Data protection and data stewardship in Microsoft online services
The most important questions about data protection in data centres
Microsoft also provides its cloud offerings Microsoft 365, Office 365, Dynamics 365 and Microsoft Azure from German data centre regions. Our experts answer the most important questions on this topic on this page.
Questions and answers
Microsoft supports a wide range of international, European and German data protection standards for online services from the global Microsoft Cloud. More details can be found on this Microsoft page. This forms the basis for ensuring that the use of these services complies with the requirements of the GDPR. However, the customer is ultimately responsible for ensuring that data is handled in accordance with the GDPR. Microsoft and Deutsche Telekom support this with appropriately certified services and platforms as well as security and data protection features.
Comprehensive information about Microsoft's data protection policy can be found on this page.
Microsoft's cloud services are subject to strict rules to protect customer data from unauthorised access, including access restrictions for Microsoft employees and contractors. The conditions for government requests are also defined in detail. However, as a customer, you can access your own customer data at any time and for any reason.
The data trustee model, which guarantees access to data exclusively in accordance with German law, is only available in the Microsoft Cloud Germany and can no longer be offered for the global Microsoft Cloud platform.
Customer data is protected in Microsoft Cloud data centres by a variety of technologies and processes, including various forms of encryption.
Enhanced requirements for the protection of stored data can be met with end-to-end encryption, which is available on a software/client basis as well as on a network basis. The difference from encryption performed by Microsoft is that only the customer is in possession of the key, so the data cannot be decrypted by Microsoft at any point during data processing or storage.
Our cloud experts will be happy to advise you if required.
Microsoft has a comprehensive security concept to protect the data stored in its German and international data centres. This includes the physical protection of the data centres using a multi-layer principle, including barriers, fences, motion sensors, video surveillance and alarm systems.
Access to data is controlled via role-based access control for authorised experts and employees. The security concept also includes measures for geo-redundancy and disaster recovery to ensure uninterrupted operation of Microsoft Cloud services.
Microsoft complies with international data protection laws governing the cross-border transfer of customer data. To ensure that data can flow freely, for example in international companies, many of Microsoft's cloud services offer EU standard contractual clauses, which have been implemented in conjunction with EU data protection authorities and comply with the strict data protection standards to which companies in EU member states are subject with regard to international data transfers. Microsoft assures that it will not transfer any data to third parties that customers provide to Microsoft through the use of Business Cloud Services and that are subject to the Microsoft Online Services Terms of Use.
In its Online Services Terms of Use, Microsoft describes the processes for handling customer data if a customer terminates their use of a cloud service or a subscription expires.
If a subscription ends or is terminated, Microsoft stores data for 90 days (retention period) under an account with limited functionality, except for free trial versions, to allow time to extract the data or renew the subscription. During this period, you will receive several notifications from Microsoft informing you of the upcoming deletion of your data.
After the 90-day retention period, Microsoft will deactivate the account and delete the customer data, including all cached data and backup copies. For services included in the scope of services, deletion takes place within 90 days after the end of the retention period.
If a drive used for storage fails due to a hardware error, the data it contains will be deleted or the device will be rendered unusable before it is returned by Microsoft to the manufacturer for replacement or repair. The data on the drive will be completely overwritten to ensure that it cannot be recovered under any circumstances.
In addition to supporting a wide range of international and European data protection standards and certifications, the new German data centres also support the following standards:
Cloud Computing Compliance Controls Catalogue (C5) of the BSI
The German Federal Office for Information Security (BSI) created the Cloud Computing Compliance Controls Catalogue (C5) in 2016. The C5 is a certified standard that sets binding minimum requirements for cloud security and the introduction of public cloud solutions for German government agencies and organisations that work with the government. The C5 is also increasingly being used in the private sector.
The aim of the C5 catalogue is to provide a uniform security framework for the certification of cloud service providers and to assure customers that their data is being managed securely. Read here to find out how Microsoft proceeds after C5 certification and how it supports customer certification.
IT baseline protection (BSI)
To support organisations in identifying and implementing measures to protect IT systems, the Federal Office for Information Security (BSI) has developed basic standards for protecting information technology, known as IT baseline protection. These BSI standards include:
- An Information Security Management System (ISMS) in accordance with ISO/IEC 27001 standards (BSI Standard 100-1)
- The IT baseline protection methodology, which describes the establishment and operation of an ISMS (BSI Standard 100-2)
- A method for risk analysis (BSI Standard 100-3)
- The IT Baseline Protection Catalogues, a standard set of potential threats and corresponding protective measures for typical business environments.
Read here to find out how Microsoft supports IT baseline protection certification.
Automotive: Trusted Information Security Assessment Exchange (TISAX)
To ensure the ever-increasing connectivity in the automotive industry, the German Association of the Automotive Industry (VDA) has developed a set of criteria for assessing information security. The VDA Information Security Assessment (German and English) is based on the international standards ISO/IEC 27001 and 27002, which have been adapted to the automotive industry. It was updated in 2017 to cover controls for the use of cloud services. Details of which Microsoft services have undergone a TISAX assessment can be found here.
Institute of Public Auditors in Germany: PS 951 (IDW)
Auditing Standard 951 of the Institute of Public Auditors in Germany, usually abbreviated as IDW PS 951 n.F., is an auditing standard published by the Institute of Public Auditors in Germany (IDW) that regulates the auditing of an outsourced internal control system at a service company.
We are here for you with our own team of certified Microsoft experts!
Our expert hotline
Do you have questions or need assistance finding the right solution? Take advantage of our cloud customer service. Upon request, we can support you in every phase of product implementation, from needs analysis to complete migration of your current systems. With our premium services, we take care of the IT so that you have time for your business.
Advice, booking and support for technical faults: Mon–Fri 8 a.m.–8 p.m., Sat 8 a.m.–4 p.m. (faults can be reported at any time)