What are the European Union (EU) Standard Contractual Clauses (also known as the "Model Clauses")?
Customers can comply with cross-border data transfer requirements from the EU’s Data Protection Directive and, after May
25, 2018, the EU General Data Protection Regulation (GDPR), by using the EU Model Clauses.
The Model Clauses, issued by the European Commission, contain provisions to ensure EU personal data is sufficiently protected
when transferred internationally and are a legal mechanism for legitimizing cross-border
Global cloud service providers offering enterprise-level service, availability, and performance, along with ancillary services
such as 24/7 customer and technical support, need flexibility to move personal data of
an EU customer to locations around the world in the course of providing the cloud service.
Microsoft has certified to the Department of Commerce that it adheres to the Privacy Shield Principles and relies on this
framework to legitimize cross-border data transfers of EU personal data.
How do I get the EU Model Clauses?
The EU Model Clauses are included in Microsoft’s Online Services Terms available to all customers. Customers do not need
to take any action to get the EU Model Clauses. Customers may opt out of the EU Model
Clauses by following the instructions in the Online Services Terms.
It’s important to note that the EU Model Clauses we offer are specifically designed to provide safeguards for data transfers
from controllers in the EU to data processors established outside the EEA. For the Online
Services, Microsoft is a data processor (or sub-processor) acting on our customer’s behalf
to process Customer Data, Support Data and Personal Data.
How do I compare Office 365 or Microsoft Dynamics CRM Online with competitors who do not offer the EU Model Clauses? What benefits or additional controls does Office 365 or Microsoft Dynamics CRM Online offer by virtue of offering to sign the EU Model Clauses?
By entering the EU Model Clauses as a data processor,
Microsoft assures customers they will remain in control of their data, and their data
will be processed in accordance with stringent data protection requirements.
The EU Model Clauses contain exacting data protection requirements which require cloud providers to handle Customer Data
in accordance with rigorous technical and organizational controls. To comply with the
EU Model Clauses, Microsoft has made (and continues to make)
significant engineering and operational investments to meet the privacy and security
requirements set forth in the EU Model Clauses. Our investments include engineering controls
and processes above and beyond those required in order to achieve ISO 27001 certification,
which we have achieved and are audited against each year. In addition, we are transparent
about our data processing activities. For example, we disclose our sub-processors and
share the technical and organizational security measures we take to protect Customer
Data. It is possible cloud service providers who do not offer the EU Model Clauses have
not implemented these controls and processes or have existing business practices that
prevent their compliance with these clauses.
Can an EU customer trust a cloud service provider who does not offer the EU Model Clauses?
The EU Model Clauses can give customers confidence that their data will be properly safeguarded. Unless a cloud service provider
is willing to agree to the EU Model Clauses, it may be difficult for a customer to trust
the cloud service provider’s data protection practices. The EU Model Clauses also help
cloud customers comply with the EU cross-border data transfer requirements. Indeed, the
Article 29 Working Party has emphasized the importance of establishing contractual safeguards
in the data controller–data processor (that is, the customer–cloud service provider)
relationship and has underscored the importance of the EU Model Clauses.
If a cloud service provider claims to encrypt data, does that eliminate the need to have that service provider sign the EU Model Clauses?
No. EU data protection authorities do not generally view encryption as an alternative to adequacy measures for cross-border
transfers of EU personal data.
How does a customer differentiate between cloud service providers when they both offer the EU Model Clauses?
Customers should understand if the cloud service provider enters the EU Model Clauses as a data controller or data processor.
Microsoft enters the EU Model Clauses as a data processor, assuring customers we only
process their data in accordance with their instructions.
If both cloud service providers agree to the EU Model Clauses as data processors, customers should consider the service provider’s
overall commitment to data privacy and security in addition to the EU Model Clauses.
Proactively working with national data protection authorities and the Article 29 Working
Party is evidence of such commitment and helps ensure that the service provider’s offering
meets the expectations of both customers and regulators.
How have EU data protection authorities responded to the Microsoft approach to the EU Model Clauses?
Microsoft has received many favorable reviews from European data protection authorities in support of Office 365’s and Microsoft
Dynamics CRM Online’s strong privacy compliance features, clearly demonstrating again
that Microsoft is engineering its cloud services with compliance in mind.
To date, we have written validation of our data processing approach from data protection authorities in France, Germany (Bavaria),
Denmark, Ireland, Luxembourg, Malta, and Spain on our approach to the EU Model Clauses.
These validations confirm that we help our customers meet their regulatory requirements
regarding the transfer of personal data from the EU to jurisdictions that do not provide
“adequate protection” for personal data.
An EU customer can move to Office 365 or Microsoft Dynamics CRM Online and comply with EU data protection requirements.
Do the privacy features, controls, and processes that Microsoft has implemented to offer the EU Model Clauses apply to all Office 365 customers, or do they apply only to customers that have not opted out of the EU Model Clauses?
Microsoft offers the benefits and safeguards of the EU Model Clauses to all customers. Office 365 is a multi-tenant service,
and Microsoft runs the service with the same privacy features, controls, and processes
for all customers, even those customers that have opted out of the EU Model Clauses.