a work group German privacy regulators rule that Microsoft 365 is not GDPR compliant without additional technical measures.
European companies, governments and schools must take action to continue using Microsoft 365. This is the conclusion of a data protection assessment recently approved by Germany’s national and regional privacy regulators.
The conclusion is relevant for German Microsoft 365 customers. Privacy regulators can pressure institutions into new contracts. The same applies to any other European member state, because the AVG/GDPR is valid throughout the EU. Supervisors in the Netherlands are also investigating whether cloud services comply with the rules.
The German research is part of an initiative by the European Data Protection Board (EDPB), the EU’s top privacy regulator. The EDPB monitors the use of cloud services among European governments and agencies.
Data transfers are still an issue
Microsoft published a new version of its data processing agreement in September. The change was necessary to continue serving European customers.
Cloud providers such as Google and Microsoft process European personal data in the US, but this is generally prohibited by the General Data Protection Regulation (GDPR). Standard contractual clauses provide a detour. Microsoft’s revised Data Processing Agreement contains the most recent Standard Contractual Clauses from the European Commission.
Before 2020, it was easier for organizations to exchange data between the US and the EU. That year, the Privacy Shield was declared invalid. Recent legislative changes in the United States have made it possible to create a new privacy shield. Brussels and Washington are currently working on an agreement.
