MICROSOFT WILL AMEND the privacy policies on its commercial cloud computing contracts in the EU following the investigation by the European Data Protection Supervisor (EDPS).
That investigation was announced in April, with concerns raised in October that Microsoft's EU contracts were not compliant with GDPR in a preliminary opinion from the EDPS.
The company's changes to its ‘Online Services Terms' in the EU were announced by Microsoft's chief privacy officer Julie Brill, who claimed that it was a result of "additional feedback we've heard from our customers".
"Our updated OST will reflect contractual changes we have developed with one of our public sector customers, the Dutch Ministry of Justice and Security (Dutch MoJ)," she said. "The changes we are making will provide more transparency for our customers over data processing in the Microsoft cloud.
"Microsoft is currently the only major cloud provider to offer such terms in the European Economic Area (EEA) and beyond."
The company is also updating its privacy policies on a global basis, across both public and private sectors.
"In anticipation of the General Data Protection Regulation (GDPR), Microsoft designed most of its enterprise services as services where we are a data processor for our customers, taking the necessary steps to comply with the new data protection laws in Europe," added Brill.
"At a basic level, this means Microsoft collects and uses personal data from its enterprise services to provide the online services requested by our customers and for the purposes instructed by our customers. As a processor, Microsoft ensures the integrity and safety of customer data, but that data itself is owned, managed and controlled by the customer."
Through the update announced this week, Microsoft will be increasing its data protection responsibilities "for a subset of processing that Microsoft engages in when we provide enterprise services… we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes" relating to the provision of cloud services, Brill continued.
EDPS announced its investigation into software contractual agreements in April this year. This focused purely on deals between Microsoft and EU institutions and Regulation 2018/1725, which came into force on 11 December 2018.
"EU institutions rely on Microsoft services and products to carry out their daily activities. This includes the processing of large amounts of personal data," claimed the EDPS in a statement announcing the investigation.
"Considering the nature, scope, context and purposes of this data processing, it is vitally important that appropriate contractual safeguards and risk-mitigating measures are in place to ensure compliance with the new Regulation.
"The EDPS investigation will therefore assess which Microsoft products and services are currently being used by the EU institutions, and whether the contractual arrangements concluded between Microsoft and the EU institutions are fully compliant with data protection rules."
Firm's first high-end speaker gets the thumbs up from us
Yes. Yes you can
A fantastic ultraportable that's almost devoid of innovation
Screen if you want to go faster