Processing of personal data in the Office 365 cloud solution

Date of letter: 6 June 2012

J.no. 2011-082-0216

This version is translated for the Danish Data Protection Agency. Only the official letter in Danish has legal validity.

1. The Danish Data Protection Agency hereby resumes the case regarding the processing of personal data in Microsoft’s cloud solution, Office 365. 

2. Details of the case
Microsoft has stated that it has joined the Safe Harbor scheme. Microsoft has in addition implemented the European Commission’s standard contractual clauses for the transfer of personal data to processors established in third countries.[1] Danish users of Office 365 will thus be able to conclude an agreement with Microsoft on the transfer of personal data to third countries based on the European Commission’s standard contractual clauses.

Microsoft has submitted copies of an agreement based on the European Commission’s standard contractual clauses, and of the processor agreement that will be concluded with Microsoft’s customers. The agreement based on the European Commission’s standard contractual clauses will be concluded between the customer (the controller) and Microsoft Corporation in the USA, while the processor agreement will be concluded between the customer (the controller) and Microsoft Ireland Operations Ltd. in Ireland.

The Danish Data Protection Agency has noted that these agreements relating to the online purchase of Office 365 services are not presented to the customer automatically, but can be found and selected on Microsoft’s website under ‘Optional privacy and security contract supplements concerning the protection of personal data and security in Office 365’. Microsoft has explained by telephone that, in the case of large customers, subscription does not take place via the website, but via a manual licence procedure, of which the contracts are part. 

It is stated that – in order to create transparency concerning the processing of data in Office 365 – Microsoft has established The Office 365 Trust Center on its website. This presents general information regarding, among other things, the countries in which Microsoft’s data centres, including back-up data centres, are located; what Microsoft does to ensure that customers (controllers) comply with the data protection legislation of the country in which they are established; how Microsoft administers access to the data processed; and information on security measures, certifications and audits. On Microsoft’s Danish website there is a Danish version of the Office 365 Trust Center, called ‘Office 365 Sikkerhedscenter’. 

The document ‘Customer Data Flows in Office 365 – Europe, Middle East, Africa’, which is available in the Office 365 Trust Center, states that Microsoft’s primary data centres are located in Ireland, the Netherlands and the USA. It is also stated that Microsoft has back-up data centres in Ireland, the Netherlands and the USA; and that there is access to ‘Service Logs Containing Customer Data’ in Ireland, the Netherlands, the USA and Canada. Finally, it is stated that customer support personnel in Bulgaria, Ireland, the USA and Canada may have access to customers’ data.

Concerning processing outside the EU, Microsoft has stated that, even when a European cloud solution is chosen, it is possible that processing will take place outside the EU, for example in back-up data centres outside the EU.

Microsoft has furthermore stated that its use of subcontractors (sub-processors) will be based on the appropriate model set out in the European Commission’s standard contractual clauses. A list of all sub-processors (names of companies) is available on Microsoft’s website. 

In addition, Microsoft has stated that, if a customer so requests, the company will send a copy of sub-processor agreements, as well as addresses of sub-processors, to the customer.

The processor agreement, of which Microsoft has sent a copy to the Danish Data Protection Agency, includes clauses on data security and audit, whereby Microsoft is obliged to allow, among other things, the security of the actual solution and of the data centres to be audited at least once a year, in accordance with the ISO 27001 standard and by third-party security professionals at Microsoft’s selection and expense.

Microsoft has stated in this respect that the company recognises that the standard contractual clauses grant the customer (the controller), and the data protection authorities, the right to audit Microsoft’s data centres, as well as any sub-processors used by Microsoft. If a customer wishes to inspect a data centre, however, Microsoft will in the first instance refer the customer to the annual audit performed by the British Standards Institution (BSI).

Microsoft has furthermore stated that in such case it will cooperate with customers (controllers) whose special requirements have not been met in conjunction with BSI’s audit. 

The copy of the processor agreement submitted shows that, on request, customers (controllers) may receive a summary of BSI’s inspection report. In addition, Microsoft has stated that customers (controllers) furthermore, on request, will be able to view BSI’s inspection report via an online meeting at which Microsoft will provide explanatory discussion in real time.

Microsoft has furthermore stated that upon written request from the Danish Data Protection Agency to Microsoft Ireland Operations Ltd. in Ireland, Microsoft will provide the Agency the addresses of the data centres at which the processing of the personal data may take place. In certain circumstances, customers (controllers) with specific needs will be allowed to inspect one or several data centres.

Microsoft has also stated that – if so requested by customers (controllers) – the information and documents necessary for the customers’ required risk assessment of Office 365 may be issued. In the first instance, Microsoft will, however, refer to the information at the Office 365 Trust Center and the available audit reports.

3. The Data Protection Agency has discussed the matter at a meeting of the Data Protection Council and, on this basis, provides the following opinion:

3.1. By way of introduction it is stated that the Danish companies and public authorities that will use the Office 365 solution are responsible for compliance with the requirements of the Danish Act on Processing of Personal Data.[2]

In this opinion, the Danish Data Protection Agency will present remarks concerning Microsoft’s responsibility as processor and controller, respectively (see section 3.2 and 3.3). The Danish Data Protection Agency will furthermore refer to a number of issues that Danish controllers will be required to take into consideration when they use Office 365 (see section 3.4). 

It must also be noted that the Danish Data Protection Agency does not approve processor agreements, nor shall such agreements be submitted to the Agency. The consideration of the case and this opinion do not, therefore, reflect that the Danish Data Protection Agency has approved the processor agreement submitted, which is concluded with Microsoft Ireland.[3]

3.2. Microsoft’s obligations as processor
The requirements of the Act on Processing of Personal Data that appropriate technical and organisational security measures must be implemented to protect data against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure, abuse or other processing in violation of the provisions laid down in the Act also apply to processors. This is stipulated in Section 41(3), sentence 2, of the Act on Processing of Personal Data.

If the processor is established in a different Member State, the provisions on security measures that are laid down by law in the Member State in question shall apply. 

The Data Protection Agency therefore assumes that Microsoft in Ireland will live up to the requirements of Irish data protection legislation concerning the security measures of processors in Ireland. 

3.3. Microsoft’s obligations as controller
To the extent that the customer is a natural person (including a sole proprietor of a company), or when data concerning administrators is processed, Microsoft will process personal data in its administration of the customer account in question. In this connection the Danish Data Protection Agency considers Microsoft to be the controller for the administration of the solution.

As Danish customers’ subscription agreements are concluded with Microsoft in Ireland, the Agency will assume that, with regard to customers that are natural persons, Microsoft in Ireland observes the Irish data protection legislation.

3.4. The duty of Danish companies and public authorities to comply with the requirements of the Act on Processing of Personal Data
3.4.1. The third country contract submitted
3.4.1.1. With regard to the submitted contract on the transfer of data to Microsoft in the USA,[4] the Danish Data Protection Agency notes that the contract is equivalent to the European Commission’s standard contract for the transfer of personal data to processors.

A Danish controller company or public authority will, however, require the permission of the Danish Data Protection Agency, in accordance with Section 27(4) of the Act on Processing of Personal Data, to transfer personal data to third countries on the basis of the contract. 

On using a contract that has not been amended from the European Commission’s standard contract, the Danish controller company or public authority is solely required to submit a form to the Danish Data Protection Agency with a declaration that the standard contract is used without any amendments. The contract itself is not required to be submitted to the Danish Data Protection Agency.[5]

It is emphasised that the requirement of permission from the Danish Data Protection Agency in accordance with Section 27(4) of the Act on Processing of Personal Data applies to the transfer of both sensitive and non-sensitive personal data, and to both public authorities and private companies, etc.

3.4.1.2. As stated in section 2 above, the Danish Data Protection Agency has noted that, in connection with online purchase of Office 365 services, Microsoft’s customers are not presented automatically with the third country contract (or the processor agreement). On the contrary, the customer must find and select these agreements on Microsoft’s website under ‘Optional privacy and security contract supplements concerning the protection of personal data and security in Office 365’.

Data controller companies and public authorities must thus be aware that these agreements are not concluded automatically in conjunction with online purchase of Office 365 services, but must, on the contrary, be concluded using the optional contract supplements. It is the controllers’ responsibility to ensure that these agreements are concluded with Microsoft.

It is the view of the Danish Data Protection Agency that Microsoft should provide easily understandable information to this effect before a customer in Denmark concludes an agreement on use/purchase of Office 365 services. The customer must at this time be informed clearly that the customer must conclude a third country contract and processor agreement. 

3.4.2. The requirements of data security set out in the Act on Processing of Personal Data
3.4.2.1. The rules of the Act on Processing of Personal Data entail that a Danish company or public authority using Office 365 must, as controller, ensure that the personal data is protected by the required security measures. The more detailed rules are presented in Sections 41 and 42 of the Act.

For public authorities, the security requirements of the Act on Processing of Personal Data are further implemented in the Executive Order on Security[6] and the Guidance to the Executive Order on Security.[7]

There is no equivalent executive order on security for the private sector, but the Data Protection Agency recommends generally that, to the greatest possible extent, private controllers arrange security measures in accordance with the Executive Order on Security.

Depending on the concrete processing of personal data, the security requirements of the Act on Processing of Personal Data in particular include the following: 

1. the obligation to lay down more detailed internal provisions describing how the required security measures are actually established in the organisation; 
2. the requirement of instruction of employees;
3. the requirement of written agreements with processors to ensure that the data security complies with the Act on Processing of Personal Data, and that the controller ensures that this is the case;
4. the requirement of special guidelines on access to personal data on using IT equipment outside the controller’s premises (home workspaces, etc.);
5. the requirement concerning physical security;
6. the requirement to observe the required security measures in connection with repair and service, and on the sale and discarding of used data media;
7. the requirement of a formal authorisation procedure to ensure that only persons so authorised have access to personal data, and that only persons for whom access is necessary as part of their job function are so authorised, that they are assigned an individual personal login, and that the authorisation issued is amended or revoked when the employee leaves or is transferred within the organisation;
8. the requirements that on transmission via the Internet (or other open networks) a risk assessment is performed that includes all elements of the solution; that the necessary security measures are implemented to counter the existing risks, including the use of encryption if confidential or sensitive personal data is transferred via the Internet (or other open networks); and to ensure authenticity (the sender and recipient’s identities) and integrity (the authenticity of the data transmitted) to the extent required, by applying appropriate security measures;
9. the requirement of control of refused attempts at access, including blocking further attempts after a number of refused attempts at access; and
10. the requirement of registration (logging) of all instances of the use of personal data. 
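As an added illustration of items 7, 9 and 10 above (this is example code written for this page, not code from the opinion, from Microsoft or from Office 365), the following Python sketch gates access to case records by individual login and job-function authorisation, blocks a login after a number of refused attempts, and writes a log entry for every use of personal data, whether granted or refused. The lockout threshold, the log fields and the sample case data are assumptions made for the example; the opinion fixes none of them. Item 8 (encryption and risk assessment for transmission over open networks) is not covered here.

```python
"""Access gate illustrating items 7, 9 and 10 of the security requirements.

Added example, not code from the opinion, from Microsoft or from Office 365:
individual logins with per-case authorisation (item 7), a lockout after a
number of refused access attempts (item 9) and a log entry for every use of
personal data (item 10).  The threshold, the log fields and the sample case
data are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

MAX_REFUSED = 3  # assumed threshold; the opinion fixes no number


@dataclass
class AccessGate:
    # login -> set of case ids the holder needs for their job function (item 7)
    authorisations: dict
    # case id -> {"subject": data subject, "data": the personal data}
    records: dict
    max_refused: int = MAX_REFUSED
    refused: dict = field(default_factory=dict)   # login -> refused count
    blocked: set = field(default_factory=set)     # logins locked out (item 9)
    log: list = field(default_factory=list)       # one entry per use (item 10)

    def _log(self, user, use, case_id, outcome):
        # Every attempt is logged, granted or not.  The field set is an
        # assumption: time, user, type of use, case, data subject, outcome.
        subject = self.records.get(case_id, {}).get("subject")
        self.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "use": use, "case": case_id,
            "subject": subject, "outcome": outcome,
        })

    def use(self, user, case_id, use="read"):
        """Return the record's data if access is allowed, otherwise None."""
        if user in self.blocked:
            self._log(user, use, case_id, "refused: blocked")
            return None
        if case_id not in self.authorisations.get(user, set()):
            n = self.refused[user] = self.refused.get(user, 0) + 1
            if n >= self.max_refused:
                self.blocked.add(user)  # further attempts are refused outright
                self._log(user, use, case_id, "refused: blocked after %d" % n)
            else:
                self._log(user, use, case_id, "refused: not authorised")
            return None
        self.refused.pop(user, None)  # a granted access resets the counter
        self._log(user, use, case_id, "granted")
        return self.records[case_id]["data"]

    def revoke(self, user):
        """Item 7: the authorisation is removed when the employee leaves."""
        self.authorisations.pop(user, None)


def demo_gate():
    """Gate populated with constructed sample data (not real cases)."""
    records = {
        "case-1": {"subject": "A. Andersen", "data": "health note"},
        "case-2": {"subject": "B. Berg", "data": "tax matter"},
    }
    authorisations = {"alice": {"case-1"}, "bob": {"case-2"}}
    return AccessGate(authorisations, records)


if __name__ == "__main__":
    gate = demo_gate()
    gate.use("alice", "case-1")           # granted
    for _ in range(3):
        gate.use("alice", "case-2")       # refused; third refusal blocks alice
    gate.use("alice", "case-1")           # refused: blocked
    for entry in gate.log:
        print(entry["user"], entry["case"], entry["outcome"])
```

The point of the sketch is that the log, not the grant, is the primary record: the refused attempts are what a controller later needs to show that item 9 was enforced, and the granted ones are what item 10 asks for.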

3.4.2.2. Re: the requirement of agreement and control of processors (item 3 above)
3.4.2.2.1. The execution of processing by a processor must take place in accordance with a written agreement between the parties. The agreement must state that the processor acts only on instructions from the controller and that the rules laid down in Section 41(3)-(5) shall also apply to the processing by way of the processor. This is stipulated in Section 42(2) of the Act on Processing of Personal Data. 

It is furthermore stipulated in Section 7(1) of the Executive Order on Security that if personal data is processed by a processor on behalf of the controller there must be a written contract stating that the rules of the regulations of the Executive Order on Security also apply to processing by the processor.

Furthermore, in accordance with both Section 42(2) of the Act on Processing of Personal Data and Section 7(1) of the Executive Order on Security, it is required that if the processor is established in a different Member State, the contract must stipulate that the provisions on security measures laid down by law in the Member State in which the processor is established apply to the processor.

3.4.2.2.2. In cases where a Danish company is subject to terms set by the Danish Data Protection Agency on granting an authorisation, the controller company is also responsible for compliance with these terms, regardless of whether a processor within or outside Denmark is used. The same applies to public authorities, which must in addition ensure that the Executive Order on Security is complied with. 

The Danish controllers must, among other things, consider whether use may be made of sub-processors. When this is the case, as for Office 365, this must also be handled in processor agreements. 

The Danish Data Protection Agency draws attention to the fact that in such case the model applied in the European Commission’s standard contract may be used.[8] The Danish Data Protection Agency hereby assumes that all elements in the standard contract concerning sub-processors are used. The Danish Data Protection Agency draws particular attention to standard clause 5(j), which states that the data importer (Microsoft) must promptly send the data exporter (the customer) a copy of sub-processor agreements it concludes under the standard clauses.

It is the immediate view of the Danish Data Protection Agency that it must be up to the individual controller company or public authority to decide how broad a mandate the processor is to hold. The controller must thus decide whether general advance consent or specific consent for each new sub-processor is to be given.[9]

As emphasised above in section 3.1, the Danish Data Protection Agency does not approve processor agreements and such agreements shall not be submitted to the Agency.

3.4.2.2.3. The companies and public authorities that use Microsoft as processor are obliged to ensure that the provisions concerning security measures are complied with by the processor, cf. the final clause of Section 42(1) of the Act on Processing of Personal Data. 

As stated in the Danish Data Protection Agency’s Guidance to the Executive Order on Security, in this context it can be relevant to obtain an annual auditor’s declaration from an independent third party. The written agreement between the parties may, among other things, include the preparation of this audit declaration as a condition for processing to be undertaken by the processor.

On this basis, the Danish Data Protection Agency has no immediate objections to a model whereby the control by Danish controllers in principle takes place by using audit declarations from an independent third party. 

In this respect, the Danish Data Protection Agency has noted that Microsoft has stated that it will cooperate with customers whose specific needs have not been met in connection with the annual audit and that, in special situations, customers themselves will be able to undertake control.

3.4.2.3. Re: the requirement concerning risk assessment (item 8 above)
In order to comply with the security requirements in the Act on Processing of Personal Data, in the view of the Danish Data Protection Agency the controller must perform a risk assessment concerning all aspects of the planned use of the cloud solution.

In this connection the Danish Data Protection Agency has noted that – if customers (controllers) so request – Microsoft will issue the information and documents necessary for customers to perform a risk assessment.

3.4.2.4. Re: the requirement concerning logging (item 10 above)
The logging requirement in Section 19(1) of the Executive Order on Security applies solely to authorities’ registration of data that is subject to the obligation of notification to the Danish Data Protection Agency. In general terms, this means the processing of confidential and sensitive personal data.

There are a number of exemptions to the logging requirement, cf. Section 19(2)-(5) of the Executive Order on Security. 

Based on the information disclosed, it is the Danish Data Protection Agency’s view that Office 365 does not include a logging function as required in accordance with the Executive Order on Security. 

It is therefore important that a Danish public authority acting as controller, which processes data that might be subject to the logging requirement – such as sensitive personal data in documents and e-mails – ensures that no registration triggering a logging requirement takes place in the solution.

There is no logging requirement for the processing of personal data that takes place when the data is included in word-processing documents, spreadsheets and similar, for as long as these documents are under preparation, or function as work documents to which new information is continuously added while the individual case is processed. There is no logging requirement either for such documents in their final version if they are erased within a short deadline as determined by the controlling authority. This is stipulated in Section 19(2) of the Executive Order on Security.

The Danish Data Protection Agency’s Guidance to the Executive Order on Security states that the controller must consider the length of the aforementioned shorter period, which should generally be at most one month, and prepare guidelines for the procedure that employees are to follow. 

It should be noted that there is nothing to prevent completed documents from being transferred to document archives for long-term storage instead of being erased. In this case, however, this will constitute processing (storage) that is subject to the logging requirement.

If personal data is processed in electronic calendars the controller must ensure that this data is only accessible to the persons who are engaged in the purposes for which the personal data is processed. This applies to confidential and sensitive data in particular. The circumstance that the employees are subject to a duty of confidentiality does not alter the fact that an assessment must be made of who is to have access to the data. Reference is hereby made to item 7 above in section 3.4.2.1.

It should be noted that even the information that a member of the general public has a case that is being processed by a public authority, or that the public authority is in contact with the person concerned, may constitute data of a confidential or sensitive nature that is no concern of the other employees of the public authority. The public authority must therefore consider how broad an access the calendar system gives to the individual case officer’s calendar registration, and which information the calendar system should include, just as the possibility of “screening off appointments” vis-à-vis a wider circle should be considered.

4. Concluding remarks
The Danish Data Protection Agency can inform that the Article 29 Working Party[10] is currently working on an opinion concerning cloud computing.

The Danish Data Protection Agency must reserve its position concerning the use of Office 365 by Danish companies and public authorities if there should prove to be shortcomings in the use of the solution in relation to the Act on Processing Personal Data, just as the Agency reserves the opportunity to present further remarks once the Article 29 Working Party’s opinion is available. 

The Danish Data Protection Agency can furthermore state that the so-called Berlin Group[11] has prepared a working document with a number of recommendations, etc. on the use of cloud computing.[12] The working document of 24 April 2012 is available at http://www.datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group.

For the sake of good order, the Danish Data Protection Agency can inform that it expects to publish this letter on its website. The Agency also expects to publish an English version of the letter on its website.


[1] Cf. Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council
[2] Act no. 429 of 31 May 2000 on Processing of Personal Data, with subsequent revisions
[3] ‘Office 365 Data Processing Agreement with Model Clauses’, part 1 of 2
[4] ‘Office 365 Data Processing Agreement with Model Clauses’, part 2 of 2 (Annex 1)

[5] For further information (in Danish) concerning the simplified procedure for third country transfer based on the European Commission’s standard contractual clauses see the Danish Data Protection Agency’s website: http://www.datatilsynet.dk/nyheder/seneste-nyheder/artikel/forenklet-procedure-for-tredjelandsoverfoersel-baseret-paa-eu-standardkontrakter/
[6] The Danish Ministry of Justice’s Executive Order no. 528 of 15 June 2000, as amended by Executive Order no. 201 of 22 March 2001, on security measures for protection of personal data that is processed on behalf of the public administration

[7] The Data Protection Agency’s Guidance no. 37 of 2 April 2001 to Executive Order no. 528 of 15 June 2000 on security measures for protection of personal data that is processed on behalf of the public administration

[8] The Danish Data Protection Agency has previously made positive statements on such a procedure in the case with j. no. 2010-321-0348
[9] Cf. hereby the Article 29 Working Party’s WP 176 of 12 July 2010 (‘FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC’)

[10] Pursuant to Directive 95/46/EC of 24 October 1995 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the data protection directive), a ‘Working Party on the Protection of Individuals with regard to the Processing of Personal Data’, called the ‘Article 29 Working Party’, has been appointed
[11] The Berlin Group is the International Working Group on Data Protection in Telecommunications, which was established in 1983 at the initiative of the Data Protection Commissioners of a number of countries, including Denmark
[12] ‘Working Paper on Cloud Computing – Privacy and data protection issues’ of 24 April 2012 (the so-called ‘Sopot Memorandum’)