Microsoft Global Data Privacy Notice for Employees, External Staff, Candidates and Guests

Your privacy is important to Microsoft (“we”, “us”, “our” or “Microsoft”). We respect the privacy rights of all individuals and we are committed to handling personal data responsibly and in accordance with applicable laws and Employee Privacy Principles. This privacy notice, together with the Addenda and other notices provided at the time of data collection, explain what personal data Microsoft collects about you, how we use this personal data, and your rights to this personal data.

Please note that this privacy notice applies to the handling of your personal data as an employee, former employee, candidate, guest, or as external staff. (“External staff” are workers who are not employed by Microsoft and who have access to Microsoft’s facilities and/or Microsoft’s corporate network. This could include agency temporary workers, outsourced staff, contractors, and business guests.) Microsoft has additional governance and privacy requirements concerning the collection and uses of personal data.

This notice does not cover your use of Microsoft consumer products as a consumer, or outside of your employment or assignment with Microsoft. Microsoft consumer products may include services, websites, apps, software, servers, and devices. To learn more about Microsoft’s data collection practices that cover your use of Microsoft products as a consumer, please read our Microsoft Privacy Statement.

This notice is not intended and shall not be read to create any express or implied promise or contract for employment, for any benefit, or for specific treatment in specific situations. Nothing in this notice should be construed to interfere with Microsoft’s ability to process employee data for purposes of complying with our legal obligations, or for investigating alleged misconduct or violations of company policy or law, subject to compliance with local legal requirements.

Microsoft's processing of personal data is in all cases subject to the requirements of applicable local law, internal policy, and where applicable or appropriate, any consultation requirements with worker representatives. To the extent this notice conflicts with local law in your jurisdictions, local law controls.

We collect, use, and store (collectively “process”) different types of personal data about you in in the operation of our business. If you are an employee, we process personal data about you (and your dependents, beneficiaries and other individuals associated with your employment) primarily for managing our employment relationship with you and managing your interactions with workplace facilities/information systems. If you are a former employee, we process personal data about you primarily for legal compliance. If you are external staff, the type of personal data we process is limited to what we need to manage your engagement with Microsoft and access to Microsoft facilities and information systems. If you are a candidate, the type of personal data we process is generally limited to what we need to engage with you about Microsoft career opportunities, consideration of your application for employment to specific roles at Microsoft, including candidate screening, interview scheduling and management, lawful background screening, and to on-board you at Microsoft if you receive and accept an offer of employment with us.

The personal data we process can include, but is not limited to, the following:

Name and contact data. Your first and last name, employee identification number, email address, mailing address, phone number, photo, beneficiary and emergency contact details, and other similar contact data. Additionally, you may opt to provide Microsoft with additional contact information such as personal email address(es) and/or cell phone number(s).

Demographic data. Your date of birth and gender as well as more sensitive personal data (also known as special category data) including information relating to racial and ethnic origin, religious, political or philosophical beliefs, trade union membership or information about your health, disabilities, sexual orientation, gender identity, and transgender status. We may also ask about your parental status and military status.

We process this personal data for a variety of reasons, and this will vary in our different jurisdictions. Our reasons for processing this data include:

1. Where it is necessary to comply with local requirements and applicable law. For example, we may use this information to comply with anti-discrimination laws and government reporting obligations;
2. To monitor and ensure diversity and equal treatment and opportunity;
3. To provide work related accommodations or adjustments, to provide health and insurance benefits to you and to your dependents, and to manage absences from work.

Where the processing of this personal data is not required by law, we will seek your consent to process your data and, in the consent mechanism, we will explain the purposes for which we will use your data. This will be voluntary, and you may decide whether or not to give consent.

National identifiers. Your national ID/passport, citizenship status, residency and work permit status, social security number, or other taxpayer/government identification number.

Employment details. Your job title/position, office location, employment contract, offer letter, hire date, termination date, performance history and disciplinary records, training records, leave of absence, sick time, and vacation/holiday records.

Spouse’s/partner’s and dependents’ information. Your spouse and dependents’ first and last names, dates of birth, and contact details.

Background information. Your academic and professional qualifications, education, CV/Resume, credit history and criminal records data (utilized for background screening and vetting purposes where permissible and in accordance with applicable law and consultation requirements).

Video, voice and image. We may collect and use your video, voice and image data, subject to the requirements of local law, internal policy, and any consultation requirements with worker representatives (where appropriate).

Financial information. Your bank account details, tax information, salary, retirement account information, company allowances and other information necessary to administer payroll, taxes and benefits.

Learning and Skills Data. As described in the Learning and Skills Data Addendum.

Feedback and sentiment data. Your responses to employee listening surveys such as Employee Signals and Daily Pulse and feedback collected about managers and co-workers via tools like Manager Feedback and Perspectives.

Workplace, Device, Usage, and Content data. Application data (such as data from Office 365, Teams, Outlook, or internal business processes) including emails sent and received, calendar entries, to-do items, instant messages, building and information system access, Microsoft devices, system and application usage (including telemetry) when accessing and using Microsoft corporate buildings and assets. Please note, more information about the specific types of data Microsoft may use for product improvement purposes can be found in several resources, including the Microsoft Data Program (MDP) addendum to this DPN. We may also collect personal data about you from third parties or public sources as needed to support the employment relationship or to engage with you concerning job opportunities at Microsoft. For example, before and during your employment or assignment with Microsoft, we may collect information from public professional networking sources, such as your LinkedIn profile, for recruitment purposes. We also may conduct lawful background screenings, to the extent permitted by law, through a third-party vendor for information about your past education, employment, credit and/or criminal history. In the event of a natural disaster or other life/safety emergency, we may rely on public social media posts or other public sources to account for employees if otherwise unable to contact them. Additionally, if there is an investigation of an incident involving employees, we may obtain information relevant to the incident from external sources including private parties, law enforcement or news sources and public social media posts.

We collect your personal data for the purposes set out below. Failure to provide your personal data when requested may prevent us from being able to carry out these tasks and/or comply with our legal obligations.

1. To administer your employment contract, offer letter or other commitments we have made to you.

We collect and use your personal data primarily for the purposes of managing our employment or working relationship with you, and to fulfill our obligations under your employment contract, or applicable Microsoft policies, including on-boarding, payroll, benefits administration, pension and retirement administration, managing vacation and other types of leave, tax reporting, and the like. A few examples include: your employment contract, your offer letter (e.g., so we can on-board you), promotion history and performance reviews (e.g., so we can manage our employment relationship with you), and your bank account and salary details (e.g., so we can pay you or provide HR benefits).

2. Other overriding and legitimate business purposes

We also may collect and use your personal data when it is necessary for other legitimate purposes, such as general HR administration, maintaining our global directory of employees and external staff, general business management and operations, disclosures for auditing and reporting purposes, measuring employee sentiment, internal investigations, management of network and information systems security, business operations, security, life safety and building management, provision and improvement of employee services and facilities, physical security and cybersecurity, data protection, for global diversity and inclusion initiatives, to protect the life and safety of employees and others and in connection with the sale, assignment or other transfer of all or part of our business. We also use business data and other workplace usage, device and content data for organizational and individual analytics and data insight purposes to improve Microsoft business operations, manager capability, and the employee experience. We may also use special applications and systems that record employee performance metrics, such as sales related or code databases for business operations purposes as well as for the purposes of reviewing, rewarding and coaching employees on their performance and for administration and assessment of training. We may also process your personal data to investigate potential violations of law or violations of our internal policies.

Additionally, we may process your personal data to conduct scientific research, without your additional consent, when viewed as in the public interest and/or where there is a clear attempt for contributions to generalizable knowledge. In these cases, we will ensure appropriate technical and organizational controls are in place to protect your personal data, such as anonymizing and aggregating data to help protect your identity, ensuring use of your personal data is subject to our privacy standards and conducting ethics and compliance reviews prior to using your personal data.

3. Legally required purposes

We may also use your personal data when necessary to comply with laws and regulations, including collecting and disclosing personal data as required by law (e.g., for minimum wage, working time, tax, health and safety, anti-discrimination laws, global migration, and data subject rights), under judicial authorization, or to exercise or defend Microsoft’s legal rights.

4. Other uses of your data (where permissible and in accordance with applicable laws and consultation requirements)

We also may collect your internal usage data of Microsoft products, services and internal applications and tools, including business data created by employees and external staff, to measure and improve these products and for product research including human and machine review of data to train AI models and improve machine learning for Microsoft products and services. Where required by law, we will seek your consent for such usage; and where your consent is sought, we will ensure your consent is informed, voluntary, and that you suffer no adverse consequence from any decision to withhold or revoke your consent.

For eligible employees (i.e., part or full-time employees, interns, apprentices, or visiting researchers) who enroll in Microsoft Give, with your consent, we collect and use your personal data to enable voluntary personal donations of money, Microsoft products, or volunteer hours to eligible organizations (i.e., certain non-profits or non-governmental organizations). Give is a voluntary benefit program from which participants can opt-out and revoke their consent at any time; however, opt-outs and revocations do not affect previous processing of personal data. Further information on Microsoft Give is available here.

Microsoft will only share your personal data with those who have a legitimate business need for it. Whenever we permit a third party to access your personal data, we will ensure the personal data is used in a manner consistent with this privacy notice (and any applicable internal data handling guidelines consistent with the sensitivity and classification of the personal data). Your personal data may be shared with our subsidiaries and affiliates and other third parties, including service providers, for the following legitimate purposes:

1. In order to carry out the purposes of our personal data processing as described above (see section titled: “Why We Process Personal Data”);

2. To enable third parties to provide services on behalf of Microsoft. Third party data recipients include financial investment service providers, insurance providers, pension administrators and other benefits providers, childcare providers, payroll support services, relocation, tax and travel management services, health and safety experts, facility management, legal service providers, and security services;

3. To comply with our legal obligations, regulations, government clearances, or contracts, or to respond to data subject rights, a court order, administrative or judicial process, such as a subpoena, government audit or search warrant. Categories of recipients would include counterparties to contracts, judicial and governmental bodies;

4. In response to lawful requests by public authorities (such as regulatory bodies, law enforcement authorities, and national security organizations);

5. To seek legal advice from external lawyers and advice from other professionals such as accountants, management consultants, etc.;

6. As necessary to establish, exercise or defend against potential, threatened or actual litigation;

7. Where necessary to protect Microsoft, your vital interests, such as safety and security, or the vital interests of other persons;

8. In connection with the sale, assignment or other transfer of all or part of our business (such as a potential purchaser and its legal/professional advisers); or

9. Otherwise in accordance with your consent.

Please note that where legal requirements limit the sharing of your personal data, Microsoft will respect such requirements.

In some regions, you may have certain rights under applicable data protection laws (such as the European Union and United Kingdom General Data Protection Regulation). Please see the Addendum to this notice for additional information by region/country.

Site pages may use cookies (small text files placed on your device). Cookies and similar technologies allow us to store and honor your preferences and settings; enable you to sign-in; combat fraud; and analyze how our websites and online services are performing.

We also use “web beacons” to help deliver cookies and gather usage and performance data. Our websites may include web beacons, and cookies, or similar technologies from third-party service providers.

You have a variety of tools to control the data collected by cookies, web beacons and similar technologies. For example, you can use controls in your internet browser to limit how the websites you visit are able to use cookies and to withdraw your consent by clearing or blocking cookies.

Microsoft monitors its IT and communications systems through automated tools such as network authentication and wireless connectivity hardware and software, anti-malware software, website filtering and spam filtering software, security software for cloud-based applications, access and transaction logging, and mobile device management solutions. The primary purpose of this monitoring is Microsoft’s legitimate interests in protecting its employees, customers, and business partners. For example:

1. For systems, applications, and network security, including in particular the security of Microsoft’s IT systems and assets, and the safety and security of its employees, external staff and other third parties;
2. For network and device management and support;
3. For proof of business transactions and recordkeeping;
4. For the protection of confidential information and company assets;
5. For investigating wrongful acts or potential violations of company policy; and
6. For other legitimate business purposes as permitted under applicable law.

We also monitor our offices, and other workplace facilities, through video monitoring such as closed-circuit television (“CCTV”) and badge scans for security, life safety and building management purposes. CCTV is primarily used at office entrance and exit points, elevator lobbies, rooms where there may be valuable equipment, such as server rooms, and in other select areas with a high risk for theft or with highly sensitive assets. CCTV is not used in private spaces such as restrooms, new mothers’ rooms or locker rooms. Nor is it used to monitor employee workstations for performance reasons.

You should be aware that any message, files, data, document, facsimile, audio/video, social media post or instant message communications, or any other types of information transmitted to, through or from, received or printed from, or created, stored or recorded on our IT and communications systems and assets (included via the use of personal devices accessing corporate IT systems), are presumed to be business-related and may be monitored or accessed by us in accordance with applicable law and workplace agreements (such as works council agreements), and subject to Microsoft’s own policies on access to and uses of such data.

Microsoft operates globally and therefore personal data may need to be transferred to countries outside of where the personal data was originally collected. For example, because we are headquartered in the United States, personal data collected in other countries is routinely transferred to the United States for processing. When we transfer your personal data to a different country, we will ensure that this transfer complies with applicable laws and legislation. Microsoft relies upon terms, including those outlined in the Standard Contractual Clauses, for the collection, use, retention and transfer of personal data from the European Union and United Kingdom to other countries. Microsoft complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States.

To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov. If you have a question or complaint related to participation by Microsoft in the EU-U.S. or Swiss-U.S. Privacy Shield, we encourage you to contact us via our web form.

Please contact us if you would like us to direct you to your data protection authority contacts. Binding arbitration is available to address residual complaints not resolved by other means. Microsoft is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

For copies of additional privacy documents mentioned in this privacy notice, or if you have a privacy concern or question related to this privacy notice, please contact AskHR@microsoft.com.

Our address is:

HR Privacy

Microsoft Corporation

One Microsoft Way

Redmond, Washington 98052 USA

Telephone: (+1) 425-882-8080.

Last updated: June 2021

European Union and United Kingdom: Your Data Subject Rights

In addition to the information shared in the privacy notice, EU and UK employees, external staff and candidates (including individuals working in the EU and UK, or in some circumstances individuals who normally reside in the EU and UK who are working abroad) may have certain rights under applicable data protection laws, including the EU and UK General Data Protection Regulation (collectively, the “GDPR”) and local laws implementing or supplementing the GDPR, including the rights to:

1. Request access to and obtain a copy of your personal data;
2. Request rectification (or correction) of inaccurate personal data you have provided;
3. Request erasure (or deletion) of personal data that is no longer necessary to fulfill the purposes for which it was collected, or does not need to be retained by Microsoft for other legitimate purposes;
4. Restrict or object to the processing of your personal data; and
5. If applicable, request your personal data be ported (transferred) to another company.

Application of the above rights may vary depending on the type of personal data involved, and Microsoft’s particular basis for processing the personal data.

To make a request to exercise one of the above rights, please contact AskHR@microsoft.com. We will consider and act upon any requests in accordance with applicable data protection laws. Please note that we may request certain information from you to enable us to confirm your identity. We may, in limited circumstances, charge you a reasonable fee for administrative costs in relation to responding to your request; however, we will advise you of any fee in advance.

If we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before withdrawal of consent.

EU and UK employees, external staff and candidates (including individuals working in the EU and UK, or individuals who normally reside in the EU and UK who are working abroad) may also direct questions about how we handle personal data to our Data Protection Officer at https://aka.ms/privacyresponse.

While we hope we can answer any questions that you may have, if you have unresolved concerns, you also have the right to complain to a relevant data protection supervisory authority in the EU and UK.

For present and former employees, the controller of your personal data is the Microsoft entity that is or was your employer. For candidates, the controller of your personal data is the Microsoft entity to which you have applied for a role. For external staff, the Microsoft entity to which you provide services will be the controller of your personal data. Microsoft Corporation is also a controller of certain personal data of the above-mentioned data subjects. Any privacy-related queries for your data controller should be directed to AskHR@microsoft.com.

Last updated: June 2021

Employees in Turkey: Privacy Notice

With respect to the data processing activities concerning employees, candidates and external staff in Turkey, Microsoft Bilgisayar Yazılım Hizmetleri Limited Şirketi acts as the data controller, within the purposes of the Law on the Protection of Personal Data numbered 6698 (the “Law”).

With respect to the data processing activities concerning employees, candidates and external staff of the Liaison Office (MEA HQ) in Turkey, Microsoft Ireland Research ULC acts as the data controller, within the purposes of the Law.

In addition to the information shared above, we process personal data relating to you for the purposes of conducting contract management, audit, and ethics processes.

Such data may be obtained by means of email, telephone, web services, courier/post, physical and online forms, as well as photographs and video recordings during events and organizations, in both physical and electronic environments.

Personal data are processed on the following legal grounds: being envisaged under the laws; compliance with legal obligations; being necessary for the establishment, exercise and protection of a right, conclusion and performance of an agreement; legitimate interests of the data controller; and if provided, your explicit consent, as specified within the scope of the Law.

As data subjects, you are entitled to the rights, set forth under Article 11 of the Law. In accordance with the Communiqué on Principles and Procedures for Applications to Data Controllers, and to be concluded within 30 days, you may convey your requests concerning your rights under Article 11 of the Law, by the following means:

• Registered E-mail Address (KEP): microsoft@hs02.kep.tr
• E-mail Address: AskHR@microsoft.com (if your e-mail is registered within our systems, you may directly convey your request, however, if your e-mail address is not registered within the data controller’s systems, you must sign your application with secure electronic signature or mobile signature,)
• Address for Written Applications: Levent Mah. Aydın Sok. No: 7 Nisbetiye, 34340 Beşiktaş/İstanbul, Türkiye.

Last updated: June 2021

This addendum applies to Learning and Skills Data that Microsoft processes about employees and external staff for various purposes, subject to compliance with local laws, our own internal policies, third-party terms of use (e.g., where skills data or training is provided by third parties), and applicable third-party contractual requirements.

Learning and Skills Data are information about your professional development activities, such as training and achievements, skills, and related interests. Sources of Learning and Skills Data include information about your:

• Interactions with Microsoft Learning websites, such as Microsoft Learn or LinkedIn Learning, when you authenticate with your Microsoft employee account.
• Internal Microsoft trainings, courses or other offerings delivered by Microsoft, that you may attend to develop job, work, role or career-related skills. These offerings may be optional, encouraged, expected or even required; may be provided live, online or via audio and video recordings; and may be targeted broadly or scoped to your business, role or function. Examples include: Microsoft’s Standards of Business Conduct Training, offerings for Microsoft employees only on LinkedIn Learning, and trainings offered via company-wide, divisional or team learning portals.
• Third-party trainings or courses offered by Microsoft, or linked to your Microsoft employee account, or that you choose to share with Microsoft. Unlike the internal trainings referenced above, these trainings are delivered by third parties, not Microsoft, or are offered through services such as LinkedIn or LinkedIn Learning. These trainings may be provided via external websites, off-site courses, or delivered (even internally) by third-party resources. Like internal trainings, these third-party trainings may be targeted broadly or scoped to your business, role or function and may be available via commercial or consumer-facing websites. Examples include: offerings on LinkedIn Learning, or courses offered by third parties like Dale Carnegie or others.
• Certifications and achievements, such as Microsoft and third-party certifications you earn and choose to share. Some jobs, roles or functions may require specific certifications. If so, you will receive prior notice of such requirements. If certifications are mandatory, you may be required to share information about your successful completion of these certifications.
• Skills you identify or that can otherwise be inferred from your learning or professional activities.
• Participation in Microsoft events, such as Ready, Build, and hackathons.
• Growth interests, such as the experiences or skills you indicate that you would like to build for your growth and development in Connects or other contexts, or the content or material you explore related to professional development, career planning, skill building, and other learning opportunities.
• Role-based development, such as hands-on or experiential activities you do to gain competence in your role.

Microsoft may process various kinds of data from the above sources including (but not limited to):

• Contact Information and Demographic Data, for example, your name, contact information, job title, job level, profession, etc.;
• Attendance, performance, and completion data;
• Feedback about a particular event, course, training or offering;
• Analytics about your interactions with a training or learning website or service;
• Data about the skills you provide or are observed;
• Photos, videos or recordings (video and audio) of the training activity or event.

Microsoft also collects Learning and Skills Data in various contexts. For example, Microsoft collects Learning and Skills Data when you:

• Provide it, for example by sharing your professional development goals with your manager in your Connect, joining a Microsoft internal distribution list or group affiliated with a certification or professional skill, or updating your profile by adding badges designating professional achievements;
• Authorize a third party to provide it, such as when you direct an educational or professional organization to share your professional achievements with Microsoft;
• Register and participate in Microsoft learning activities, such as attending Ready, Build or a hackathon.
• Use learning services available only to Microsoft employees and/or external staff, such as when you view professional development content or interact with learning modules; and
• Use learning services authenticated with your Microsoft employee account, such as Microsoft Learn or LinkedIn Learning (subject to applicable terms of use for the hosting website and any contractual obligations Microsoft has undertaken to access such data).

Microsoft uses Learning and Skills Data for the varied purposes set out below, which may involve automatic processing using machine learning and artificial intelligence applications, such as natural language processing.

1. To manage our employment or working relationship with you – including your career development opportunities

   We process Learning and Skills Data for the purpose of managing our employment or working relationship with you, including fulfilling our obligations and commitments to you. Failure to provide your Learning and Skills Data when requested may prevent us from being able to carry out these tasks and/or comply with our legal obligations. For example, Microsoft uses Learning and Skills Data to:

   • Verify you have completed training activities required in your role or as required by applicable laws;
   • Facilitate, at your direction, professional development and career planning;
   • Review, reward, and enhance employee performance and career development;
   • Identify career and growth opportunities for employees;
   • Determine appropriate resources for a particular customer opportunity or support scenario;
   • Assess employee potential for advancement;
   • Validate you have attended training paid for or reimbursed by Microsoft; and
   • Assist you in identifying content or materials that may be aligned with your interests.

2. To provide and improve our products and services

   We process Learning and Skills Data to provide and improve our products and services. For example, when you register for Microsoft training or certification exams, we use your Learning and Skills Data to determine if you have completed the training and, if appropriate, meet certification benchmarks.

   We process Learning and Skills Data for the purpose of improving our products and services. For example, we may:

   • Analyze pseudonymized Learning and Skills Data to determine which learning activities are most popular among new employees or employees with certain titles;
   • Combine Learning and Skills Data with other business intelligence data to identify and evaluate, on an aggregated basis, the effectiveness of learning products and services. For example, we may inquire whether certain learning activities increase customer satisfaction levels, improve employee safety, reduce security incidents, or have impact on career development opportunities or employee performance; or
   • Use feedback from learning activities to improve our products and services. For example, we may receive insights about ways to improve Azure when analyzing aggregated results of Azure certification exams or reviewing feedback received after a training event.

3. Other lawful purposes

   We process Learning and Skills Data for other lawful purposes, such as when:

   • Necessary for our legitimate business purposes, such as running our business, conducting business intelligence, for auditing and reporting purposes, managing our network and information systems security, and providing and improving employee services.
   • We suspect or discover violations of law or violations of our internal policies.
   • Permissible, with your lawfully obtained consent.
   • We consider it necessary for complying with laws and regulations, including collecting and disclosing personal data as required by law (e.g., for minimum wage, working time, tax, health and safety, anti-discrimination laws, global migration and data subject rights), under judicial authorization, or to exercise or defend Microsoft’s legal rights.

Last updated: June 2021

This addendum applies to the Microsoft Data Program (MDP) and the business-related data processed by MDP for purposes of debugging, testing, developing, and improving new and existing products and services (“MDP Data”). MDP data may be used for scientific research purposes and to train AI and machine learning models. MDP and the terms of this addendum apply to Microsoft employees only. External staff and candidate data are specifically excluded from the scope of MDP. More information about the specific terms and scope of MDP can be found at the Learn More page. Employees may opt-out to limit their participation in the program at any time, without adverse consequence by clicking here http://aka.ms/MDPOptOut.

MDP is aimed primarily at the processing of data or information that is transmitted, created, exchanged or stored by Microsoft employees using Microsoft internal systems, software, services, and assets within the scope of their employment. Microsoft will make reasonable efforts to implement controls to exclude nonbusiness-related data from the scope of MDP, where possible. While those controls are intended to limit the scope of MDP to processing Microsoft business-related data (as described further at the Learn More page), MDP may incidentally process certain personal content for employees that is created, stored or transmitted in Microsoft owned or provided systems and resources. When that occurs, Microsoft will continue to make reasonable efforts to refine its controls to better exclude such data in the future. At all times, MDP’s processing of data will comply with the stated requirements for MDP, as well Microsoft’s internal policies (including the Responsible Use of Technology Policy), as well as local law.

Sources of MDP data include, but are not limited to, emails and calendar information in Exchange, files stored in OneDrive for Business, content of meeting recordings, voice collected on work devices, messages in Yammer and Teams, content on SharePoint sites, diagnostic data from work devices, search data, product and services feedback data, and internal line of business applications such as those applications developed to support sales processes (e.g., MSX). These are representative and non-exhaustive examples of the types of Microsoft business-related data from which MDP may process data. Up-to-date information concerning MDP can be found at the Learn More page.

In addition to content-related data from the above sources, Microsoft may also process various additional kinds of data from the above sources in support of MDP including (but not limited to):

• Basic Demographic Data, including, for example, your name and alias, etc.;

• Meta-data associated with the applicable content, such as time and date information, signals related to authorship and modification of data, document and meeting titles, etc.; and

• Telemetry data, such as data related to product and feature usage, associated with the above content types and services, or machine-related data such as software version history, machine type, operating system version, etc.

Microsoft’s use of MDP data is premised on Microsoft’s legitimate interest in using its own business data for business-related purposes, as that use strongly exceeds our employee’s individual interest in the privacy of such business-related data. Microsoft may process certain MDP data based on employee consent, to the extent: (1) an individual’s privacy interest would exceed Microsoft’s interest in the processing; and (2) local law requires Microsoft to obtain consent prior to such processing. Where consent constitutes the primary basis for processing data under MDP, Microsoft will in all cases ensure consent is voluntary and informed and will also ensure employees suffer no adverse consequence for refusing to give or later revoking such consent, and gain no specific benefit from choosing to participate or contribute data to MDP.

Last updated: April 2022

This addendum provides details about how Microsoft may process personal information in relation to the global COVID-19 pandemic. The addendum supplements the Privacy Notice and applies to employees, external staff, candidates, and guests.

Microsoft may process your personal information, as well as limited and relevant personal household information, in response to the COVID-19 pandemic for the purposes of ensuring the safety and wellbeing of employees, candidates, guests, and external staff, complying with applicable law, government guidelines and requests, and aiding the stability and continuity of our business.

The information that we process will be limited to what is proportionate and necessary for the purposes detailed below, considering unique local health and safety situations, applicable law, government guidelines and the latest guidance issued by local public health authorities. Please note that the types of personal information we process will depend on the specific measures in place at our worksites and overall workforce safety. Therefore, the descriptions below apply only to the extent that such measures are in effect.

What personal information may be processed?

Subject to applicable law, Microsoft may process personal information or data as follows:

• Personal information required to complete a daily health self-screening via the HealthCheck app upon entering our facilities.
• COVID-19 testing results, where such testing is required to enter our worksites.
• Your uploaded COVID-19 vaccination status or card, where required by law and/or as proof of your vaccination status to access Microsoft facilities.
• Information on any medical, religious, or other protected reason(s) that prevent you from getting vaccinated. For locations with vaccination requirements or mandates, the HR Accommodations Team has implemented a confidential process to evaluate information regarding protected reasons for non-vaccination.
• Personal information required to enable contact tracing, to provide benefits and other resources, or to comply with applicable law, government guidelines and requests.

What are we using the information for?

Your personal information, including but not limited to, information uploaded to the HealthCheck app, COVID-19 test results, details of protected reasons for non-vaccination, and information collected to enable contact tracing, provide benefits and other resources, and to respond to government requests may be used by Microsoft for the following purposes:

• To comply with our legal obligations for COVID-19 testing and/or vaccination mandates, as well as legal requirements to provide a safe and healthy working environment.
• To assess risks and adopt measures relating to health and safety at our worksites, such as our hybrid workplace model, social distancing, guidance on face coverings, etc.
• To comply with reporting obligations related to Microsoft’s response to the COVID-19 pandemic to governmental/public health authorities as required by applicable law.
• To manage staff absence and working patterns due to COVID-19 (e.g., to administer sick pay, make alternative work arrangements, etc.)

Where the information is to be used to make organizational decisions (for example, in relation to the safety measures to be implemented at worksites, worksite re-openings, etc.), steps will be taken to anonymize and aggregate the data wherever possible.

Legal Bases

Where applicable law requires personal information to be processed pursuant to a legal basis, we process:

• the personal information described above (apart from health information*): (i) on the basis of Microsoft’s legitimate interests to ensure the health, safety, and well-being of our employees, candidates, guests, and external staff, as well as to ensure the stability and continuity of our business operations; and (ii) to comply with applicable legal obligations related to health and safety at our worksites;
• health information: to comply with our legal obligations related to: (i) health and safety at our worksites, (ii) preventative and occupational medicine, and (iii) local laws that require such processing.

Where appropriate under applicable law, we may also process your personal information based on your consent. If we rely on consent, we will explicitly state so and provide details on how to withdraw consent, as appropriate.

With whom will the information be shared?

Microsoft will only share your personal information with internal parties who have a legitimate business need for it, including but not limited to, facilities and occupational health personnel, managers, supervisors, and/or HR, for the purposes described above. We will share your personal information with external third parties as required by law or with your consent.

How long will the information be retained by Microsoft?

We respect the privacy rights of all individuals, and we are committed to handling personal information responsibly and in accordance with applicable laws. Microsoft will only keep your information for as long as it is necessary for the above purposes, considering applicable law and government guidelines, the latest guidance issued by local public health authorities, and the on-going risks presented by COVID-19.

Any inquiries relating to this addendum should be directed to AskHR@microsoft.com.

For further details regarding how your personal data is processed by Microsoft, including your rights in relation to your data (where applicable), security measures and contact details of our Data Protection Officer in the event of a question or concern, please refer to the Privacy Notice.

* Information concerning the health of employees, candidates, guests, or external staff, including, where applicable, medical records, COVID-19 test results, vaccination status, and details of medical, or other protected reasons for non-vaccination.

Last updated: May 2022

This China Notice is a supplement to the Microsoft Global Data Privacy Notice (“DPN”) and provides additional information about personal data processing as required by the China Personal Information Protection Law and its implementing rules and regulations (“Applicable Chinese Law”). In case of any inconsistencies between the DPN and the China Notice, this China Notice prevails.

With respect to this China Notice, "Personal Data" means "Personal Information" as defined under Applicable Chinese Law. Personal Data is any electronic or otherwise recorded information related to identified or identifiable natural persons, excluding anonymized data.

Personal Data that We Process

In addition to the types of Personal Data described under the “Personal Data that We Process” section in the DPN, we may also process the following Personal Data:

• Household registration information, and if applicable, social relations of family members;
• Current or former employment status;
• Social benefits information, including information needed for social insurance and housing provident fund contributions;
• Business travel information, including payment information of Microsoft’s corporate credit card, and other information related to business trip and reimbursement, etc.

Under Applicable Chinese Law, the following non-exhaustive types of Personal Data that we collect from you, as necessary, may be considered sensitive Personal Data under Applicable Chinese Law:

• Demographic and biometric data, including employees’ health information; and
• Financial information.

Why We Process Personal Data

We process your Personal Data under a lawful basis of processing as provided by Applicable Chinese Law. Additionally, we process your Personal Data for the purposes described under the “Why We Process Personal Data” section in the DPN and for HR and workplace management, including investigations and disciplinary actions.

We collect and use sensitive Personal Data for the following purposes:

• Comply with requirements and applicable laws;
• Administering your employment contract or other commitments we have made to you;
• HR and workplace management, including investigations and disciplinary actions; and
• General business management and operations.

We will adopt strict security measures when processing sensitive Personal Data.

Your Rights to Your Personal Data

We respect your rights under Applicable Chinese Law. Under lawful circumstances, you may copy, consult, correct, complete, and delete your Personal Data. In certain circumstances, we may be unable to respond to your request to exercise your personal rights due to legal requirements, administrative regulations, or other legitimate purpose of processing Personal Data. You may exercise your rights via AskHR@microsoft.com.

Cross-Border Transfer of Personal Data

Microsoft operates globally. In order to perform general business management and operations, carry out HR management, fulfill legal obligations, and for other lawful purposes, Microsoft may transfer Personal Data collected from you in China to Microsoft’s affiliated entities outside of China, for example, the U.S. where Microsoft is headquartered. When your Personal Data is transferred outside of China, we will ensure that the transfer complies with Applicable Chinese Law and will implement appropriate and necessary measures to provide an equivalent level of data protection in accordance with Applicable Chinese Law.

Last Updated: December 2022

California: Your Rights

If you are an employee, external staff member, or candidate that resides in California, this section applies to you and supplements the information shared in the privacy notice.

California residents have specific rights regarding their personal information under the California Privacy Rights Act (“CPRA”). This section describes your rights and explains how to exercise those rights. Please note that in the preceding twelve (12) months, we have not sold your personal information or shared such information for cross context behavioral advertising. We may disclose certain personal information, such as your first and last name, employee identification number, email address, bank account details, job title/position, and other similar contact data, financial information, and employment details with our subsidiaries and affiliates and other third parties, including service providers who provide services on behalf of Microsoft.

1. You may request notice of and access to certain information about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable request, we may disclose to you:
   • The categories of personal information we collected about you.
   • The categories of sources for the personal information we collected about you.
   • Our business or commercial purpose for collecting that personal information.
   • The categories of third parties with whom we disclosed that personal information.
   • The specific pieces of personal information we collected about you (also called a data portability request).
   • If we disclosed your personal information for a business purpose, a list of disclosures identifying the personal information categories that each category of recipient obtained.
2. You may request that we correct personal information about you that is inaccurate.
3. You may request that we delete your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request, we will delete or de-identify (and direct our service providers to delete or de-identify) your personal information from our records, unless an exception applies.

None of these rights are absolute and there may be circumstances in which we are required or permitted under applicable law not to address your request.

Only you or an authorized agent that you authorize to act on your behalf may make a verifiable request related to your personal information.

Any verifiable request (including those to delete data) must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative (such as by requiring you to provide a signed written authorization that the agent is authorized to make a request on your behalf).
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable request does not require you to create an account with us.

We will not penalize you for exercising any of your rights where prohibited by law.

You may exercise your rights under the CPRA through one of the following means:

• Submitting a request to AskHR@microsoft.com
• Calling us at (+1) 425-882-8080