Back in November, Microsoft announced that it is updating the privacy provisions in the Microsoft Online Services Terms (OST) for commercial cloud customers. Microsoft today announced that this OST change is now available to all its commercial customers globally – public sector and private sector, large enterprises and small and medium businesses. Microsoft believes that the change will bring more transparency for customers over data processed in the Microsoft cloud.
In the OST update, Microsoft has made the following changes:
- Microsoft will clarify that Microsoft assumes the role of data controller when it process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combatting cyberattacks on any Microsoft product or service; and complying with our legal obligations.
- The change to assert Microsoft as the controller for this specific set of data uses will serve our customers by providing further clarity about how we use data, and about our commitment to be accountable under GDPR to ensure that the data is handled in a compliant way.
- Meanwhile, Microsoft will remain the data processor for providing the services, improving and addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date.
“We remain committed to listening closely to our customers’ needs and concerns regarding privacy. Whenever customer questions arise, we stand ready to focus our engineering, legal and business resources on implementing measures that our customers require. At Microsoft, this is part of our mission to empower every individual and organization on the planet to achieve more,” wrote Julie Brill, Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer, Microsoft.