The data protection conference of the federal and state governments (DSK) has repeatedly stated that institutions such as authorities, schools and companies cannot easily “use Microsoft Office 365 in a legally compliant manner”. Those responsible must therefore take additional protective measures, especially with regard to the requirements for processing on behalf of a controller (Auftragsverarbeitung) that apply to the cloud-connected office suite. Lower Saxony’s data protection officer, Denis Lehmkemper, who took office in mid-September, has now published a handout together with six other supervisory authorities. The supervisory authorities primarily want to support controllers in pushing for contractual changes with Microsoft along the lines of the DSK’s “problem breakdown”.
The data protection requirements for MS 365 are aimed “not only at Microsoft as the manufacturer and distributor of the software”, but also at the public and private bodies that use it “as those responsible for data protection”, the authorities explain at the outset of the 21-page document. Changes or additions to the contractual terms and conditions with Microsoft naturally depend on the software company agreeing to them as a contractual partner. Nevertheless, it is incumbent on controllers to “use all options available to them” to push for data protection-compliant agreements in the controversial “Microsoft Products and Services Data Protection Addendum” (DPA).
Specifically, according to the paper, the deletion periods must be contractually adjusted, i.e. generally shortened. Exceptions should be “restricted and specified”. Where necessary, “specific measures” must be incorporated into the controller’s own deletion processes. The authorities also describe what information about the use of sub-processors is required: for example, the sub-processor’s name and address along with details of the contact person would have to be listed. Also required are a description of the processing in question and a clear identification of the product or function concerned, including a clear demarcation of responsibilities and shares of responsibility.
Implementation of technical and organizational measures
Another important aspect is how Microsoft handles processing for its own business purposes. Here, the controller must first establish which personal data the manufacturer collects, to what extent, and whether it evaluates them. It must then be assessed whether there is a legal basis for making this information available. All processing purposes for which no such basis can be found “must be contractually excluded and technically prevented”. All consent-based processing operations for Microsoft’s own purposes would have to be “able to be activated and deactivated via configuration.” The authorities do not yet address the potential effects of the new transatlantic data protection framework.
A further focus is the implementation of technical and organizational measures in accordance with Article 32 of the General Data Protection Regulation (GDPR): the contract must specify which personal information, in addition to the user data, serves to ensure security. The controller can identify content data itself, but will probably need Microsoft’s support to list login or diagnostic data. It should also be clarified which information is used, and how, for “troubleshooting” and “promoting security”. In general, controllers should check whether solutions that allow Microsoft products to be operated on their own IT infrastructure can be considered. The data protection officers strongly recommend the use of pseudonymous email addresses as well as a ban on the use of private Microsoft accounts and the “Bring your own device” (BYOD) concept in business areas.