At Microsoft, we listen to our customers and strive to address their questions and feedback, because one of our foundational principles is to help our customers succeed. Today Microsoft is announcing an update to the privacy provisions in the Microsoft Online Services Terms (OST) in our commercial cloud contracts that stems from additional feedback we’ve heard from our customers.

Our updated OST will reflect contractual changes we have developed with one of our public sector customers, the Dutch Ministry of Justice and Security (Dutch MoJ). The changes we are making will provide more transparency for our customers over data processing in the Microsoft cloud.

Microsoft is currently the only major cloud provider to offer such terms in the European Economic Area (EEA) and beyond.

We are also announcing that we will offer the new contractual terms to all our commercial customers – public sector and private sector, large enterprises and small and medium businesses – globally. At Microsoft we consider privacy a fundamental right, and we believe stronger privacy protections through greater transparency and accountability should benefit our customers everywhere.

Clarifying Microsoft’s responsibilities for cloud services under the OST update

In anticipation of the General Data Protection Regulation (GDPR), Microsoft designed most of its enterprise services as services where we are a data processor for our customers, taking the necessary steps to comply with the new data protection laws in Europe. At a basic level, this means Microsoft collects and uses personal data from its enterprise services to provide the online services requested by our customers and for the purposes instructed by our customers. As a processor, Microsoft ensures the integrity and safety of customer data, but that data itself is owned, managed and controlled by the customer.

Through the OST update we are announcing today we will increase our data protection responsibilities for a subset of processing that Microsoft engages in when we provide enterprise services. In the OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combatting cyberattacks on any Microsoft product or service; and complying with our legal obligations.

The change to assert Microsoft as the controller for this specific set of data uses will serve our customers by providing further clarity about how we use data, and about our commitment to be accountable under GDPR to ensure that the data is handled in a compliant way.

Meanwhile, Microsoft will remain the data processor for providing the services, improving and addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date.

As noted above, the updated OST reflects the contractual changes we developed with the Dutch MOJ. The only substantive differences in the updated terms relate to customer-specific changes requested by the Dutch MOJ, which had to be adapted for the broader global customer base.

The work to provide our updated OST has already begun. We anticipate being able to offer the new contract provisions to all public sector and enterprise customers globally at the beginning of 2020.

Working with our customers to strengthen privacy



Before and after GDPR became law in the EU, Microsoft has taken steps to ensure that we protect the privacy of all who use our products and services. We continue to work on behalf of customers to remain aligned with the evolving legal interpretations of GDPR. For example, customer feedback from the Dutch MoJ and others has led to the global roll out of a number of new privacy tools across our major services, specific changes to Office 365 ProPlus as well as increased transparency regarding use of diagnostic data.

We remain committed to listening closely to our customers’ needs and concerns regarding privacy. Whenever customer questions arise, we stand ready to focus our engineering, legal and business resources on implementing measures that our customers require. At Microsoft, this is part of our mission to empower every individual and organization on the planet to achieve more.

This post is also available in Dutch, French and German.

Tags: GDPR, OST, privacy