Background

In 2024, the Danish Economic Agency in cooperation with the Danish IT Agency (Statens It), and other public authorities, and with the assistance of Kammeradvokaten, published a Transfer Impact Assessment (TIA) as an appendix to the broader Microsoft 365 DPIA. The purpose of the TIA is to evaluate the legality of personal data transfers to third countries under the GDPR, particularly in the context of the Schrems II ruling.

The 99-page TIA has been recently made available on the Statens It website (in Danish) and serves as a valuable resource to draw inspiration for companies completing similar assessments.

While the official document is available only in Danish, Streamlex is providing an unofficial machine translation in English for our readers. Please note that this translation has not been reviewed by a Danish speaker and may contain errors, inaccuracies, or omissions. For accuracy and legal certainty, always refer to the original document before making any decisions or taking action. The translated document is provided for informational purposes only and does not constitute legal advice. Streamlex assumes no responsibility for any consequences resulting from reliance on this translation.

Scope of the TIA and the EU Data Boundary

The TIA focuses on the processing of personal data by Danish public authorities (“Controllers”) when using selected Microsoft 365 applications and related cloud services. Specifically, it covers Word, Excel, Outlook, PowerPoint, Teams, and Office for the Web, along with Exchange Online, OneDrive for Business, SharePoint, Teams Online, and Entra ID (formerly Azure Active Directory).

The TIA confirms that Microsoft Ireland, as data processor providing the services in scope of the assessment, commits to storing and processing personal data within the EU under its “EU Data Boundary” initiative. However, there are a considerable number of exceptions where data may be accessed or transferred outside the EU. These include remote support by non-EU staff, customer-initiated transfers, diagnostic and service-related operations, identity management via Entra ID, and the use of Microsoft’s Professional Services systems.

Data Transfers in Connection with Service Provision

A significant portion of the TIA is dedicated to assessing data transfers that fall outside the EU Data Boundary when Controllers use Microsoft 365 applications and services. While some transfers involve only pseudonymized data, others—such as support-related transfers—may include identifiable personal data, particularly in unresolved or escalated cases.

One of the key challenges in assessing these transfers is the absence of a definitive list of sub-processors and their jurisdictions. Microsoft’s sub-processors are based in several countries, including the United States, India, Israel, and China, making it difficult for Controllers to maintain a complete overview of data flows.

Transfer Bases: Adequacy, SCCs, and the DPF

The TIA outlines the mechanisms for international data transfers used in Microsoft 365:

• Transfers to countries with an EU adequacy decision (e.g. Israel)
• Transfers to Microsoft Corporation (US) certified under the EU-U.S. Data Privacy Framework (DPF)
• Transfers to U.S. sub-processors not DPF-certified are based on Standard Contractual Clauses (SCCs), supplemented by technical, contractual, and organizational measures.
• Transfers to other third countries without adequacy decisions are also based on SCCs, with the supplementary measures identified in the course of the TIA via a so-called “worst case scenario” assessment.

Overview of Risks and Supplementary Measures

The TIA differentiates transfer risks per data category, as outlined in the table below.

The TIA details a range of supplementary measures applied to mitigate the identified risks, with some differences in the application of the measures per data category:

• Technical: Encryption in transit and at rest, pseudonymization, secure admin workstations (SAWs), virtual desktop infrastructure (VDI), Customer Lockbox
• Organizational: Role-based access control, just-in-time access approval, mandatory staff training, internal audit mechanisms
• Contractual: Contractual commitments to EU law, transparency in law enforcement requests, obligations to challenge unlawful data access demands

Data Transfers in Connection with Third-Country Authority Requests

One key focus of the TIA is the potential for personal data to be accessed by authorities in third countries under foreign laws, such as the U.S. CLOUD Act. Microsoft Ireland’s original terms permitted disclosures based on applicable law, including non-EU legislation.

The Danish authorities negotiated a contractual clarification requiring Microsoft Ireland to follow EU law when responding to such requests. This provision is considered important for distinguishing between lawful, intentional transfers and those falling outside GDPR-compliant processing.

Conclusion and Relevance for Companies

The TIA concludes that international data transfers related to Microsoft 365 can be lawfully carried out under the GDPR, provided the safeguards and contractual conditions described are in place.

Although developed for Danish public authorities, the assessment is highly relevant to private companies across the EU. Many organizations face similar challenges in mapping and evaluating Microsoft 365’s global data flows. The Danish TIA provides useful information for documenting transfer risks while applying a risk-based approach to data transfer requirements.

In an upcoming edition of Streamlex Insights newsletter, we will explore two key aspects of this assessment in more detail: the “worst-case scenario” transfer risk methodology and the contractual amendment addressing third-country government access requests. Subscribe to stay informed.