoft contracts that require us to aid with your obligations under the GDPR, including support for the data subject's rights.
- Microsoft Products and Services Data Protection Addendum [1]
(5)(2), (28)(3)(e), (28)(9)
Records related to processing PII (7.2.7) The customer should maintain all necessary and required records related to processing personal data (for example, purpose, security measures, etc.). Where some of these records must be provided by a sub-processor, the customer should ensure that they can obtain such records. Microsoft Professional Services maintains records necessary to demonstrate compliance and support for accountability under the GDPR. See the Microsoft Professional Services Security Documentation [2] (5)(2), (24)(1), (30)(1)(a), (30)(1)(b), (30)(1)(c), (30)(1)(d), (30)(1)(g), (30)(1)(f), (30)(3), (30)(4), (30)(5)

3. Rights of data subjects

Category Customer Consideration Supporting Microsoft documentation Addresses GDPR Article(s)
Determining PII principals' rights and enabling exercise (7.3.1) The customer should understand requirements around the rights of individuals related to the processing of their personal data. These rights may include things such as access, correction, and erasure. Where the customer uses a third-party system, they should determine which (if any) parts of the system provide tools related to enabling individuals to exercise their rights (for example, to access their data). Where the system provides such capabilities, the customer should utilize them as necessary. The capabilities Microsoft provides to help you support data subject rights.
- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7]
- Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability [11]
(12)(2)
Determining information for PII principals (data subjects) (7.3.2) The customer should understand requirements for the types of information about processing of personal data that is to be available to be provided to the individual. This may include things such as:
• Contact details about the controller or its representative;
• Information about the processing (purposes, international transfer, and related safeguards, retention period, etc.);
• Information on how the principal may access and/or amend their personal data; requesting erasure or restriction of processing; receiving a copy of their personal data, and portability of their personal data
• How and from where the personal data was obtained (if not obtained from the principal directly)
• Information about the right to lodge a complaint and to whom;
• Information regarding corrections to personal data;
• Notification that the organization is no longer in position to identify the data subject (PII principal), in cases where the processing no longer requires the identification of the data subject;
• Transfers and/or disclosures of personal data;
• Existence of automated decision making based solely on automated processing of personal data;
• Information regarding the frequency with which information to the data subject is updated and provided (for example 'just in time' notification, organization defined frequency, etc.)
Where the customer uses third-party systems or processors, they should determine which (if any) of this information may need to be provided by them and ensure that they can obtain the required information from the third party.
Information about Microsoft services that you can include in the data you provide to data subjects.
- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7]
- Key Information from Microsoft Professional Services for Customer Data Protection Impact Assessments [9]
(11)(2), (13)(1)(a), (13)(1)(b), (13)(1)(c), (13)(1)(d), (13)(1)(e), (13)(1)(f), (13)(2)(c), (13)(2)(d), (13)(2)(e), (13)(3), (13)(4), (14)(1)(a), (14)(1)(b), (14)(1)(c), (14)(1)(d), (14)(1)(e), (14)(1)(f), (14)(2)(b), (14)(2)(e), (14)(2)(f), (14)(3)(a), (14)(3)(b), (14)(3)(c), (14)(4), (14)(5)(a), (14)(5)(b), (14)(5)(c), (14)(5)(d), (15)(1)(a), (15)(1)(b), (15)(1)(c), (15)(1)(d), (15)(1)(e), (15)(1)(f), (15)(1)(g), (15)(1)(h), (15)(2), (18)(3), (21)(4)
Providing information to PII principals (7.3.3) The customer should comply with any requirements around how/when/in what form the required information is to be given to an individual related to the processing of their personal data. In cases where a third party may provide required information, the customer should ensure that it is within the parameters required by the GDPR. Templated information about Microsoft Professional Services that you can include in the data you provide to data subjects.
- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7]
- Key Information from Microsoft Professional Services for Customer Data Protection Impact Assessments [9]
(11)(2), (12)(1), (12)(7), (13)(3), (21)(4)
Provide mechanism to modify or withdraw consent (7.3.4) The customer should understand requirements for informing users about their right to access, correct, and/or erase their personal data and for providing a mechanism for which them to do so. If a third-party system is used and provides this mechanism as part of its functionality, the customer should utilize that functionality as necessary. Information about capabilities in Microsoft services that you can use when defining the information you provide to data subjects when requesting consent.
- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7]
(7)(3), (13)(2)(c), (14)(2)(d), (18)(1)(a), (18)(1)(b), (18)(1)(c), (18)(1)(d)
Provide mechanism to object to processing (7.3.5) The customer should understand requirements around rights of data subjects. Where an individual has a right to object to processing, the customer should inform them, and have a way for the individual to register their objection. Information about Microsoft services relating to object to processing that you can include in the data you provide to data subjects.
- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7]
(13)(2)(b), (14)(2)(c), (21)(1), (21)(2), (21)(3), (21)(5), (21)(6)
Sharing the exercising of PII principals' rights (7.3.6) The customer should understand requirements for notifying third-parties with whom personal data has been shared of instances of data modification based on the exercise of individual rights (for example, an individual requesting erasure or modification, etc.) Information about capabilities in Microsoft services that allow you to discover personal data that you have shared with third parties.
- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7]
(19)
Correction or erasure (7.3.7) The customer should understand requirements for informing users about their right to access, correct, and/or erase their personal data and for providing a mechanism for which them to do so. If a third-party system is used and provides this mechanism as part of its functionality, the customer should utilize that functionality as necessary. Information about Microsoft services relating to their ability to access, correct, or erase personal data that you can include in the data you provide to data subjects.
- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7]
Providing copy of PII processed (7.3.8) The customer should understand requirements around providing a copy of the personal data being processed to the individual. These may include requirements around the format of the copy (that is, that it's machine readable), transferring the copy, etc. Where the customer uses a third-party system that provides the functionality to provide copies, they should utilize this functionality as necessary. Information about capabilities in Microsoft services to allow you to obtain a copy of their personal data that you can include in the data you provide to data subjects.- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7] (15)(3), (15)(4), (20)(1), (20)(2), (20)(3), (20)(4)
Request management (7.3.9) The customer should understand requirements for accepting and responding to legitimate requests from individuals related to the processing of their personal data. Where the customer uses a third-party system, they should understand whether that system provides the capabilities for such handling of requests. If so, the customer should utilize such mechanisms to handle requests, as necessary. Information about capabilities in Microsoft services that you can use when defining the information you provide to data subjects as you manage data subject requests.- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7] (12)(3), (12)(4), (12)(5), (12)(6), (15)(1)(a), (15)(1)(b), (15)(1)(c), (15)(1)(d), (15)(1)(e), (15)(1)(f), (15)(1)(g), (15)(1)(h)
Automated decision making (7.3.10) The customer should understand requirements around automated personal data processing and where decisions are made by such automation. These may include providing information about the processing to an individual, objecting to such processing, or to obtain human intervention. Where such features are provided by a third-party system, the customer should ensure that the third party provides any required information or support. Information about any capabilities in Microsoft services for that might support automated decision making that you can use in your accountability documentation, and templated information for data subjects about those capabilities.
- Key Information from Microsoft Professional Services for Customer Data Protection Impact Assessments [9]
(13)(2)(f), (14)(2)(g), (22)(1), (22)(3)

4. Privacy by design and default

Category Customer Consideration Supporting Microsoft documentation Addresses GDPR Article(s)
Limit collection (7.4.1) The customer should understand requirements around limits on collection of personal data (for example, that the collection should be limited to what is needed for the specified purpose). A description of the data collected by Microsoft services.
- Microsoft Products and Services Data Protection Addendum [1]
- Key Information from Microsoft Professional Services for Customer Data Protection Impact Assessments [9]]
(5)(1)(b), (5)(1)(c)
Limit processing (7.4.2) The customer is responsible for limiting the processing of personal data so that it's limited to what is adequate for the identified purpose. A description of the data collected by Microsoft services.
- Microsoft Products and Services Data Protection Addendum [1]
- Key Information from Microsoft Professional Services for Customer Data Protection Impact Assessments [9]
(25)(2)
Define and document PII minimization and de-identification objectives (7.4.3) The customer should understand requirements around de-identification of personal data, which may include, when it should be used, the extent to which it should de-identify, and instances when it cannot be used. Customer is responsible for de-identification before transferring data to Microsoft. Microsoft applies de-identification and pseudonymization internally, where appropriate, to provide additional privacy safeguards for personal data. (5)(1)(c)
Comply with identification levels (7.4.4) The customer should use and comply with de-identification objectives and methods set by their organization. Customer is responsible for de-identification before transferring data to Microsoft. Microsoft applies de-identification and pseudonymization internally, where appropriate, to provide additional privacy safeguards for personal data. (5)(1)(c)
PII de-identification and deletion (7.4.5) The customer should understand requirements around the retention of personal data past its use for the identified purposes. Where provided tooling by the system, the customer should utilize those tools to erase or delete as necessary. Capabilities provided by Microsoft Services to support your data retention policies.
- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7]
(5)(1)(c),(5)(1)(e), (6)(4)(e), (11)(1), (32)(1)(a)
Temporary files (7.4.6) The customer should be aware of temporary files that may be sent to Microsoft that could lead to non-compliance with policies around processing of personal data (for example, personal data might be retained in a temporary file longer than required or allowed). A description of capabilities provided by the service to identify personal data to support your temporary file policies.
- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7]
(5)(1)(c)
Retention (7.4.7) The customer should determine how long personal data should be retained, taking into consideration the identified purposes. Information about the retention of personal data by Microsoft services that you can include in documentation provided to data subjects.
- Microsoft Professional Services Data Protection Addendum [1]
(13)(2)(a), (14)(2)(a)
Disposal (7.4.8) The customer should utilize any deletion or disposal mechanisms provided by the system to delete personal data. Capabilities provided by Microsoft Services to support your data deletion policies.
- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7]
(5)(1)(f)
Collection procedures (7.4.9) The customer should be aware of requirements around the accuracy of personal data (for example, accuracy upon collection, keeping data up-to-date, etc.) and utilize any mechanisms provided by the system for such. How Microsoft services support the accuracy of personal data, and any capabilities they provide to support your data accuracy policy.
- Microsoft Professional Services Data Subject Requests for the GDPR and CCPA [7]
(5)(1)(d)
Transmission controls (7.4.10) The customer should understand requirements around safeguarding the transmission of personal data, including who has access to transmission mechanisms, records of transmission, etc. A description of the types of personal data that are transferred by Microsoft services and the locations they are transferred between, and the legal safeguards for the transfer.
- Key Information from Microsoft Professional Services for Customer Data Protection Impact Assessments [9]
(15)(2), (30)(1)(e), (5)(1)(f)
Identify basis for PII transfer (7.5.1) The customer should be aware of requirements for transferring personal data (PII) to a different geographic location and document what measures are in place to meet such requirements. A description of the types of personal data that are transferred by Microsoft services and the locations they are transferred between, and the legal safeguards for the transfer.
- Key Information from Microsoft Professional Services for Customer Data Protection Impact Assessments [9]
Articles (44), (45), (46), (47), (48), and (49)
Countries and organizations to which PII might be transferred (7.5.2) The customer should understand and be able to provide to the individual, the countries to which personal data is or may be transferred. Where a third-party/processor may perform this transfer, the customer should obtain this information from the processor. A description of the types of personal data that are transferred by Microsoft services and the locations they are transferred between, and the legal safeguards for the transfer.
- Key Information from Microsoft Professional Services for Customer Data Protection Impact Assessments [9]
(30)(1)(e)
Records of transfers of PII (personal data) (7.5.3) The customer should maintain all necessary and required records related to transfers of personal data. Where a third-party/processor performs the transfer, the customer should ensure that they maintain the appropriate records and obtain them as necessary. A description of the types of personal data that are transferred by Microsoft services and the locations they are transferred between, and the legal safeguards for the transfer.
- Key Information from Microsoft Professional Services for Customer Data Protection Impact Assessments [9]
(30)(1)(e)
Records of PII disclosure to third parties (7.5.4) The customer should understand requirements around recording to whom personal data has been disclosed. This may include disclosures to law enforcement, etc. Where a third-party/processor discloses the data, the customer should ensure that they maintain the appropriate records and obtain them as necessary. Documentation provided about the categories of recipients of disclosures of personal data including available records of disclosure.
- Who can access your data and on what terms [6]
(30)(1)(d)
Joint controller (7.5.5) The customer should determine whether they are a joint controller with any other organization, and appropriately document and allocate responsibilities. Microsoft is not a joint controller of personal information provided as part of Support and Professional Services Data. (26)(1), (26)(2), (26)(3)

5. Data protection & security

Category Customer Consideration Supporting Microsoft documentation Addresses GDPR Article(s)
Understanding the organization and its context (5.2.1) Customers should determine their role in processing personal data (for example, controller, processor, co-controller) to identify the appropriate requirements (regulatory, etc.) for processing personal data. How Microsoft considers each service as either a processor or controller when processing personal data.
- Microsoft Products and Services Data Protection Addendum [1]
(24)(3), (28)(10), (28)(5), (28)(6), (32)(3), (40)(1), (40)(2)(a), (40)(2)(b), (40)(2)(c), (40)(2)(d), (40)(2)(e), (40)(2)(f), (40)(2)(g), (40)(2)(h), (40)(2)(i), (40)(2)(j), (40)(2)(k), (40)(3), (40)(4), (40)(5), (40)(6), (40)(7), (40)(8), (40)(9), (40)(10), (40)(11), (41)(1), (41)(2)(a), (41)(2)(b), (41)(2)(c), (41)(2)(d), (41)(3), (41)(4), (41)(5), (41)(6), (42)(1), (42)(2), (42)(3), (42)(4), (42)(5), (42)(6), (42)(7), (42)(8)
Understanding the needs and expectations of interested parties (5.2.2) Customers should identify parties that may have a role or interest in their processing of personal data (for example, regulators, auditors, data subjects, contracted personal data processors), and be aware of requirements to engage such parties where required. How Microsoft incorporates the views of all stakeholders in consideration of the risks involved in the processing of personal data.
- Key Information from Microsoft Professional Services for Customer Data Protection Impact Assessments [9]
(35)(9), (36)(1), (36)(3)(a), (36)(3)(b), (36)(3)(c), (36)(3)(d), (36)(3)(e), (36)(3)(f), (36)(5)
Determining the scope of the information security management system (5.2.3, 5.2.4) As part of any overall security or privacy program that a customer may have, they should include the processing of personal data and requirements relating to it. How Microsoft services include the processing of personal data in information security management and privacy programs.
- Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability [11]
- ISO 27001 Audit Report [10]
(32)(2)
Planning (5.3) Customers should consider the handling of personal data as part of any risk assessment they complete and apply controls as they deem necessary to mitigate risk related to personal data they control. How Microsoft services consider the risks specific to the processing of personal data as part of their overall security and privacy program.
- Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability [11]
(32)(1)(b), (32)(2)
Information Security Policies (6.2) The customer should augment any existing information security policies to include protection of personal data, including policies necessary for compliance with any applicable legislation. Microsoft policies for information security and any specific measures for the protection of personal information.
- Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability [11]
- ISO 27001 Audit Report [10]
24(2)
Organization of Information Security Customer consideration (6.3) The customer should, within their organization, define responsibilities for security and protection of personal data. This may include establishing specific roles to oversee privacy-related matters, including a DPO. Appropriate training and management support should be provided to support these roles. Microsoft has published information on the Microsoft Data Protection Officer, the nature of their duties, reporting structure and contact information.
- Microsoft DPO Information [13]
(37)(1)(a), (37)(1)(b), (37)(1)(c), (37)(2), (37)(3), (37)(4), (37)(5), (37)(6), (37)(7), (38)(1), (38)(2), (38)(3), (38)(4), (38)(5), (38)(6), (39)(1)(a), (39)(1)(b), (39)(1)(c), (39)(1)(d), (39)(1)(e), (39)(2)
Human Resource Security (6.4) The customer should determine and assign responsibility for providing relevant training related to protecting personal data. An overview of the role of Microsoft's Data Protection Officer, the nature of their duties, reporting structure and contact information.
- Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability [11]
- Training and Awareness Program Description [3]
(39)(1)(b)
Classification of Information (6.5.1) The customer should explicitly consider personal data as part of a data classification scheme. How Microsoft considers personal data in data classification, tagging and tracking information.
- Key Information from Microsoft Professional Services for Customer Data Protection Impact Assessments [9]
(39)(1)(b)
Management of removable media (6.5.2) The customer should determine internal policies for the use of removeable media as it relates to the protection of personal data (for example, encrypting devices). How Microsoft services protect the security of personal information on any removeable media.
- Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability [11]
- Microsoft Professional Services Control Set [4]
(32)(1)(a), (5)(1)(f)
Physical media transfer (6.5.3) The customer should determine internal policies for protecting personal data when transferring physical media (for example, encryption). How Microsoft services protect personal data during any transfer of physical media.
- Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability [11]
- Microsoft Professional Services Control Set [4]
(32)(1)(a), (5)(1)(f)
User access management (6.6.1) The customer should be aware of which responsibilities they have for access control within the service they are using, and manage those responsibilities appropriately, using the tools available. The tools provided by Microsoft services to help you enforce access control.
- Microsoft Professional Services Security Documentation [2]
(5)(1)(f)
User registration and de-registration (6.6.2) The customer should manage user registration and de-registration within the service they utilize, using the tools available to them. The tools provided by Microsoft services to help you enforce access control.
- Microsoft Professional Services Security Documentation [2]
(5)(1)(f)
User access provisioning (6.6.3) The customer should manage user profiles, especially for authorized access to personal data, within the service they utilize, using the tools available to them. How Microsoft services support formal access control to personal data, including user IDs, roles, and the registration and de-registration of users.
- Microsoft Professional Services Security Documentation [2]
(5)(1)(f)
Management of privileged access (6.6.4) The customer should manage user ID's to facilitate tracking of access (especially to personal data), within the service they utilize, using the tools available to them. How Microsoft services support formal access control to personal data, including user IDs, roles, and the registration and de-registration of users.
- Microsoft Professional Services Security Documentation [2]
(5)(1)(f)
Secure log on procedures (6.6.5) The customer should utilize provided mechanisms in the service to ensure secure log on capabilities for their users where necessary. How Microsoft services support internal access control policies related to personal data.
- Who can access your data and on what terms [6]
(5)(1)(f)
Cryptography (6.7) The customer should determine which data may need to be encrypted, and whether the service they are utilizing offers this capability. The customer should utilize encryption as needed, using the tools available to them. How Microsoft services support encryption and pseudonymization to reduce the risk of processing personal data.
- Microsoft Professional Services Security Documentation [2]
(32)(1)(a)
Secure disposal or reuse of equipment (6.8.1) Where the customer uses cloud computing services (PaaS, SaaS, IaaS) they should understand how the cloud provider ensures that personal data is erased from storage space prior to that space being assigned to another customer. How Microsoft Professional Services ensures that personal data is erased from storage equipment before that equipment is transferred or reused, when utilizing Microsoft Azure cloud computing services during professional services.
- Microsoft Professional Services Security Documentation [2]
(5)(1)(f)
Clear desk and clear screen policy (6.8.2) The customer should consider risks around hardcopy material that displays personal data, and potentially restrict the creation of such material. Where the system in use provides the capability to restrict this (for example, settings to prevent printing or copying/pasting of sensitive data), the customer should consider the need to utilize those capabilities. What Microsoft implements to manage hardcopy.
- Microsoft maintains these controls internally, see Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability [11]
- Microsoft Professional Services GDPR Control Set [4]
(5)(1)(f)
Separation of development, testing, and operational environments (6.9.1) The customer should consider the implications of using personal data in development and testing environments within their organization. How Microsoft ensures that personal data is protected in development and test environments.
- Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability [11]
- Microsoft Professional Services Control Set [4]
(5)(1)(f)
Information backup (6.9.2) The customer should ensure that they use system provided capabilities to create redundancies in their data and test as necessary. How Microsoft ensures the availability of data that may include personal data, how accuracy of restored data is ensured, and the tools and procedures Microsoft services provide to allow you to back up and restore data.
- Microsoft Enterprise Business Continuity Management Documentation [5]
(32)(1)(c), (5)(1)(f)
Event logging (6.9.3) The customer should understand the capabilities for logging provided by the system and utilize such capabilities to ensure that they can log actions related to personal data that they deem necessary. The data Microsoft service records for you, including user activities, exceptions, faults and information security events, and how you can access those logs for use as part of your record keeping.
- Microsoft Professional Services Security Documentation [2]
- Microsoft Professional Services Control Set [4]
(5)(1)(f)
Protection of log information (6.9.4) The customer should consider requirements for protecting log information that may contain personal data or that may contain records related to personal data processing. Where the system in use provides capabilities to protect logs, the customer should utilize these capabilities where necessary. How Microsoft protects logs that may contain personal data.
- Microsoft Professional Services Security Documentation[2]
- Microsoft Professional Services Control Set [4]
(5)(1)(f)
Information transfer policies and procedures (6.10.) The customer should have procedures for cases where personal data may be transferred on physical media (such as a hard drive being moved between servers or facilities). These may include logs, authorizations, and tracking. Where a third-party or other processor may be transferring physical media, the customer should ensure that that organization has procedures in place to ensure security of the personal data. How Microsoft services transfer physical media that may contain personal data, including the circumstances when transfer might occur, and the protective measures taken to protect the data.
- Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability [11]
- Microsoft Professional Services Control Set [4]
(5)(1)(f)
Confidentiality or non-disclosure agreements (6.10.2) The customer should determine the need for confidentiality agreements or the equivalent for individuals with access to or responsibilities related to personal data. How Microsoft services ensure that individuals with authorized access to personal data have committed themselves to confidentiality.
- Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability [11]
- Microsoft Professional Services Control Set [4]
(5)(1)(f), (28)(3)(b), (38)(5)
Securing application services on public networks (6.11.1) The customer should understand requirements for encryption of personal data, especially when sent over public networks. Where the system provides mechanisms to encrypt data, the customer should utilize those mechanisms where necessary. Descriptions of the measures Microsoft services take to protect data in transit, including encryption of the data, and how Microsoft services protect data that may contain personal data as it passes through public data networks, including any encryption measures.
- Microsoft Professional Services Security Documentation [2]
(5)(1)(f), (32)(1)(a)
Secure system engineering principles (6.11.2) The customer should understand how systems are designed and engineered to consider protection of personal data. Where a customer uses a system engineered by a third party, it is their responsibility to ensure that such protections have been considered. How Microsoft services include personal data protection principles as a mandatory part of our secure design/engineering principles.
- Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability [11]
- What is the Security Development Lifecycle?
(25)(1)
Supplier Relationships (6.12) The customer should ensure that any information security and personal data protection requirements and that are the responsibility of a third party are addressed in contractual information or other agreements. The agreements should also address the instructions for processing. How Microsoft services address security and data protection in our agreements with our suppliers and how we ensure that those agreements are effectively implemented.
- Who can access your data and on what terms [6]
(5)(1)(f), (28)(1), (28)(3)(a), (28)(3)(b), (28)(3)(c), (28)(3)(d), (28)(3)(e), (28)(3)(f), (28)(3)(g), (28)(3)(h),(30)(2)(d), (32)(1)(b)
Management of information security incidents and improvements (6.13.1) The customer should have processes for determining when a personal data breach has occurred. How Microsoft services determine if a security incident is a breach of personal data, and how we communicate the breach to you.
- Microsoft Professional Services and Breach Notification Under the GDPR [8]
(33)(2)
Responsibilities and procedures (during information security incidents) (6.13.2) The customer should understand and document their responsibilities during a data breach or security incident involving personal data. Responsibilities may include notifying required parties, communications with processors or other third-parties, and responsibilities within the customer's organization. How to notify Microsoft services if you detect a security incident or breach of personal data.
- Microsoft Professional Services and Breach Notification Under the GDPR [8]
(5)(1)(f), (33)(1), (33)(3)(a), (33)(3)(b), (33)(3)(c), (33)(3)(d), (33)(4), (33)(5), (34)(1), (34)(2), (34)(3)(a), (34)(3)(b), (34)(3)(c), (34)(4)
Response to information security incidents (6.13.3) The customer should have processes for determining when a personal data breach has occurred. Description of the information Microsoft services provides to help you decide if a breach of personal data has occurred.
- Microsoft Professional Services and Breach Notification Under the GDPR [8]
(33)(1), (33)(2), (33)(3)(a), (33)(3)(b), (33)(3)(c), (33)(3)(d), (33)(4), (33)(5), (34)(1), (34)(2)
Protection of records (6.15.1) The customer should understand the requirements for records related to personal data processing that need to be maintained. How Microsoft services store records relating to the processing of personal data.
- Microsoft Professional Services Security Documentation [2]
(5)(2), (24)(2)
Independent review of information security (6.15.2) The customer should be aware of requirements for assessments of the security of personal data processing. This may include internal or external audits, or other measures for assessing the security of processing. Where the customer is dependent on another organization of third party for all or part of the processing, they should collect information about such assessments performed by them. How Microsoft services test and assesses the effectiveness of technical and organizational measures to ensure the security of processing, including any audits by third parties.
- Microsoft Professional Services Data Protection Addendum [1]
(32)(1)(d), (32)(2)
Technical compliance review (6.15.3) The customer should understand requirements for testing and evaluating the security of processing personal data. This may include technical tests such as penetration testing. Where the customer uses a third-party system or processor, they should understand what responsibilities they have for securing and testing the security (for example, managing configurations to secure data and then testing those configuration settings). Where the third party is responsible for all or part of the security of processing, the customer should understand what testing or evaluation the third party performs to ensure the security of the processing. How Microsoft services are tested security based on identified risks, including tests by third parties, and the types of technical tests.
- For a listing of external certifications, see Microsoft Trust Center Compliance offerings [12]
- For more information about vulnerability testing your applications, see Microsoft Professional Services Security Documentation [2]
(32)(1)(d), (32)(2)
ID Description/Links Notes
1 Microsoft Products and Services Data Protection Addendum
2 Microsoft Professional Services Security Documentation
3 Training and Awareness Program Description Available on request through customer's account management team.
4 Microsoft Professional Services GDPR Control Set
5 Microsoft Enterprise Business Continuity Management Documentation Available on request through customer's account management team.
6 Who can access your data and on what terms
7 Microsoft Professional Services Data Subject Requests for the GDPR and CCPA
8 Microsoft Professional Services and Breach Notification Under the GDPR
9 Key Information from Microsoft Professional Services for Customer Data Protection Impact Assessments
10 ISO 27001 Audit Report
11 Microsoft Professional Services ISO/IEC 27001:2013 ISMS Statement of Applicability SOA on request through customer's account management team.
12 Microsoft Trust Center Compliance offerings
13 Microsoft DPO Information

Learn more