A data processing impact assessment report commissioned by the Dutch government found that Microsoft breached the European privacy rules. According to the report, Microsoft collects and stores personal data regarding the behaviour of its users without any public documentation.

The report found that Microsoft collects data on a large scale regarding the individuals' use of its Office software Word, Excel, PowerPoint and Outlook. Said collection is carried out without providing any prior information, or offering any choice to opt-out, as well as the ability to see what data has been collected. Microsoft also records and stores individuals' use of connected services, such as translation services through the Office software. The report found that Microsoft collects up to 25,000 types of Office events, data that is made available to up to 30 engineering teams. In addition, according to the report, the telemetry data collection system sends the data of Dutch users to servers in the US, making it possible for the information to be seized or queried by US law enforcement.

Moreover, the report states that the qualification of Microsoft as data processor is incorrect. Since Microsoft determines the purposes of the processing and the means of the retention period of such data, Microsoft acts as a controller. This fact leads to the conclusion that government organisations that enable Microsoft to process personal data, are joint controllers with Microsoft.

In response to the report, Microsoft announced it is committed to submitting these changes for verification in April 2019 and that in the meantime, the company offers government administrators 'zero exhaust' settings, by which they can shut down the data collection.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.