In recent months there has been, and still is, a growing debate about data protection and the privacy-friendly use of Microsoft 365 and Azure. This debate has intensified not only because of the Schrems II ruling of July 16, 2020, but also because of the checklists and statements issued by the European Data Protection Board.
Microsoft is the first company to respond to the obligations set out by the European Data Protection Board
This time Microsoft reacted very quickly to the statement of the European Data Protection Board (11.11.2020), which, in response to the Schrems II ruling of the European Court of Justice of 16 July 2020, addressed the transfer of personal data to third countries that do not offer an adequate level of protection.
In December 2020, Microsoft is extending its agreements with new Data Protection Addenda (DPAs) and a new addendum to the Online Services Terms (OSTs). In doing so, it attempts to address the existing challenges under US private law and to counteract the corresponding risks, in particular the CLOUD Act and FISA Section 702, i.e. access by US authorities to data stored in Europe. The guarantees Microsoft offers are:
- Right to compensation for damage suffered by the data subject whose data have been unlawfully processed and who has suffered material or non-material damage as a result;
- Information to the data subject if Microsoft has been legally bound by a government order to release data to U.S. security authorities;
- A commitment by Microsoft to take legal action and to bring an action in the U.S. courts to challenge the government order to release the data.
- "We encrypt customer data both during transmission and at rest with a high encryption standard."
- "We do not grant any government direct, unrestricted access to customer data."
These guarantees are then to be included in the Additional Safeguards Addendum and agreed under private law.
The new contracts are expected in December 2020.
The German Data Protection Board
“Before the end of the year, the Data Protection Conference (Conference of Data Protection Officers of the German Federal States and the Federal Government, DSK) will continue its talks with Microsoft on the Office package – the progress now achieved promises to provide ‘tailwind’ for this.” (LDSB BW)
MSAddendum-DE – German translation
Press Announcement Microsoft Germany https://news.microsoft.com/de-de/neue-massnahmen-zum-schutz-von-daten/
State Data Protection BW: https://www.baden-wuerttemberg.datenschutz.de/dsgvowirkt/
Julie Brill, Chief Privacy Officer, Microsoft Corp.
New Addendum Draft
Additional Safeguards Addendum to Standard Contractual Clauses
By this Additional Safeguards Addendum to Standard Contractual Clauses (this “Addendum”), Microsoft Corp. (“Microsoft”) provides additional safeguards to Customer and additional redress to the data subjects to whom Customer’s personal data relates.
This Addendum supplements and is made part of, but is not in variation or modification of, the Standard Contractual Clauses in Attachment 2 of the Microsoft Online Services Data Protection Addendum (the “Standard Contractual Clauses”).
1. Challenges to Orders. In addition to Clause 5(d)(i) of the Standard Contractual Clauses, in the event Microsoft receives an order from any third party for compelled disclosure of any personal data that has been transferred under the Standard Contractual Clauses, Microsoft shall:
For purposes of this section, lawful efforts do not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
2. Indemnification of Data Subjects. Subject to Sections 3 and 4, Microsoft shall indemnify a data subject for any material or non-material damage to the data subject caused by Microsoft’s disclosure of personal data of the data subject that has been transferred under the Standard Contractual Clauses in response to an order from a non-EU/EEA government body or law enforcement agency (a “Relevant Disclosure”). Notwithstanding the foregoing, Microsoft shall have no obligation to indemnify the data subject under this Section 2 to the extent the data subject has already received compensation for the same damage, whether from Microsoft or otherwise.
3. Conditions of Indemnification. Indemnification under Section 2 is conditional upon the data subject establishing, to Microsoft’s reasonable satisfaction, that:
(a) Microsoft engaged in a Relevant Disclosure;
(b) the Relevant Disclosure was the basis of an official proceeding by the non-EU/EEA government body or law enforcement agency against the data subject; and
(c) the Relevant Disclosure directly caused the data subject to suffer material or non-material damage.
The data subject bears the burden of proof with respect to conditions (a) through (c).
Notwithstanding the foregoing, Microsoft shall have no obligation to indemnify the data subject under Section 2 if Microsoft establishes that the Relevant Disclosure did not violate its obligations under Chapter V of the GDPR.
4. Scope of Damages. Indemnification under Section 2 is limited to material and non‑material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from Microsoft’s infringement of the GDPR.
5. Exercise of Rights. Rights granted to data subjects under this Addendum may be enforced by the data subject against Microsoft irrespective of any restriction in Clauses 3 or 6 of the Standard Contractual Clauses. The data subject may only bring a claim under this Addendum on an individual basis, and not part of a class, collective, group or representative action. Rights granted to data subjects under this Addendum are personal to the data subject and may not be assigned.
6. Notice of Change. In addition to Clause 5(b) of the Standard Contractual Clauses, Microsoft agrees and warrants that it has no reason to believe that the legislation applicable to it or its sub-processors, including in any country to which personal data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from the data exporter and its obligations under this Addendum or the Standard Contractual Clauses and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this Addendum or the Standard Contractual Clauses, it will promptly notify the change to Customer as soon as it is aware, in which case Customer is entitled to suspend the transfer of data and/or terminate the contract.
7. Termination. This Addendum shall automatically terminate if the European Commission, a competent Member State supervisory authority, or an EU or competent Member State court approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the Standard Contractual Clauses (and if such mechanism applies only to some of the data transfers, this Addendum will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Addendum.