Data protection impact assessment (DPIA) using Microsoft 365 as an example

Although there are countless software programmes for businesses, few are as widely used as the former Microsoft Office and its successor, Microsoft 365. However, frequent and widespread use in businesses and private settings does not mean that Microsoft 365 can be used without concern. Because of certain data protection risks associated with its use by businesses, a data protection impact assessment (DPIA) in accordance with Art. 35 GDPR must generally be conducted in advance. This article explains the process.


Why is a Data Protection Impact Assessment (DPIA) so important for Microsoft 365?

The DPIA is an integral part of the mandatory data protection programme. It identifies and evaluates particularly risky processing operations, ultimately helping to reduce risks effectively.

With regard to Microsoft 365, the DPIA is also coming into focus because critical voices have identified data protection risks in the cloud software suite, which comprises many applications, including Word, Excel, Outlook, OneDrive, and the video conferencing tool Teams (see, for example, the statement by the Data Protection Conference (DSK)).

These data protection concerns and risks will still essentially exist in 2025. Microsoft has already made improvements in many areas, such as introducing a new 'data protection addendum' to address concerns about the contracts, and the EU Data Boundary programme, which ensures that the majority of processing for EU customers takes place within the EU. Nevertheless, customers, as the controllers responsible under data protection law, must fulfil their legal obligations in order to use Microsoft 365 lawfully, and the DPIA can provide crucial assistance in this regard.

Copilot for M365

Additionally, M365 raises new questions regarding the use of artificial intelligence. This is because its various services and functions are regularly updated and expanded. One significant innovation is Microsoft Copilot, which enhances various Microsoft applications with AI chat capabilities, particularly Office applications and Microsoft Teams.

This raises specific challenges regarding access permissions, meeting recordings and evaluations, and linking to third-party services, which we discuss in detail in a separate blog post.

Microsoft 365 in schools

The 2023 Annual Report of the Berlin Commissioner for Data Protection and Freedom of Information contains a particularly significant negative data protection assessment of the use of Microsoft 365 in schools. Not only does Microsoft process personal data on behalf of the controller (i.e. the respective school), it also processes personal data for its own purposes.

Some data protection supervisory authorities hold the opinion that Microsoft 365 cannot currently be used in schools in compliance with data protection regulations. A particular problem is establishing whether there is an adequate legal basis. The extent to which this criticism is justified, and whether Microsoft 365 can be used in a way that complies with data protection regulations, will be explained below.


The necessity of a DPIA for MS365

According to Art. 35(1) GDPR, a DPIA must be conducted only if the intended processing operations are likely to result in a high risk to the rights and freedoms of natural persons, 'particularly when using new technologies, due to the nature, scope, context and purposes of the processing'.

This can involve direct risks to personal data (e.g. disclosure, loss of control or surveillance), as well as economic and societal damage (e.g. fraud or discrimination).

However, the specific scope of data processing depends on the modules used, the licence agreements concluded, the settings configured and numerous other variables. Therefore, when using Microsoft 365, there is no automatic obligation to conduct a DPIA; rather, the question must be assessed in advance for each individual case. To determine whether a DPIA is necessary, the following stepwise approach is recommended:

  1. Authorities' positive list: The Data Protection Conference's (DSK) positive list names, with binding effect, processing activities for which a DPIA is mandatory. Examples of cases on the positive list include processing data subject to social, professional or official secrecy; biometric and genetic data; processing using artificial intelligence or algorithms; and merging large amounts of data.
  2. Legal necessity: Article 35(3) GDPR also lists further processing operations for which a DPIA is mandatory, such as profiling, processing special categories of personal data (Article 9 GDPR) and the systematic and extensive monitoring of publicly accessible areas.
  3. Threshold analysis: If a DPIA is not mandatory for the intended processing either by law or according to the authorities' positive list, a threshold analysis must be conducted based on a list of criteria published by the Article 29 Data Protection Working Party and endorsed by the European Data Protection Board (see p. 10 ff.). These criteria include systematic monitoring, evaluating natural persons (e.g. through profiling), processing highly personal data, and using new technological solutions (e.g. fingerprint and facial recognition). If at least two of these criteria are met, a DPIA should be conducted.
  4. General necessity test: If the threshold analysis is negative, the necessity of a DPIA should still be reviewed against the general criteria of Art. 35(1) GDPR.

Using Microsoft 365 does not clearly fall under any of the case groups on the DSK's positive list. However, the threshold analysis generally indicates that a Data Protection Impact Assessment (DPIA) must be conducted for the use of Microsoft 365 in companies. For example, when using Outlook or Teams, large-scale data processing quickly occurs (criterion 5 from the threshold analysis), involving the data of employees, external partners and guests.

Microsoft 365 processes contact data such as email addresses, usage data such as metadata on the creation and modification of files, and content data such as documents and files on a significant scale and over a long period of time. Furthermore, the supervisory authorities consider employees to be data subjects requiring particular protection due to their special dependency on their employer (criterion 7 from the threshold analysis). These two aspects alone regularly require a DPIA when using Microsoft 365.

If Copilot is also used with M365, the criterion 'innovative use or application of new technological or organisational solutions' will also generally be relevant. This is another criterion for conducting a DPIA as part of the threshold analysis.

Nevertheless, a preliminary assessment of whether a DPIA is necessary should be carried out for each individual case based on the specific planned use and comprehensively documented. The threshold analysis can determine the focus of the DPIA. If a DPIA is necessary due to the volume of data and processing of employee data, this should be the focus.
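The stepwise necessity test above, written out as an added example that is not part of the original article. The criterion numbering follows the Article 29 Working Party's WP248 rev.01 list (the article itself refers to criteria 5, 7 and the 'innovative use' criterion, 8); the scenarios at the bottom are constructed, and the outcome of step 3 also records which criteria were met so that the DPIA's focus can be derived from them.

```python
# Added example (not from the original article): four-step DPIA necessity test.
# Criterion numbers follow the Article 29 WP248 rev.01 threshold-analysis list.
from dataclasses import dataclass, field

WP248_CRITERIA = {
    1: "evaluation or scoring",
    2: "automated decision-making with legal or similar effect",
    3: "systematic monitoring",
    4: "sensitive or highly personal data",
    5: "data processed on a large scale",
    6: "matching or combining datasets",
    7: "data concerning vulnerable data subjects (e.g. employees)",
    8: "innovative use of new technological or organisational solutions",
    9: "processing that prevents exercise of a right or use of a service",
}

@dataclass
class Processing:
    name: str
    on_dsk_positive_list: bool = False            # step 1: DSK positive list
    art35_3_case: bool = False                    # step 2: Art. 35(3) GDPR case
    criteria: set = field(default_factory=set)    # step 3: WP248 criteria met
    art35_1_high_risk: bool = False               # step 4: general Art. 35(1) view

def dpia_required(p: Processing):
    """Return (required, deciding_step, focus) for the first step that decides.
    'focus' is the list of WP248 criteria met, which the article says should
    set the focus of the DPIA; it is empty when another step decides."""
    if p.on_dsk_positive_list:
        return True, 1, []
    if p.art35_3_case:
        return True, 2, []
    met = sorted(c for c in p.criteria if c in WP248_CRITERIA)
    if len(met) >= 2:                              # two or more criteria -> DPIA
        return True, 3, [WP248_CRITERIA[c] for c in met]
    # Threshold analysis negative: fall back to the general Art. 35(1) test.
    return p.art35_1_high_risk, 4, [WP248_CRITERIA[c] for c in met]

# Constructed scenarios: Outlook/Teams for all staff (5), employee data (7),
# Copilot (8) versus a small pilot that touches employee data only.
M365_WITH_COPILOT = Processing("Microsoft 365 incl. Copilot, whole company", criteria={5, 7, 8})
SMALL_PILOT = Processing("Word/Excel pilot, five volunteers", criteria={7})

if __name__ == "__main__":
    for p in (M365_WITH_COPILOT, SMALL_PILOT):
        required, step, focus = dpia_required(p)
        print(f"{p.name}: DPIA required={required} (decided at step {step}); focus={focus}")
```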

The methodology of a data protection impact assessment (DPIA)

The DPIA methodology can be found in Articles 35(2) and (7) GDPR. Four mandatory components can be derived from these provisions. First, there must be a systematic description of the data processing operations and their purposes, as well as an assessment of their necessity and proportionality. Next comes the central component, the risk analysis. As the GDPR itself does not provide precise methodological specifications, the risk analysis can be based, for example, on the standard data protection model of the Data Protection Conference (DSK) or on comparable methods. The probability of damage occurring and its likely extent can then be determined using eight safeguarding objectives from the areas of information security and data protection. The more fully these objectives are met, the lower the risk is assessed.

  • Confidentiality: data is accessible only to authorised persons
  • Availability: data remains available when it is needed
  • Resilience: technical systems withstand disruption
  • Integrity: no unauthorised modification of data
  • Transparency: traceability of who processes which data for what purpose, and comprehensive information for data subjects
  • Data minimisation: data is processed only to the extent necessary for the originally intended purposes
  • Intervention capability: the rights of data subjects are guaranteed
  • Non-linking: unauthorised linking with other data and use for other purposes is prevented

Initially, it is important to conduct the analysis according to the DSK methodology without including any remedial measures. These are then determined based on the probability of occurrence and severity of the potential risk. The residual risk is then assessed, taking into account the technical and organisational measures taken or planned to mitigate the risks. If high residual risk remains and data processing is to be carried out anyway, the data protection authority must be consulted.

DPIA for Microsoft 365

The extent to which Microsoft 365 is used varies from case to case. The DPIA assessment changes depending on various factors, such as the number of employees using the software, the modules deployed and the processing purposes pursued. These factors should always be taken into account. Software such as 'Power BI' is also part of Microsoft 365 but serves different purposes from the classic Office suite of Word, Excel and PowerPoint.

What data is processed, and for what purposes?

First and foremost, it is important to document the data being processed. This should include a record of which Microsoft 365 tools are in use, who uses them, and who has access to them. Microsoft 365 processes many different types of data.

This can include content and customer data, such as text, chat, audio, video and image files, as well as usage data, such as telemetry, diagnostic data and metadata, including information about software usage and the time of file creation. Temporary functional data may also be collected, particularly for internet-based services, such as when logging in. Accordingly, the purposes of this data processing must also be differentiated.

For example, diagnostic data could be collected to provide the necessary support through measures such as troubleshooting. OneDrive processes data in order to synchronise files on the PC with the cloud, while Teams offers a chat function and serves as a platform for audiovisual communication between different people. The overarching purpose of the Microsoft 365 components is often to facilitate collaboration and communication between employees, customers, partners and service providers of the respective company via a single platform. However, the purpose description should be specified further depending on the intended use.

Risk analysis and remedial measures

Once the risk has been determined based on criteria such as the number of people involved or the type of data processed, appropriate remedial measures must be defined in light of the safeguarding objectives. As the technical measures are primarily implemented by Microsoft itself, companies are largely limited to organisational measures and to configuration; in particular, the level of data protection can be raised via the Microsoft 365 settings.

Additionally, the licensee can select the data centres in which Microsoft stores the data. In principle, this allows the data to be processed in the EU. However, it should be noted that there is still a possibility that data could be transferred to the USA via access by external service providers or Microsoft Corporation.

Even after the introduction of the EU Data Boundary in 2023, a small number of use cases involving third-country data will remain, either because the EU Data Boundary allows a few exceptions for transfers to the USA, or because certain services are exempt from it. However, an adequacy decision for transfers to the USA has been in effect since 2023, and Microsoft Corporation is certified under the EU-US Data Privacy Framework.

The following settings can be configured or deactivated to counteract data protection risks when using Microsoft 365, for example:

  • The processing of diagnostic data should be kept to a minimum. The settings provide the option to specify 'Neither' for diagnostic data processing.
  • Telemetry data synchronisation should be deactivated. Select the 'Security' setting here.
  • Microsoft's Customer Experience Improvement Program (CEIP) is an application designed to improve the user experience. It automatically transmits information about software usage, components and devices. This includes information such as the type and number of errors that occur, and the speed of Microsoft services. According to Microsoft, this data is anonymous, but transmission can and should be deactivated.
  • Connected Experiences analyse user content to 'provide design recommendations, editing suggestions, data insights, and similar functions'. As this involves processing content data, this application should also be deactivated without prior review. However, this can have negative consequences in certain circumstances, as some services, such as 3D maps, the embedding of online images and videos, and translators, will no longer be available.
  • Integration of employee accounts with LinkedIn should also be disabled.
  • Viva Insights provides analytics tools for evaluating work behaviour by merging information from email accounts, documents and calendars, such as meeting duration, appointment numbers or email interaction intensity. These tools should generally not be used as they could lead to behavioural and performance monitoring.
  • Usernames should be hidden in activity reports, which provide information about which employees use which services and how frequently.

In addition to adjusting Microsoft's settings, companies can implement various other mitigating measures. For instance, creating a comprehensive role and permissions concept is crucial to ensure that data is only accessible to those who require it for their tasks.

Furthermore, data retention and deletion should be reviewed and regulated, for example through retention labels and retention policies. Measures to increase IT security are also relevant, particularly with regard to encryption, multi-factor authentication and device management, such as the use of Intune.

Finally, employees should also be considered. Effective measures that licensees can take include providing appropriate data protection notices and guidelines for using Microsoft 365, as well as risk awareness training. With regard to the use of AI, additional guidelines for using artificial intelligence with Copilot are also recommended.

Conclusion on the DPIA for M365

Returning to the DSK's criticism: The assessment does not differentiate between the various Microsoft 365 applications, nor does it refer to the latest version of Microsoft's standard contracts. Furthermore, the relevant data processing activities were not reviewed. Due to the many options for increasing the level of data protection, legally compliant use is certainly possible.

However, a DPIA with concrete remedial measures is likely to be a prerequisite in many cases. Companies should address this early on in practice to avoid the risk of legal violations and associated fines. While a certain amount of effort is to be expected, the DPIA can identify, reassess and resolve not only data protection-related issues, but also organisational and other problems. Therefore, a DPIA can lead not only to a higher level of data protection, but also to improved processes and better overall compliance within the company.

We would be happy to advise you on all DPIA-related matters and, drawing on our many years of experience, help you to implement it professionally, successfully and efficiently.
