The September update of Microsoft’s Product Terms and Online Service Terms (OST) both include updates related to the GDPR – the General Data Protection Regulation.
The GDPR contains rules – some new, some existing – focused around data protection…something which is key when it comes to Online Services and the Cloud.
As of September 2017, Microsoft have added a 19th section to their “Universal License Terms” which says:
“To the extent Microsoft is a processor or subprocessor of personal data in connection with a Product or the provision of Professional Services, Microsoft makes the commitments in the European Union General Data Protection Regulation Terms in Attachment 4 of the Online Services Terms to all customers effective May 25, 2018.”
As Rowenna Fielding, Data Protection Lead at Protecture Limited, commented on LinkedIn,
“Data Controllers will need to ensure they have worked out the boundaries of the “extent to which Microsoft is a Processor or sub-Processor” though” to ensure compliance.
She goes on to say that “A lot of potential ‘gotchas’ are lurking in generic Ts&Cs” which I think shows that it is important for organisations to ensure they read and understand vendor terms and how they apply in real life scenarios.
The Product Terms entry above refers to the OST, and it is there we find more detailed information on page 36, “Attachment 4: European Union General Data Protection Regulation Terms”.
Section C of this attachment covers Microsoft’s obligations in relation to articles 28, 32 and 33 of the GDPR. In here, Microsoft commit to:
The GDPR brings with it a requirement for data controllers to notify data subjects (and authorities) in the event of a data breach; something that doesn’t currently exist under the European Data Protection Directive.
Microsoft commit to alerting their customers of such an event “without undue delay” (as per the GDPR) and that this notice will, at a minimum:
Microsoft have made public a list of all their Subprocessors, which is available here – https://aka.ms/Online_Serv_Subcontractor_List
This document shows the company, their location(s) and the function(s) they perform.
Microsoft state that at least 14 days before any new Subprocessor can access Personal Data, the list will be updated and there will be a mechanism for customers to receive notification of these updates.
If a customer doesn’t approve of a Subprocessor, they are entitled to terminate – without penalty or requirement for future payment – any subscriptions for the affected Online Service. If the service is part of a suite (such as Office 365 E3 or E5), the whole suite will be terminated.
This potentially adds an additional governance/compliance element for organisations – ensuring they approve of all potential Subprocessors as part of the product evaluation process.
Microsoft certainly seem to be making it clear what they see as their obligations under the new GDPR rules, and making it straightforward to their customers to find.
One thing I don’t know, and would be keen to learn, is whether any of this is over and above what is required by the GDPR. That is, are Microsoft going the extra mile with their GDPR provisions or are they simply complying with the regulations?
I’ll be keeping an eye on the other major Cloud vendors to see how, and when, they make their GDPR terms available – and how they compare.
It’s good to see Microsoft making it straightforward for customers to access this information, and that it’s being included in their 2 “go-to” T&Cs documents.
I think this highlights a couple of things:
The Microsoft Product Terms and Online Service Terms can be downloaded here.