Response to German findings regarding Microsoft 365

Dec. 20, 2022 - In a report dated Nov. 2, 2022, the Confederation of German Privacy Supervisors (hereafter; DSK) stated that the use of Microsoft 365 in Germany violates the General Data Protection Regulation (AVG).

Man aan laptop met mobiel van bovenaf gefotografeerd

Dec. 20, 2022 - In a report dated Nov. 2, 2022, the Association of German Privacy Supervisors (hereafter; DSK) stated that the use of Microsoft 365 in Germany violates the General Data Protection Regulation (AVG). SURF, APS IT Services, SLB Services and SIVON have read the DSK report with interest and have ordered an investigation in response to these DSK findings.

Conclusion: legitimate use of Microsoft 365 in Dutch education

Following the investigation, SURF, APS IT-diensten, SLBdiensten and SIVON conclude that there is no reason to doubt the lawfulness of the use of Microsoft 365 by Dutch education and research institutions. In 2019, SURF, APS IT-diensten and SLBdiensten (note 1) have already reached agreements with Microsoft regarding the use of Microsoft 365 within the central government and the Dutch education and research sector, which include additional privacy agreements. Many of the findings mentioned by DSK in the report were already identified in previously conducted Data Protection Impact Assessments (DPIAs) and subsequently mitigated in additional agreements. In addition, in response to the EDPB (European Data Protection Board) guidelines regarding processing outside the EEA in July 2021, we have again made additional privacy agreements with Microsoft where necessary.

Continuous monitoring of legitimacy of great importance

SURF, APS IT-diensten, SLBdiensten and SIVON recognize the importance of privacy and strive to embed privacy agreements in contracts with suppliers. We therefore attach great importance to the continuous evaluation of (cloud) services and assessing their legitimacy. Together with SIVON, SURF, APS IT-diensten and SLBdiensten keep an eye on changing laws and regulations, periodically testing them against existing contracts and adjusting them where necessary. In addition, we remain in constant discussion and negotiation with suppliers to ensure that services can be used securely and responsibly.

Note 1: Educational and research institutions use these contracts through SURF, APS IT Services and SLBdiensten.