Change History for Microsoft Data Privacy Notice

• Why We Process Personal Data updated to include internal usage data.
• Workplace Security and Monitoring updated to include usage of badge scans for workplace analytics and corporate workplace policy compliance.

• Added Canada addendum.
• Updated EU and UK addendum to include Switzerland.
• Where We Store and Process Personal Data updated to include language regarding our liability for onward transfers.

• Covid-19 addendum removed.
• Where We Store and Process Personal Data language updated to reflect Data Privacy Framework.
• Workplace Security and Monitoring updated to include usage of badge scans for campus utilization trends.

• Remote working location included in the definition of employment detail.
• Equity and incentive compensation included in the definition of financial information.
• Workplace, Device, Usage, and Content data section has been updated to include additional context on the use of applications and technical data.
• Why We Process Personal Data updated to include space planning and allocation, administration of business applications and systems, whistleblowing procedures, and AI to facilitate certain features and experiences deployed on the Microsoft tenant.
• How and Why We Share Personal Data updated to include internal and external audits.
• Where We Store and Process Personal Data language regarding Privacy Shield Framework updated.
• EU and UK addendum updated with how to locate contact information of the controller of data.

• Added Employee Privacy Principles.

• Added California addendum.

• We have updated Why We Process Personal Data section to provide details for when data may be used for scientific research and what requirements must be met to enable this use.
• Specific reference made to processing of employee data to support Hybrid workplace and other facility and building management activities.

• Added China Privacy Notice addendum.

• With GIVE campaign going global we have updated Why We Process Personal Data section by adding information related to GIVE processing.
• Added addendum covering processing of personal data related to COVID-19 pandemic.

Per request of the Privacy Shield team at the U.S. Department of Commerce’s International Trade Administration (ITA), changes include a statement that:

• Swiss individuals have the right to complain to their relevant data protection supervisory authority;
• Microsoft is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), and binding arbitration, under certain conditions.

• Specific reference made to former employee data being in scope for the DPN.
• Inclusion of “data subject rights” as an example of Microsoft’s legal obligations to process data and specific reference to global diversity and inclusion initiatives as a legitimate business purpose for processing personal data.
• Specific reference to feedback and sentiment data as a category of personal data that Microsoft processes.
• Specific reference to the availability of Microsoft’s Model Clauses for data transfers from the EU to other countries and non-reliance on the EU-U.S. Privacy Shield Framework as a legal basis for personal data transfers in light of the Schrems II decision.
• Identification of the controllers of personal data in the EU and UK addendum.

• Gender, gender identity, parental and military status were included in the definition of demographic data.

• Specific reference made to the personal data of “guests” being in scope for the DPN.

We added 2 addenda:

• Learning and Skills Data Addendum
• Microsoft Data Program (MDP) Addendum

In Where we store and process personal data, we clarified that our commitment to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks extends to personal information received from the United Kingdom.

We published a new Global Data Employee, Candidate and External Staff Privacy Notice that brought together many privacy statements that historically covered groups separately (e.g. candidates, EU employees) and created one privacy notice to collectively address all audiences and also reflect employee DSR rights for the EU and Turkey.