GDPR compliant businesses that are using Microsoft cloud products like Azure and Office 365 may need to modify their data processing agreements.  Microsoft is making changes to their cloud computing service terms that will go into effect in this new year that may have broad implications, as it will soon be changing their role from data processor to controller in certain respects. This will mean that Microsoft will have more obligations in those areas, but also means customers will have less control over how they are provided online services and can provide less instruction on purposes for processing.

Article 28 of the GDPR sets out that “processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

Microsoft announced an update to the privacy provisions in the Microsoft Online Services Terms (OST) in their commercial cloud contracts to all commercial customers. Microsoft served as a data processor for customers, which meant it was collecting and using personal data from its enterprise services to provide the online services requested by customers and for the purposes instructed by its customers. Data processors processes personal data on behalf of the controller. These terms meant that the customer was the data controller. Data controllers determine the purposes and means of such processing.

The OST update revises their responsibilities for a subset of cloud enterprise services. Microsoft assumes the role of data controller when processing specific administrative and operational purposes incident to providing the cloud services such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combatting cyberattacks on any Microsoft product or service; and complying with its legal obligations. Microsoft remains the data processor for addressing bugs or other issues related to the service.

If your business is using Microsoft cloud computing services, it is imperative that you review your business’ obligations in relation to the data held by Microsoft. If Microsoft’s obligations have changed, data processing agreements may require amendments or addendums as well.