Data Subject Requests and the GDPR and CCPA

The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents no matter where you or your enterprise are located. You can find more details in the GDPR Summary article.

Similarly, the California Consumer Privacy Act (CCPA) provides privacy rights and obligations to California consumers. These rights include rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information. The CCPA also provides for certain disclosures, protections against discrimination when electing to exercise those rights, and "opt-out/opt-in" requirements for certain data transfers classified as "sales". This document guides you to information on the completion of Data Subject Requests (DSRs) under the GDPR and CCPA using Microsoft products and services.

For GDPR terminology definitions, see General Data Protection Regulation. For information about Microsoft's role as a data processor, see Microsoft as data processor.

What is a DSR?

The General Data Protection Regulation (GDPR) gives rights to people (known in the regulation as data subjects) to manage the personal data that an employer or other type of agency or organization (known as the data controller or just controller) collects about them. The GDPR gives data subjects specific rights to their personal data. These rights include obtaining copies of their personal data, requesting changes to it, restricting the processing of it, deleting it, or receiving it in an electronic format so they can move it to another controller.

As a controller, you're obligated to promptly consider each DSR and provide a substantive response either by taking the requested action or by providing an explanation for why the DSR can't be accommodated by the controller. Consult with your own legal or compliance advisers regarding the proper disposition of any given DSR.

Several processes might be involved in completing a DSR, subject to your organization's GDPR-compliance rules.

  • Discover: Use search and discovery tools to more easily find customer data that might be the subject of a DSR. Once you collect potentially responsive documents, you can perform one or more of the DSR actions described in the following steps to respond to the request. Alternatively, you might determine that the request doesn't meet your organization's guidelines for responding to DSRs.
  • Access: Retrieve personal data that resides in the Microsoft cloud and, if requested, make a copy of it that the data subject can access.
  • Rectify: Make changes or implement other requested actions on the personal data, where applicable.
  • Restrict: Restrict the processing of personal data, either by removing licenses for various Azure services or turning off the desired services where possible. You can also remove data from the Microsoft cloud and retain it on-premises or at another location.
  • Delete: Permanently remove personal data that resided in the Microsoft cloud.
  • Export/Receive (Portability): Provide an electronic copy (in a machine-readable format) of personal data or personal information to the data subject.

Each section in the product-specific guides outlines the technical procedures that a data controller organization can take to respond to a DSR for personal data in the Microsoft cloud.

How to use the product-specific guides

Each product-specific guide consists of two parts:

  • Part 1: Responding to Data Subject Requests for Customer Data: Part 1 discusses how to access, rectify, restrict, delete, and export data from applications in which you authored data. This section details how to execute DSRs against both Customer Content and identifiable information of users.
  • Part 2: Responding to Data Subject Requests for System-Generated Logs: When you use Microsoft's enterprise services, Microsoft generates some information, known as System-Generated Logs, in order to provide the service. Part 2 discusses how to access, delete, and export such information.

Understand DSRs for Microsoft Entra ID and Microsoft service accounts

By using the Extended Directory Direct Token (EDDT), guest users within a tenant can initiate DSRs across multiple tenants. Any user-initiated DSRs execute against all the tenants where the user is authorized by the corresponding tenant administrator.

The same process also applies for Microsoft Service Accounts (MSA) within the context of services provided to an enterprise customer. Execution of a DSR against an MSA account associated with a Microsoft Entra tenant only pertains to data within the tenant. In addition, it's important to understand the following when handling MSA accounts within a tenant:

  • If an MSA user creates an Azure subscription, the subscription is handled as if it were a Microsoft Entra tenant. Consequently, DSRs are scoped within the tenant as described above.
  • If an Azure subscription created via an MSA account is deleted, it doesn't affect the actual MSA account. Again, as noted above, DSRs executing within the Azure subscription are limited to the scope of the tenant itself.

Users execute DSRs against an MSA account itself, outside a given tenant, via the Consumer Privacy Dashboard.

Specific DSR considerations

Insights generated by Microsoft products or services

Insights may be generated by services such as Viva Personal Insights. Office 365 includes online services that provide insights to users and organizations that use them. Data generated by these services might produce personal data relevant to a DSR. For details regarding service-specific DSR processes, see the following section.

DSRs for system-generated logs

Logs and related data that Microsoft generates might contain data that GDPR considers personal. You can't restrict or rectify data in system-generated logs. Data in system-generated logs consists of records of factual actions conducted within the Microsoft cloud and of diagnostic data. Modifying it would compromise the historical record of actions and increase fraud and security risks. Microsoft provides the ability to access, export, and delete system-generated logs that you might need to complete a DSR. Examples of such data include:

  • Product and service usage data such as user activity logs
  • User search requests and query data
  • Data generated by products and services that result from system functionality and interaction by users or other systems.

For more information about system-generated logs from a Data Subject Request (DSR) export, see Overview of system-generated logs from a Data Subject Request (DSR) export.

Viva Engage

Deleting a user's account doesn't remove system-generated logs for Viva Engage. To remove the data from this application, see one of the following resources:

National Clouds

In some national clouds, a global IT Administrator needs to delete system-generated logs.

Microsoft Services

If your organization or users engage with Microsoft to receive support related to Microsoft products and services, some of this data might contain personal data. For more information, see Microsoft Support and Professional Services Data Subject Requests for the GDPR.

Microsoft Controller Products

In some circumstances, your organization's users might access Microsoft products or services for which Microsoft is the data controller. In those cases, your users need to initiate their own DSRs directly to Microsoft, and Microsoft fulfills the requests directly to the user.

Third-party products

For third-party products and services accessed through Microsoft account authentication, direct any data subject requests to the applicable third party.
