Microsoft has announced that they are updating the terms and conditions that apply to their Commercial Cloud users as a result of an investigation and subsequent agreement with the Dutch Ministry of Justice.
This change has Microsoft taking on the more accountable “controller” role over certain administrative data that they process across a number of their cloud-based services.
"Through the OST update we are announcing today we will increase our data protection responsibilities for a subset of processing that Microsoft engages in when we provide enterprise services. In the OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combatting cyberattacks on any Microsoft product or service; and complying with our legal obligations."
Previously, Microsoft had taken the stance of being a “processor” only, which meant that it could defer the primary responsibility for how data is handled and processed, along with the related data protection, to its customers, even in cases where the administrative ownership of the data was related to Microsoft processes and not to customer processes.
This change is positive: it places accountability closer to where the actual controller relationship over the data exists. Microsoft has indicated that it is rolling this same change out to all commercial cloud customers globally, even those not formally subject to GDPR or the agreement with the Dutch Ministry of Justice.