

Data Subject Requests and the GDPR and CCPA

The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents no matter where you or your enterprise are located. You can find more details in the GDPR Summary article.

Similarly, the California Consumer Privacy Act (CCPA) provides privacy rights and obligations to California consumers. These rights include rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information. The CCPA also provides for certain disclosures, protections against discrimination when electing to exercise rights, and "opt-out/opt-in" requirements for certain data transfers classified as "sales". This document guides you to information on the completion of Data Subject Requests (DSRs) under the GDPR and CCPA using Microsoft products and services.

Terminology

Helpful definitions for GDPR terms used in this document:

  • Data Controller (Controller): A legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Personal data and data subject: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly.
  • Processor: A natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the controller.
  • Customer Data: Data produced and stored in the day-to-day operations of running your business.

What is a DSR?

The General Data Protection Regulation (GDPR) gives rights to people (known in the regulation as data subjects) to manage the personal data that an employer or other type of agency or organization (known as the data controller or just controller) collects about them. The GDPR gives data subjects specific rights to their personal data. These rights include obtaining copies of their personal data, requesting changes to it, restricting the processing of it, deleting it, or receiving it in an electronic format so they can move it to another controller.

As a controller, you're obligated to promptly consider each DSR and provide a substantive response either by taking the requested action or by providing an explanation for why the DSR can't be accommodated by the controller. Consult with your own legal or compliance advisers regarding the proper disposition of any given DSR.

Several processes might be involved in completing a DSR, subject to your organization's GDPR-compliance rules.

  • Discovery. The process of determining what data is needed to complete a DSR.
  • Access. Retrieval and potential transmission to the data subject of discovered information.
  • Rectify. Implementing corrections or other requested changes to personal data.
  • Restrict. Changing the access or processing of personal data by restricting access, or removing data from the Microsoft cloud.
  • Export. Providing a "structured, commonly used, machine-readable format" of personal data to the data subject, as provided by the GDPR's "right of data portability."
  • Delete. Permanent removal of personal data from the Microsoft cloud.

Specific DSR considerations

Insights generated by Microsoft products or services

Insights may be generated by services such as Viva Personal Insights. Office 365 includes online services that provide insights to users and organizations that use them. Data generated by these services might produce personal data relevant to a DSR. For details regarding service-specific DSR processes, see the following section.

DSRs for system-generated logs

Logs and related data that Microsoft generates might contain data that GDPR considers personal. You can't restrict or rectify data in system-generated logs. System-generated logs record factual actions conducted within the Microsoft cloud, together with diagnostic data. Modifications would compromise the historical record of actions and increase fraud and security risks. Microsoft provides the ability to access, export, and delete system-generated logs that you might need to complete a DSR. Examples of such data include:

  • Product and service usage data such as user activity logs
  • User search requests and query data
  • Data generated by products and services that result from system functionality and interaction by users or other systems.

For more information about system-generated logs from a Data Subject Request (DSR) export, see Overview of system-generated logs from a Data Subject Request (DSR) export.

Viva Engage

Deleting a user's account doesn't remove system-generated logs for Viva Engage. To remove the data from these applications, see one of the following resources:

National Clouds

In some national clouds, a global IT Administrator needs to delete system-generated logs.

Microsoft Services

If your organization or users engage with Microsoft to receive support related to Microsoft products and services, some of this data might contain personal data. For more information, see Microsoft Support and Professional Services Data Subject Requests for the GDPR.

Microsoft Controller Products

In some circumstances, your organization's users might access Microsoft products or services for which Microsoft is the data controller. In those cases, your users need to initiate their own DSRs directly to Microsoft, and Microsoft fulfills the requests directly to the user.

Third-party products

For third-party products and services accessed through Microsoft account authentication, direct any data subject requests to the applicable third party.

Data Subject Request admin tools
