Intune Data Subject Requests for the GDPR and CCPA

This guide discusses how to use Microsoft Intune products, services, and administrative tools to help controller customers find and act on personal data to respond to Data Subject Requests (DSRs).

For GDPR terminology definitions, see General Data Protection Regulation. For information about Microsoft's role as a data processor, see Microsoft as data processor.

For general DSR process information including the DSR lifecycle steps, how to use the product-specific guides, and how DSRs apply within Microsoft Entra ID tenants, see Data Subject Requests and the GDPR and CCPA.

How to use this guide

This guide consists of two parts:

  • Part 1: Responding to Data Subject Requests for Customer Data: Part 1 of this guide discusses how to access, rectify, restrict, delete, and export data from applications in which you have authored data. This section details how to execute DSRs against both Customer Content and identifiable information of users.
  • Part 2: Responding to Data Subject Requests for System-Generated Logs: When you use Microsoft's enterprise services, Microsoft generates some information, known as System-Generated Logs, in order to provide the service. Part 2 of this guide discusses how to access, delete, and export such information for Azure.

Understand DSRs for Microsoft Entra ID and Microsoft Intune

When you consider Microsoft Intune provided to an enterprise customer, execution of a DSR against an Intune account associated with a Microsoft Entra tenant only pertains to data within the tenant. In addition, understand the following when handling Intune accounts within a tenant:

  • If an Intune user creates an Azure subscription, the subscription is handled as if it were a Microsoft Entra tenant. So, DSRs are scoped within the tenant as described previously.
  • If an Azure subscription created via an Intune account is deleted, it will not affect the actual Intune account. Again, as noted previously, DSRs executing within the Azure subscription are limited to the scope of the tenant itself.

You execute DSRs against an Intune account itself, outside a given tenant, via the Consumer Privacy Dashboard. For further details, see the Windows Data Subject Request Guide.

Part 1: DSR Guide for Customer Data

Execute DSRs against Customer Data

Microsoft provides the ability to access, delete, and export certain Customer Data through the Azure portal and also directly via pre-existing application programming interfaces (APIs) or user interfaces (UIs) for specific services (also referred to as in-product experiences). Details regarding such in-product experiences are described in the respective services' reference documentation.

Important

Services that support in-product DSRs require direct usage of the service's application programming interface (API) or user interface (UI), describing applicable CRUD (create, read, update, delete) operations. So, you must execute DSRs within a given service in addition to execution of a DSR within the Azure portal to complete a full request for a given data subject. For further details, see the specific services' reference documentation.

Step 1: Discover

The first step in responding to a DSR is to find the personal data that is the subject of the request. This first step - finding and reviewing the personal data at issue - helps you determine whether a DSR meets your organization's requirements for honoring or declining a DSR. For example, after finding and reviewing the personal data at issue, you might determine the request doesn't meet your organization's requirements because fulfilling the request might adversely affect the rights and freedoms of others.

After you find the data, you can then perform the specific action to satisfy the request by the data subject. For details, see the following resources:

Step 2: Access

After you find Customer Data containing personal data that is potentially responsive to a DSR, you and your organization decide which data to provide to the data subject. You can provide them with a copy of the actual document, an appropriately redacted version, or a screenshot of the portions you deem appropriate to share. For each of these responses to an access request, you must retrieve a copy of the document or other item that contains the responsive data.

When you provide a copy to the data subject, you might need to remove or redact personal information about other data subjects and any confidential information.

The following sections explain how to get a copy of data in response to a DSR access request.

Microsoft Entra ID

Microsoft offers both a portal and in-product experiences that provide the enterprise customer's tenant administrator the capability to manage DSR access requests. DSR access requests allow for access to the personal data of the user, including: (a) identifiable information about a user and (b) system-generated logs.

Service-Specific Interfaces

Microsoft Intune provides the ability to discover Customer Data directly via user interfaces (UIs) or pre-existing application programming interfaces (APIs).

Step 3: Rectify

If a data subject asks you to rectify the personal data that resides in your organization's data, you and your organization determine whether it's appropriate to honor the request. Rectifying the data might include taking actions such as editing, redacting, or removing personal data from a document or other type of item.

As a data processor, Microsoft doesn't offer the ability to correct system-generated logs as they reflect factual activities and constitute a historical record of events within Microsoft services. With respect to Intune, admins can't update device or app-specific information. If a user wants to correct any personal data (like the device name), they must do so directly on their device. Such changes are synchronized the next time they connect to Intune.

Step 4: Restrict

Data subjects might request that you restrict processing of their personal data. We provide both the Azure portal and pre-existing application programming interfaces (APIs) or user interfaces (UIs). These experiences provide the enterprise customer's tenant administrator the capability to manage such DSRs through a combination of data export and data deletion. For details, see Processing personal data.

Step 5: Delete

The GDPR protects the "right to erasure" by requiring the removal of personal data from an organization's Customer Data. Removing personal data includes deleting all personal data and system-generated logs, except audit log information. For details, see Delete user personal data.

Part 2: System-Generated Logs

Audit logs give tenant admins a record of activities that generate a change in Microsoft Intune. Many management activities have audit logs. These logs typically include create, update (edit), delete, and assign actions. Admins can also review remote tasks that generate audit events. These audit logs might contain personal data from users whose devices are enrolled in Intune. Admins can't delete audit logs. For details, see Audit personal data.

Notify about exporting or deleting issues

If you run into issues while exporting or deleting data from the Azure portal, go to the Azure portal Help + Support blade. Submit a new ticket under Subscription Management > Privacy and compliance requests for Subscriptions > Privacy Blade and GDPR Requests.
