Microsoft US retrieves, pseudonymises and aggregates

Transferred to Microsoft USA but expected to change by end of 2022, as can be seen in the public announcement on the ‘EU Data Boundary for the Microsoft Cloud’

Transferred to Microsoft USA but expected to change by end of 2022, as can be seen in the public announcement on the ‘EU Data Boundary for the Microsoft Cloud’

Transferred to Microsoft USA but expected to change by end of 2022, as can be seen in the public announcement on the ‘EU Data Boundary for the Microsoft Cloud’

Transferred to Microsoft USA but expected to change by end of 2022, as can be seen in the public announcement on the ‘EU Data Boundary for the Microsoft Cloud’

ILA, uses Standard Contractual Clauses 2010/87/EU (Controller to Processor) . Data exporter for the transfers which take place under the ILA is the processor (Microsoft Ireland Operations Ltd.) and the data importer the sub-processor (Microsoft Corp.). Onward transfers from Microsoft Corp. to sub- processors use adequacy decisions or other agreements #. DIGIT and Microsoft are amending the ILA to reflect the introduction of the new SCCs

DPA allows MS Ireland to process for some authorised purposes

Additional technical measures: Strong encryption in transit and at rest. Communications between Microsoft’s servers take place over TLS (Transport Layer Security) or IPSec worldwide

Microsoft is not under any specific legal obligation to decrypt any information prior to its disclosure to the US authorities.

the transfer of the personal data concerned to the United States is effectively subject to appropriate safeguards

Public announcement on the ‘EU Data Boundary for the Microsoft Cloud’

The processing data for Microsoft’s business operations 1, 2, 3, 5 and 6, Microsoft de-identifies the data (generally by relying on aggregated statistical data based on data containing pseudonymous identifiers)