DPIA of Microsoft 365: Danish Public Sector's ‘Umbrella’ Assessment

by Streamlex, 25 March 2025

This is part one of a two-part series examining Denmark’s comprehensive data protection assessments related to Microsoft 365. This article focuses on the Data Protection Impact Assessment (DPIA), while part two will cover the Transfer Impact Assessment (TIA), which evaluates international data transfers.


Background

In 2024, the Danish Economic Agency, in cooperation with the Danish IT Agency (Statens It) and other public authorities and with the assistance of Kammeradvokaten, completed an “umbrella” Data Protection Impact Assessment (DPIA) of Microsoft 365 under Article 35 of the GDPR.

The 115-page DPIA, along with its appendices, including a Transfer Impact Assessment (TIA), was recently made available on the Statens It website (in Danish) and serves as a valuable reference for companies completing similar assessments.

While the official document is available only in Danish, Streamlex is providing an unofficial machine translation in English for our readers. Please note that this translation has not been reviewed by a Danish speaker and may contain errors, inaccuracies, or omissions. For accuracy and legal certainty, always refer to the original document before making any decisions or taking action. The translated document is provided for informational purposes only and does not constitute legal advice. Streamlex assumes no responsibility for any consequences resulting from reliance on this translation.

Unofficial Translation - Microsoft 365 DPIA - Denmark - March 2025

Scope of the DPIA

The DPIA focuses on the processing of personal data by Danish public authorities (“Controllers”) when using selected Microsoft 365 applications and related cloud services. Specifically, it covers Word, Excel, Outlook, PowerPoint, Teams, and Office for the Web, along with Exchange Online, OneDrive for Business, SharePoint, Teams Online, and Entra ID (formerly Azure Active Directory).

The assessment is limited to cloud-based processing by users within the Controllers’ organizations. It does not include Microsoft AI tools (e.g. Copilot), Microsoft Unified Support, use of EDRMS systems, processing related to national security, or browser-specific analysis.

While the DPIA provides a general framework for the entire public sector, each Controller is expected to supplement it based on their own legal duties, data types, and internal procedures.

Data Controllers & Processors

  • Data Controllers: Danish public authorities and affiliated institutions (e.g. ministries, agencies, educational institutions) using Microsoft 365 under a shared framework agreement. Each Controller independently determines the purposes and means of data processing under GDPR Article 4(7). There is no joint controllership.
  • Data Processors:
    • Statens It: Acts as a data processor, managing the shared Microsoft 365 tenant and user access on behalf of the Controllers.
    • Microsoft Ireland: Primarily acts as a data processor under the Controllers’ instructions. May act as an independent data controller for its own use of pseudonymized diagnostic data, such as when aggregating usage data for internal business purposes.

[Figure: Microsoft controllership]

Key Risks Identified in the DPIA

The DPIA identifies four key risk areas related to Microsoft 365.

1. Lack of transparency in processing system-generated personal data of system users and handling data subject rights

Microsoft 365 generates extensive logs and metadata about user activity for operational and security purposes. However, users — including public sector employees — are often not informed about what specific personal data is collected, how it is processed, or how long it is retained.

This lack of transparency creates uncertainty for Controllers when responding to data subject rights requests under the GDPR, particularly access and erasure. If the logs are not clearly documented or interpretable, it may be difficult for Controllers to ensure full compliance with their obligations under Articles 12–15.

2. Non-compliance with the purpose limitation principle

The DPIA raises concerns that Microsoft may process personal data for purposes beyond those explicitly agreed upon in the data processing agreement. While Microsoft Ireland is designated as a data processor, some diagnostic and usage data may be reused for Microsoft’s own business purposes.

This could lead to a situation where personal data is processed for secondary purposes that are not transparent to the Controllers or the data subjects, posing a risk to the GDPR’s purpose limitation principle and the trustworthiness of the data processing framework.

3. Collection of Excessive Diagnostic Data & System-Generated Logs Contrary to Data Minimization

Microsoft 365 collects large volumes of diagnostic and telemetry data, some of which may include pseudonymized identifiers linked to individual users. Although this data supports security and performance monitoring, its scope may exceed what is strictly necessary for those purposes.

This raises concerns about compliance with the data minimization principle under Article 5(1)(c) of the GDPR. Without clear limitations and visibility into what is collected, Controllers may find it difficult to assess whether the amount and nature of data processing is proportionate.

4. Ineffective Anonymization of Aggregated Usage Data

Microsoft aggregates diagnostic and usage data for business analytics, claiming it is anonymized and no longer subject to the GDPR. However, the DPIA questions whether this anonymization is sufficiently robust and irreversible.

If the data can be re-identified — either through retained metadata or by combining datasets — it may still constitute personal data. This introduces risk for Controllers who rely on the assumption that Microsoft’s aggregated data falls outside the scope of data protection requirements.

Risk Ratings & Mitigation Measures

The DPIA assessed each risk and identified relevant mitigation measures, summarized in the figure below.

[Figure: summary of risk ratings and mitigation measures]

Overall Conclusion & Relevance for Companies

The DPIA concludes that public authorities can generally use Microsoft 365 in compliance with the GDPR, provided they implement the mitigating measures described. The overall residual risk to data subjects is assessed as low to medium, which is considered acceptable. No high residual risks were identified, and no consultation with the Danish Data Protection Agency was deemed necessary.

While the DPIA is tailored to public authorities, its findings are also highly relevant for private companies across the EU. Many of the identified risks — particularly those related to system-generated data, diagnostic logs, and Microsoft’s dual roles — are not unique to the public sector. Organizations in the private sector using Microsoft 365 face similar compliance challenges and can draw on the Danish approach as a reference for their own DPIAs.

In part two of this series, we will examine the findings of the Transfer Impact Assessment (TIA), which addresses data transfers to third countries when using Microsoft 365, and evaluates the sufficiency of legal safeguards such as Standard Contractual Clauses and technical security measures.
