EU Model Clauses—frequently asked questions

Show all

Customers can comply with cross-border data transfer requirements from the EU’s Data Protection Directive, and after May 25, 2018 the EU General Data Protection Regulation (GDPR), by using the EU Model Clauses.

The Model Clauses, issued by the European Commission, contain provisions to ensure EU personal data is sufficiently protected when transferred internationally and are a legal mechanism for legitimizing cross-border transfers.

Global cloud service providers offering enterprise-level service, availability, and performance, along with ancillary services such as 24/7 customer and technical support, need flexibility to move personal data of an EU customer to locations around the world in the course of providing the cloud service.

Microsoft has certified to the Department of Commerce that it adheres to the Privacy Shield Principles and relies on this framework to legitimize cross-border data transfers of EU personal data.

The EU Model Clauses are included in the Microsoft’s Online Services Terms available to all customers. Customers do not need to take any action to get the EU Model Clauses. Customers may opt out of the EU Model Clauses by following the instructions in the Online Services Terms.

It’s important to note that the EU Model Clauses we offer are specifically designed to provide safeguards for data transfers from controllers in the EU to data processors established outside EEA. For the Online Services, Microsoft is a data processor (or sub-processor) acting on our customer’s behalf to process Customer Data, Support Data and Personal Data.

By entering the EU Model Clauses as a data processor, Microsoft assures customers they will remain in control of their data, and their data will be processed in accordance with stringent data protection requirements.

The EU Model Clauses contain exacting data protection requirements which require cloud providers to handle Customer Data in accordance with rigorous technical and organizational controls. To comply with the EU Model Clauses, Microsoft has made (and continues to make) significant engineering and operational investments to meet the privacy and security requirements set forth in the EU model clauses. Our investments include engineering controls and processes above and beyond those required in order to achieve ISO 27001 certification, which we have achieved and are audited against each year. In addition, we are transparent about our data processing activities. For example, we disclose our sub-processors and share the technical and organizational security measures we take to protect Customer Data. It is possible cloud service providers who do not offer the EU Model Clauses have not implemented these controls and processes or have existing business practices that prevent their compliance with these clauses.

The EU Model Clauses can give customers confidence that their data will be properly safeguarded. Unless a cloud service provider is willing to agree to the EU Model Clauses, it may be difficult for a customer to trust the cloud service providers’ data protection practices. The EU Model Clauses also help cloud customers comply with the EU cross-border data transfer requirements. Indeed, the Article 29 Working Party has emphasized the importance of establishing contractual safeguards in the data controller–data processor (that is, the customer–cloud service provider) relationship and has underscored the importance of the EU Model Clauses.

No. EU data protection authorities do not generally view encryption as an alternative to adequacy measures for cross-border transfers of EU personal data.

Customers should understand if the cloud service provider enters the EU Model Clauses as a data controller or data processor. Microsoft enters the EU Model Clauses as a data processor, assuring customers we only process their data in accordance with their instructions.

If both cloud service providers agree to the EU Model Clauses as data processors, customers should consider the service provider’s overall commitment to data privacy and security in addition to the EU Model Clauses. Proactively working with national data protection authorities and the Article 29 Working Party is evidence of such commitment and helps ensure that the service provider’s offering meets the expectations of both customers and regulators.

Microsoft has received many favorable reviews from European data protection authorities in support of Office 365’s and Microsoft Dynamics CRM Online’s strong privacy compliance features, clearly demonstrating again that Microsoft is engineering its cloud services with compliance in mind.

To date, we have written validation of our data processing approach from data protection authorities in France, Germany (Bavaria), Denmark, Ireland, Luxembourg, Malta, and Spain on our approach to the EU Model Clauses. These validations confirm that we help our customers meet their regulatory requirements regarding the transfer of personal data from the EU to jurisdictions that do not provide “adequate protection” for personal data.

An EU customer can move to Office 365 or Microsoft Dynamics CRM Online and comply with EU data protection requirements.

Microsoft offers the benefits and safeguards of the EU Model Clauses to all customers. Office 365 is a multi-tenant service, and Microsoft runs the service with the same privacy features, controls, and processes for all customers, even those customers that have opted out of the EU Model Clauses.