by Streamlex 26 March 2025
This is the second part of our series analyzing the Danish public sector’s data protection assessments of Microsoft 365. Part one covered the Data Protection Impact Assessment (DPIA); this article focuses on the Transfer Impact Assessment (TIA), which specifically examines data transfers to third countries.
In 2024, the Danish Economic Agency, in cooperation with the Danish IT Agency (Statens It) and other public authorities, and with the assistance of Kammeradvokaten, published a Transfer Impact Assessment (TIA) as an appendix to the broader Microsoft 365 DPIA. The purpose of the TIA is to evaluate the legality of personal data transfers to third countries under the GDPR, particularly in the context of the Schrems II ruling.
The 99-page TIA has recently been made available on the Statens It website (in Danish) and serves as a valuable resource for companies completing similar assessments.
While the official document is available only in Danish, Streamlex is providing an unofficial machine translation in English for our readers. Please note that this translation has not been reviewed by a Danish speaker and may contain errors, inaccuracies, or omissions. For accuracy and legal certainty, always refer to the original document before making any decisions or taking action. The translated document is provided for informational purposes only and does not constitute legal advice. Streamlex assumes no responsibility for any consequences resulting from reliance on this translation.
Unofficial Translation - Microsoft 365 TIA - Denmark - March 2025
The TIA focuses on the processing of personal data by Danish public authorities (“Controllers”) when using selected Microsoft 365 applications and related cloud services. Specifically, it covers Word, Excel, Outlook, PowerPoint, Teams, and Office for the Web, along with Exchange Online, OneDrive for Business, SharePoint, Teams Online, and Entra ID (formerly Azure Active Directory).
The TIA confirms that Microsoft Ireland, as the data processor providing the services in scope of the assessment, commits to storing and processing personal data within the EU under its “EU Data Boundary” initiative. However, there are a considerable number of exceptions under which data may be accessed or transferred outside the EU. These include remote support by non-EU staff, customer-initiated transfers, diagnostic and service-related operations, identity management via Entra ID, and the use of Microsoft’s Professional Services systems.
A significant portion of the TIA is dedicated to assessing data transfers that fall outside the EU Data Boundary when Controllers use Microsoft 365 applications and services. While some transfers involve only pseudonymized data, others—such as support-related transfers—may include identifiable personal data, particularly in unresolved or escalated cases.
One of the key challenges in assessing these transfers is the absence of a definitive list of sub-processors and their jurisdictions. Microsoft’s sub-processors are based in several countries, including the United States, India, Israel, and China, making it difficult for Controllers to maintain a complete overview of data flows.
The TIA outlines the mechanisms for international data transfers used in Microsoft 365:
The TIA differentiates transfer risks per data category, as outlined in the table below.
The TIA details a range of supplementary measures applied to mitigate the identified risks, with some differences in the application of the measures per data category:
One key focus of the TIA is the potential for personal data to be accessed by authorities in third countries under foreign laws, such as the U.S. CLOUD Act. Microsoft Ireland’s original terms permitted disclosures based on applicable law, including non-EU legislation.
The Danish authorities negotiated a contractual clarification requiring Microsoft Ireland to follow EU law when responding to such requests. This provision is considered important for distinguishing between lawful, intentional transfers and disclosures that fall outside GDPR-compliant processing.
The TIA concludes that international data transfers related to Microsoft 365 can be lawfully carried out under the GDPR, provided the safeguards and contractual conditions described are in place.
Although developed for Danish public authorities, the assessment is highly relevant to private companies across the EU. Many organizations face similar challenges in mapping and evaluating Microsoft 365’s global data flows. The Danish TIA provides useful information for documenting transfer risks while applying a risk-based approach to data transfer requirements.
In an upcoming edition of the Streamlex Insights newsletter, we will explore two key aspects of this assessment in more detail: the “worst-case scenario” transfer risk methodology and the contractual amendment addressing third-country government access requests. Subscribe to stay informed.