Microsoft releases privacy aids for M365 and Copilot

With a new M365 Kit, updated Cloud Compendium, and DPIA templates, Microsoft aims to simplify GDPR documentation for companies.


Microsoft has released three new privacy aids for companies using Microsoft 365 and Copilot. The package includes the M365 Kit with sample templates for GDPR documentation, an updated Cloud Compendium, and customizable templates for Data Protection Impact Assessments (DPIAs). The M365 Kit was developed in consultation with the Bavarian State Office for Data Protection Supervision and the Hessian Commissioner for Data Protection and Information Security.

The new documentation aids aim to support companies in fulfilling their accountability obligations under the General Data Protection Regulation. Especially when using AI services like Microsoft 365 Copilot, those responsible face the challenge of documenting data processing in a legally compliant manner and being able to prove it during audits by data protection supervisory authorities.

The M365 Kit forms the core of the new privacy aids. It contains examples and sample texts for central building blocks of privacy documentation when using Microsoft 365 Copilot. Specifically, Microsoft provides templates for entries in the register of processing activities, threshold analyses for checking the need for a DPIA, legal bases for typical use cases, and privacy notices. The materials are linked on the website aka.ms/mit-sicherheit and companies can adapt them to their specific requirements.

Sebastian Dürdoth, Senior Corporate Counsel at Microsoft Germany, emphasizes: "With our new materials, companies have all the central building blocks at hand to document, for example, their data protection-compliant handling of personal data when using Microsoft 365 Copilot." The consultation with the data protection authorities in Bavaria and Hesse is intended to provide additional legal certainty.


As a second component, Microsoft has comprehensively updated the Cloud Compendium. The 26-page document answers frequently asked questions about the use of cloud services such as Microsoft 365 Copilot or Azure and places the answers within the legal and regulatory framework. It refers to applicable provisions and standards, so that companies are prepared for typical questions in compliance audits. The Compendium is available for download as a PDF and is aimed at IT managers and data protection officers.

The third pillar consists of customizable templates for Data Protection Impact Assessments according to Article 35 of the GDPR. Microsoft provides four separate sample documents: one DPIA template each for Office 365 and Microsoft 365 Copilot, in separate versions for corporate customers and public sector customers. The templates contain structured information for systematic risk assessment and cover different requirements and use cases. Companies can use these as a basis and adapt them to their specific data processing.

All materials are available for download in the Microsoft Service Trust Portal. Further information can be found in the Microsoft announcement.

(fo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.