Important changes in Microsoft Online Service Terms

Microsoft announces significant changes to Online Service Terms (OST) called cloud contracts for its enterprise customers in a blog article. These new data protection provisions result from the investigations of the European Data Protection Supervisor into possible infringements of the Basic Data Protection Regulation (DSGVO), which were triggered last year by a data protection impact assessment by the Dutch Ministry of Justice. According to this assessment, the collection of telemetry data from Office 365 ProPlus and Office 365 users was regarded as a violation of the applicable European Data Protection Basic Regulation.

Together with the Dutch judiciary, the software company has worked out changes to its OST to ensure greater transparency of data processing in the Microsoft cloud. So far, Microsoft has regarded itself exclusively as a contract data processor for its services such as Azure or Microsoft 365 within the meaning of the DSGVO. The group has now moved away from this to some extent and announces its responsibility under data protection law with the amended OST. This applies when data is processed for specific administrative or operational purposes, such as account management, financial reporting, countering cyber attacks on Microsoft products and services, and compliance with legal obligations.

However, these new rules apply not only to EU institutions, but to all commercial customers in the public and private sectors worldwide, regardless of the size of the company or organization. Microsoft will offer the new contracts to all customers from early 2020.

Source: Microsoft (German blog article)