Is Microsoft O365 GDPR Compliant? The Answer in Germany May Surprise You.



    Is Microsoft Office 365 GDPR compliant? It’s a question that has been debated for nearly two years by German data protection regulators and Microsoft. As it turns out, the answer may be surprising.

    In a report published last week, the Datenschutzkonferenz (DSK), Germany’s data protection supervisory agency, essentially stated that public organisations in Germany cannot currently use Microsoft Office 365 in a lawfully compliant way under the GDPR. Shortly following this announcement, Germany banned the use of Microsoft 365 in schools.

    DSK’s Finding: Microsoft Office 365 Isn’t Compliant with GDPR

    There are three main reasons why the DSK has reported that Microsoft Office 365 “remains in breach” of GDPR:

    • Uncertainties exist where Microsoft acts as a data processor and data controller.
    • The report found that “many of the services included in Microsoft 365 require Microsoft to access the unencrypted, non-pseudonymized data.”
    • The report brings into question the sovereignty of EU data flowing through Microsoft 365, and whether unencrypted personal information truly remains in the EU at all times. The DSK claims it is “not possible to use Microsoft 365 without transferring personal data to the USA.”

    The ambiguity of Microsoft’s practices underscores the DSK’s assessment that Microsoft Office 365 cannot meet GDPR controller obligations.

    So, what should EU-based Microsoft users do now?

    GDPR Compliance Options for Microsoft Users in the EU

    While not stated in law, this ruling will create ripples through the supply chain—from consumers to business partners and suppliers seeking assurance that their data is not being passed to Microsoft, or being stored or transmitted through the United States in such a way that breaches GDPR compliance.

    Thus, there are two things organisations must now do as a result of the ruling:

    1. Consider moving off of Microsoft Office 365 to Google Workspace or other cloud collaboration services compliant with GDPR
    2. Stay on Microsoft Office 365 and investigate end-to-end encryption solutions where sensitive or personally identifiable data is protected from the moment it is created, adding a layer of security to make GDPR compliance possible in Office 365

    Affordable, Easy Encryption to Support GDPR Compliance in Microsoft 365

    Virtru is a remarkably simple way for Microsoft users to protect access to sensitive data for compliance with GDPR.

    Our end-to-end Microsoft encryption and access controls are embedded where users already work (in this case, directly within the Outlook interface), allowing sensitive data to be protected quickly and easily at the point of collection and throughout its lifecycle.

    With a seamless web-based recipient experience and many deployments up and running in less than a day, organisations can act fast to protect their data, without disrupting their normal business workflows.

    For the strongest data sovereignty and security, you also have the option to host your own encryption keys, which helps ensure that no third party can access your private data.

    At a time when there is increasing confusion on what access Microsoft might have to your data, Virtru cuts through the noise to provide clarity and ensures that you, and only you, can always control who can access your organisation’s sensitive information. 

    Ready to take the next step to strengthen data sovereignty and security? Contact our team to start the conversation.  

    Editorial Team


    The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.
