Microsoft 365 GDPR Compliancy

As IT managers, we are often asked about Microsoft 365 GDPR compliancy, GDPR being the General Data Protection Regulation, also referred to as the European Data Privacy Law. The short answer is yes: if you use Microsoft 365, you are able to comply with the GDPR. But what exactly do we mean by that?


Which standards does the GDPR stipulate?

The GDPR stipulates that organisations carry more accountability when it comes to the processing of personal data. For example, personal data may only be stored and used with the consent of the parties concerned, and organisations must take appropriate technical and organisational measures to safeguard the personal data that they have received. The GDPR stipulates, among other things, that you, as an organisation, may not share personal data with third parties without being asked to do so, that you may not keep personal data longer than deemed necessary, that you must be able to change or delete data if requested to do so, and that you are held liable in the event of a data breach.

A data breach occurs when someone gains unauthorised access to the data that is held by the organisation. This can be caused by, for example, an inattentive employee who inadvertently sends an email with privacy-sensitive attachments, an unsecured USB stick that is left lying around, or a break-in by hackers or malware. In order to prevent a data breach, files and data must be kept in a secure location: a place to which as few people as possible have access. It is also vital to know who has access to which data and how this data can be shared.


Where does Microsoft store Cloud files?

Cloud files are always stored somewhere in the world in one or more data centres. In countries such as the United States and China, different rules apply than in the European Union. In the US, the government can access corporate data much more easily than here in Europe. That is why it is important for European organisations that data is stored in a data centre within the European Union. Data belonging to Dutch Microsoft 365 customers is therefore stored by default in the Microsoft data centres in the EU. Microsoft guarantees that data is only stored in these locations.


Does Microsoft have access to your data?

The answer is no. Microsoft systems are set up in such a way that Microsoft employees do not have access to the data belonging to customers. Only in exceptional cases, and after obtaining special permission, can they access a limited amount of data for a limited period of time. Likewise, governments (such as the American and British) are only able to gain temporary access to a limited amount of data in exceptional cases and under strict conditions.


Securing files

Not only is it possible to control exactly who has access to specific data in Microsoft 365, it is also possible to see who has carried out certain operations, to see where data is located, and to classify files. Files can be encrypted, and an expiry date can be set after which the document is deleted automatically. The precise features depend on the subscription that is selected. A proper back-up is essential in order to prevent accidental deletion of data, which is also regarded as a data breach. Microsoft does not offer this service itself, but your IT manager is able to arrange this for you.


Safely share files and data in Microsoft 365

When files and data are shared, for example by email, you are dependent on the security of the medium you are using. Outlook 365 meets all applicable security standards. We recommend using an extra form of email security if your organisation works with special personal data, such as information about people’s health.


Compliance management in Microsoft 365

The Microsoft 365 subscriptions E3 and E5 provide you with access to advanced analysis and reporting tools designed to simplify compliance management. The management options are extremely wide-ranging.


Individual responsibility

Whether you, as an organisation, are GDPR compliant when using Office 365 depends on the security policy you implement and the manner in which you work with it. Microsoft offers the tools; as an organisation, you are responsible for their use and application.


Recommendations about Microsoft 365 GDPR compliancy

TinkConnect’s consultants offer advice and support in drawing up or implementing your security policy on Microsoft 365. We can be reached at +31 85 77 35 333 or email


About TinkConnect

TinkConnect is an IT partner specialising in the digital and physical security of Cloud services and corporate networks. We improve our customers’ information security by providing services such as Microsoft 365, Workplace Management, Secure Internet and Multi Factor Authentication. Our security services prevent unauthorised access and safeguard against any data loss. Moreover, by using our back-up, the legally required retention period for business administrative records can be met. In addition, we offer specialist legal and technological advice on the implementation of security standards stemming from the GDPR. Please feel free to contact us.

