What are Microsoft’s responsibilities?
Microsoft offers both standard and custom data protection options across its engineering and business groups. As part of these efforts, Microsoft conducts comprehensive privacy reviews of processing operations that may affect individuals’ rights and freedoms. Privacy teams embedded in each service group review the design and implementation of the service to ensure that personal data is processed respectfully and consistently with international law, user expectations, and Microsoft’s express commitments.
These privacy reviews tend to be detailed: a given service may be reviewed dozens or hundreds of times. Microsoft aggregates these in-depth privacy reviews into privacy impact assessments that cover larger groupings of processing, which are then reviewed by the Microsoft EU Data Protection Officer. The Data Protection Officer assesses the risks associated with the data processing to ensure that appropriate remedial measures are in place. If the Data Protection Officer finds unavoidable risks, recommendations are made to the engineering group. As privacy-related risks change, the privacy impact assessments are reviewed and updated.
In its role as data processor, Microsoft is obligated to support data controllers in fulfilling the data protection impact assessment (DPIA) requirements set out in the GDPR. To assist customers, the relevant sections of Microsoft’s DPIA summaries will be provided in this section in a future update, so that controllers using Microsoft services can draw on the summaries to create their own DPIAs.
The GDPR imposes a notification obligation on both data controllers and data processors for breaches of the protection of personal data. As a data processor, Microsoft helps its customers meet the GDPR breach notification requirements. Data controllers are responsible for assessing the privacy risks and for deciding whether individuals need to be notified of a data breach. Microsoft provides the information necessary for this assessment. For more information about how Microsoft detects and responds to a personal data breach, see GDPR data breach notification.
What constitutes a personal data breach under the GDPR?
Personal data is any information relating to an individual that can be used to directly or indirectly identify that individual. A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
What are your responsibilities as controller?
If a personal data breach occurs that potentially affects the rights and freedoms of individuals (e.g. discrimination, identity theft, fraud, financial loss, or damage to their reputation), the GDPR requires you to:
- Notify the appropriate data protection authority within 72 hours of becoming aware of the incident, for example after Microsoft has notified you. If you do not notify the data protection authority within this period, you must provide a statement explaining why. This notification to the data protection authority is required even if the risk to individuals is not high.
- Notify affected individuals of the breach without undue delay.
- Document the breach, including a description of its nature (for example, how many people and how many records were affected), the impact of the breach, and any remedial action your organization proposes to take.
What are Microsoft’s responsibilities as a processor?
Once Microsoft becomes aware of a personal data breach, the GDPR requires us to notify you without undue delay. When Microsoft acts as data processor, our obligations reflect both the GDPR requirements and our proprietary global standard contractual terms. In our view, this applies to all confirmed personal data breaches, regardless of the potential risk of harm. We inform our customers whether the personal data breach occurred at Microsoft itself or at one of our sub-processors. We have implemented processes that allow us to quickly identify and contact the people responsible for security incidents in your organization.