
Heuking Kühn Lüer Wojtek

Update Data Protection
IP, Media & Technology

No. 80 | 2020-07-20


Berlin data protection authority criticizes commissioned data processing aspects of Microsoft Office 365
Dr. Hans Markus Wulf


On July 3, 2020, Berlin’s commissioner for data protection and freedom of information published Advice on providers of videoconferencing services. This advice looked closely at the contractual terms and conditions of the providers Cisco, Google, Zoom, and Microsoft.

Facts of the case

Although there was some consideration of technical details, the main issue was the question of whether the providers are using legally compliant contracts for commissioned data processing pursuant to Art. 28 GDPR. The synopsis that starts on page 10 of the advice concluded that the terms and conditions for commissioned data processing that Microsoft currently uses for the Microsoft Teams video function are not legally compliant.

This assessment is interesting because Microsoft currently uses the terms and conditions for commissioned data processing for the entire Microsoft Office 365 package and not just the Microsoft Teams application. Thus, from the perspective of Berlin’s data protection authority, it is not possible to use Microsoft Office 365 in a legally compliant manner. The reasons for this view include inconsistencies in the structure of the documents, Microsoft’s own rights to use the data (joint data controllers?), and non-compliance with minimum GDPR requirements.

Relevance

If companies are still using an installation version of Microsoft Office (on-premise), the above advice will only matter if data access was granted to Microsoft as part of any service agreements, which does not happen as far as we are aware. However, if Microsoft Office 365 is used in the company, the Berlin data protection authority’s latest advice should be heeded because the authority believes that a GDPR breach has been committed that could attract a fine (infringement of Art. 28 GDPR).

Recommended actions

The Berlin supervisory authority’s advice was issued on the subject of videoconferencing systems, so it primarily relates to applications such as Microsoft Teams. There are 15 other supervisory authorities in Germany that may have a different legal opinion (as, for instance, Hesse did recently, when the commissioned data processing terms were worded very similarly). We anticipate that Microsoft will contact the Berlin supervisory authority to agree on a potential amendment to the disputed parts of the contractual documents.

Although it is possible that supervisory authorities may implement measures in respect of the use of Microsoft Teams or Office 365 overall as a direct consequence of the Berlin supervisory authority’s advice, we do not anticipate this as an initial course of action. However, we do expect that the various state supervisory authorities will enter into discussions with one another about Microsoft and commissioned data processing in the near term. That being so, this subject will be monitored over the coming weeks, in particular the pending ECJ judgment (“Schrems II”) on data transfer to third countries on the basis of the EU standard contractual clauses (scheduled for July 16, 2020).

In the meantime, companies that continue to use Office 365, and especially Microsoft Teams, should again review whether the necessary internal measures have been taken to ensure that Office 365 is deployed in a legally compliant manner, for instance by using the Microsoft Compliance Manager (if available in the subscribed package), reducing the corporation’s address book to the national company, deactivating activity and usage reports (to the extent that these enable performance/conduct monitoring), or including the individual Office functionalities (including Teams) in the company’s internal data processing register.


Author


Dr. Hans Markus Wulf is a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.

Contact

T +49 211 600 55-168
F +49 211 600 55-160
E datenschutz@heuking.de

Visit our Website with focus on Data Protection Law:
Microsite Data Protection

Task Force Data Protection
Dr. Christian Appelbaum
Dr. Ubbo Aßmus
Dr. Felix Drefs
Alexa Finke, LL.M.
Regina Glaser, LL.M.
Torsten Groß, LL.M.
Maike Katharina Hinz
Britta Hinzpeter, LL.M.
Dr. Thomas Jansen
Dr. Philip Kempermann, LL.M.
Dr. Lutz Martin Keppeler
Dr. Markus Klinger
Michael Kuska, LL.M., LL.M.
Astrid Luedtke
Marcel Maybaum
Antje Münch, LL.M.
Dr. Søren Pietzcker, LL.M.
Dr. Wolfgang G. Renner, LL.M.
Dr. Dirk Stolz
Dr. Frederik Wiemer
Dr. Florian Winzer
Dr. Hans Markus Wulf














© 2020 Heuking Kühn Lüer Wojtek

PartGmbB von Rechtsanwälten und Steuerberatern*
Georg-Glock-Str. 4, 40474 Düsseldorf

* Data protection information / register details / list of partners: www.heuking.de

Information on how Heuking Kühn Lüer Wojtek handles your personal data,
the purposes for processing your data, the legal basis for processing,
and on your rights can be found at www.heuking.de.
