Description

Published German Data Protection Conference Report on Microsoft 365 and GDPR compliance

On 25 November 2022, the German Data Protection Conference (Datenschutzkonferenz, DSK), which is composed of German data protection regulators, published a report concerning Microsoft Online Services. The report concludes that Microsoft 365 has not been able to provide proof of compliance with the EU General Data Protection Regulation (GDPR). In particular, the DSK noted that the necessary transparency about Microsoft's processing, for its own purposes, of personal data from commissioned processing cannot be established, and that the lawfulness of this processing cannot be proven. The DSK stated that it was unable to determine in which cases Microsoft acts as a data controller and in which cases it acts as a data processor. Moreover, the DSK raised concerns about Microsoft's large-scale collection of telemetry and diagnostic data for self-interested purposes, and about data transfers by Microsoft outside the EU to countries where data would not be adequately protected.

Original source

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: software provider: other software
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2022-11-25
under investigation

On 25 November 2022, the German Data Protection Conference (Datenschutzkonferenz, DSK), comprised o…