On September 15, 2021, Microsoft announced a new version of the Data Protection Addendum to comply with the EU Standard Contractual Clauses
Microsoft has set up and has changed and will maintain appropriate technical and organizational measures to protect Customer Data, Professional Services Data, and Personal Data from unintended or unlawful scenes such as loss, alteration, unauthorized disclosure, or access to personal data transmitted or stored.
The company will make that policy, as well as any information reasonably requested by the Customer about Microsoft security practices and procedures, available to the Customer.
The DPA (Data Protection Addendum) will enter into force soon to all customers involved in numerous license agreements (the biggest MS clients). This pattern is related to how the DPA was previously included in the Online Services Terms. Customers with volume license agreements do not need to take any action for the new DPA to apply to their data processing.
Microsoft has provided an essential update to the addendum that has been there for a long time, and it is the delta that we must take from this situation. It is well known that Microsoft has a privacy protection addendum that is widely applicable.
It's worth mentioning the following differences:
- Uniform DPA for products and services
These are support concerns that have been referred to a product engineering team by the standard support staff. Other non-standardized consulting and support services provided by Microsoft are also included.
- Data transfers under processor to processor standard contract clauses
The adoption of the new EU Standard Contractual Clauses as a mechanism for transferring Customer Data, Professional Services Data, and Personal Data to so-called insecure third countries was the principal cause for the DPA’s amendment and renewal.
- Additional safeguards now at DPA level
As a result, the scope of application of the extra protection is significantly expanded. The additional protections now apply to all personal data managed by Microsoft, not only transfers of personal data under the Standard Contractual Clauses.
- https://privacy.microsoft.com/de-de/updates (Information on the update itself)
- https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA?year=2021 (DPA)