Microsoft has published a new version of the Cloud Compendium as of December 2020. This is prepared by CELA, Microsoft’s legal department. This new compendium contains relevant information on new events such as the Eugh ruling Schrems 2 and information on the Cloud Act
- to what extent is data protection law relevant for customers of Microsoft Enterprise Cloud Services?
2) On what legal basis does Microsoft process personal data in Enterprise Cloud Services?
- what has changed for international data traffic as a result of the judgment of the European Court of Justice (“ECJ”) in the “Schrems II” case of July 16, 2020?
- what has Microsoft done in response to the ECJ’s ruling in the “Schrems II” case?
- why are there still references to the Privacy Shield in the DPA?
- does the contractual relationship change if the cloud services are used by different group companies of the customer?
group companies of the customer?
7) What is the content of the contractual relationships when companies, especially Microsoft partners, use a Microsoft platform such as Microsoft Azure and offer services to their customers based on it?
8) Where is data stored in the Microsoft Enterprise Cloud?
- is there an exchange between Microsoft and data protection regulators?
10) Does Microsoft share customer data with U.S. authorities?
- what is the significance of the American CLOUD Act?
- what are the implications of the CLOUD Act for Microsoft?
- how many requests does Microsoft receive from investigative agencies?
- can Microsoft cloud services be used by professional secrecy agencies?
- how does Microsoft handle encryption?
- how can customers fulfill their obligation to ensure compliance with all agreed technical and organizational measures?
- how can customers store their data in an audit-proof manner?
18) For what purposes does Microsoft process data in order to pursue Microsoft’s legitimate business activities?
- when processing data for legitimate business activities, does Microsoft also process data for advertising?
- when processing data for legitimate business purposes, why is Microsoft an independent
- what other regulatory requirements may come into play in addition to data protection law?