The September update of Microsoft’s Product Terms and Online Service Terms (OST) both include updates related to the GDPR – the General Data Protection Regulation.
The GDPR contains rules – some new, some existing – focused around data protection…something which is key when it comes to Online Services and the Cloud.
Microsoft GDPR Product Terms
As of September 2017, Microsoft have added a 19th section to their “Universal License Terms” which says:
“To the extent Microsoft is a processor or subprocessor of personal data in connection with a Product or the provision of Professional Services, Microsoft makes the commitments in the European Union General Data Protection Regulation Terms in Attachment 4 of the Online Services Terms to all customers effective May 25, 2018.”
“Data Controllers will need to ensure they have worked out the boundaries of the “extent to which Microsoft is a Processor or sub-Processor” though” to ensure compliance.
She goes on to say that “A lot of potential ‘gotchas’ are lurking in generic Ts&Cs” which I think shows that it is important for organisations to ensure they read and understand vendor terms and how they apply in real life scenarios.
Online Service Terms
The Product Terms entry above refers to the OST, and it is there we find more detailed information on page 36, “Attachment 4: European Union General Data Protection Regulation Terms”.
Section C of this attachment covers Microsoft’s obligations in relation to articles 28, 32 and 33 of the GDPR. In here, Microsoft commit to:
- Only transferring Personal Data to a 3rd country only by instruction of the customer, or if required to do so by a Union/Member State law.
- Assisting customers with fulfilling their obligations to respond to requests from data subjects (end users)
- Providing customers with all necessary info to demonstrate compliance with article 28 of the GDPR and also to “ allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.”
- Where Microsoft may engage with another processor for certain activities, they will ensure that the GDPR terms in the Microsoft Online Service Terms also apply to the 3rd party and, if that organisations fails in some way – “Microsoft shall remain fully liable to the Customer for the performance of that other processor’s obligations”.
The GDPR brings with it a requirement for data controllers to notify data subjects (and authorities) in the event of a data breach; something that doesn’t currently exist under the European Data Protection Directive.
Microsoft commit to alerting their customers of such an event “without undue delay” (as per the GDPR) and that this notice will, at a minimum:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
- communicate the name and contact details of the data protection officer or other contact where more information can be obtained;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Microsoft have made public a list of all their Subprocessors, which is available here – https://aka.ms/Online_Serv_Subcontractor_List
This document shows the company, their location(s) and the function(s) they perform.
Microsoft state that at least 14 days before any new Subprocessor can access Personal Data, the list will be updated and there will be a mechanism for customers to receive notification of these updates.
If a customer doesn’t approve of a Subprocessor, they are entitled to terminate – without penalty or requirement for future payment – any subscriptions for the affected Online Service. If the service is part of a suite (such as Office 365 E3 or E5), the whole suite will be terminated.
This potentially adds an additional governance/compliance element for organisations – ensuring they approve of all potential Subprocessors as part of the product evaluation process.
Doing more than required?
Microsoft certainly seem to be making it clear what they see as their obligations under the new GDPR rules, and making it straightforward to their customers to find.
One thing I don’t know, and would be keen to learn, is whether any of this is over and above what is required by the GDPR. That is, are Microsoft going the extra mile with their GDPR provisions or are they simply complying with the regulations?
I’ll be keeping an eye on the other major Cloud vendors to see how, and when, they make their GDPR terms available – and how they compare.
It’s good to see Microsoft making it straightforward for customers to access this information, and that it’s being included in their 2 “go-to” T&Cs documents.
I think this highlights a couple of things:
- How seriously the GDPR is being taken within the technology industry. There isn’t a “European Data Protection Directive” section in the Online Service Terms for example.
- How the convergence of IT, Software Asset Management & Legal is happening across the industry, and at quite some pace. Knowing if a system in on-premises or in the Cloud is no longer enough – organisations now need to know which Cloud it is in, how it complies with the relevant GDPR terms, what the vendor’s various processes are around data breaches, Subprocessors etc. and more. One of the big questions is who will be responsible for that – will that be the SAM team, the legal team, the IT team or – as I feel would be best – a new, cross-departmental team?
The Microsoft Product Terms and Online Service Terms can be downloaded here.
About Rich Gibbons
A Northerner renowned for his shirts, Rich is a big Hip-Hop head, and loves travel, football in general (specifically MUFC), baseball, Marvel, and reading as many books as possible. Finding ways to combine all of these with ITAM & software licensing is always fun!
Connect with Rich on Twitter or LinkedIn.