European Union Model Clauses

European Union Model Clauses overview

European Union (EU) data protection law regulates the transfer of EU customer personal data to countries outside the European Economic Area (EEA), which includes all EU countries and Iceland, Liechtenstein, and Norway. On a practical level, compliance with EU data protection laws also means that customers need fewer approvals from individual authorities to transfer personal data outside of the EU, since most EU member states don't require additional authorization if the transfer is based on an agreement that complies with the Model Clauses.

Microsoft and European Union Model Clauses

The European Union (EU) General Data Protection Regulation (GDPR) regulates the transfer of customer personal data to countries outside the European Economic Area (EEA), which includes all EU countries and Iceland, Liechtenstein, and Norway. Microsoft offers customers the EU Standard Contractual Clauses (SCC) (also known as EU Model Clauses) that provide specific guarantees around transfers of personal data for in-scope services. The EU Model Clauses are used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the EEA will be transferred in compliance with the GDPR.

In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield Framework for transfers of personal data from the EU to the United States. However, the EU Model Clauses continue to provide a valid mechanism for the transfer of personal data from the EU and EEA, as well as from Switzerland and the United Kingdom. Microsoft makes the EU Model Clauses available to customers as described in the Microsoft Online Services Terms (OST) Data Protection Addendum (DPA).

Microsoft in-scope cloud platforms & services

  • Azure and Azure Government
  • Azure DevOps Services
  • Dynamics 365
  • Intune: Cloud service portion of the Intune Add-on Product and Mobile Device Management for Office 365
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Endpoint for the following cloud service portions: Endpoint Detection & Response, Automatic Investigation & Remediation, Secure Score.
  • Microsoft Professional Services: Premier and On Premises for Azure, Dynamics 365, Intune, and for Medium Business and Enterprise customers of Microsoft 365 for business
  • Office 365
  • Power Automate (formerly Microsoft Flow) cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite

Office 365 and European Union Model Clauses

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
Commercial Advanced Threat Protection, Microsoft Entra ID, Azure Information Protection, Bookings, Compliance Manager, Delve, Exchange Online, Exchange Online Protection, Forms, Kaizala, Microsoft Analytics, Microsoft Booking, Microsoft Graph, Microsoft Teams, Microsoft To-Do for Web, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Cloud App Security, Office 365 Groups, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, StaffHub, Stream, Sway, Viva Engage

Audits, reports, and certificates

Microsoft continually assesses the EU standards, and updates its services as needed.

Frequently asked questions

Why is compliance with the Model Clauses important?

A service provider that commits contractually to the Model Clauses gives its customers assurance that personal data will be transferred and processed in compliance with EU data protection law. Use of the Model Clauses also means that customers need to get fewer approvals from individual data-protection authorities to transfer personal data outside the EU.

Where can I see compliance information for Microsoft services?

Compliance is a contractual commitment. Microsoft Standard Contractual Clauses are available to all cloud customers in the Online Services Terms; for other services, see your existing agreement with Microsoft.

What is a 'sub-processor'?

A sub-processor is someone who processes personal data following the data controller's instructions, and the terms of the EU Model Clauses and the subcontract. Microsoft customers—independent software vendors (ISVs), in particular, are sometimes themselves data processors. In those instances, Microsoft is the sub-processor.

Where do I start with my own organization's compliance efforts?

You can enter an agreement such, as the Online Services Terms, or explore amending your existing agreement to incorporate the Standard Contractual Clauses.

Resources