Change History for Microsoft Data Privacy Notice

October 2023

  • Added Canada addendum.
  • Updated EU and UK addendum to include Switzerland.
  • Where We Store and Process Personal Data updated to include language regarding our liability for onward transfers.

September 2023

  • Covid-19 addendum removed.
  • Where We Store and Process Personal Data language updated to reflect Data Privacy Framework.
  • Workplace Security and Monitoring updated to include usage of badge scans for campus utilization trends.

June 2023

  • Remote working location included in the definition of employment detail.
  • Equity and incentive compensation included in the definition of financial information.
  • Workplace, Device, Usage, and Content data section has been updated to include additional context on the use of applications and technical data.
  • Why We Process Personal Data updated to include space planning and allocation, administration of business applications and systems, whistleblowing procedures, and AI to facilitate certain features and experiences deployed on the Microsoft tenant.
  • How and Why We Share Personal Data updated to include internal and external audits.
  • Where We Store and Process Personal Data language regarding Privacy Shield Framework updated.
  • EU and UK addendum updated with how to locate contact information of the controller of data.

February 2023

  • Added Employee Privacy Principles.

December 2022

  • Added California addendum.

June 2022

  • We have updated Why We Process Personal Data section to provide details for when data may be used for scientific research and what requirements must be met to enable this use.
  • Specific reference made to processing of employee data to support Hybrid workplace and other facility and building management activities.

May 2022

  • Added China Privacy Notice addendum.

April 2022

  • With GIVE campaign going global we have updated Why We Process Personal Data section by adding information related to GIVE processing.
  • Added addendum covering processing of personal data related to COVID-19 pandemic.

October 2021

Per request of the Privacy Shield team at the U.S. Department of Commerce’s International Trade Administration (ITA), changes include a statement that:

  • Swiss individuals have the right to complain to their relevant data protection supervisory authority;
  • Microsoft is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), and binding arbitration, under certain conditions.

June 2021

  • Specific reference made to former employee data being in scope for the DPN.
  • Inclusion of “data subject rights” as an example of Microsoft’s legal obligations to process data and specific reference to global diversity and inclusion initiatives as a legitimate business purpose for processing personal data.
  • Specific reference to feedback and sentiment data as a category of personal data that Microsoft processes.
  • Specific reference to the availability of Microsoft’s Model Clauses for data transfers from the EU to other countries and non-reliance on the EU-U.S. Privacy Shield Framework as a legal basis for personal data transfers in light of the Schrems II decision.
  • Identification of the controllers of personal data in the EU and UK addendum.

October 2020

  • Gender, gender identity, parental and military status were included in the definition of demographic data.

June 2020

  • Specific reference made to the personal data of “guests” being in scope for the DPN.

February 2020

We added 2 addenda:

  • Learning and Skills Data Addendum
  • Microsoft Data Program (MDP) Addendum

March 2019

In Where we store and process personal data, we clarified that our commitment to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks extends to personal information received from the United Kingdom.

April 2018

We published a new Global Data Employee, Candidate and External Staff Privacy Notice that brought together many privacy statements that historically covered groups separately (e.g. candidates, EU employees) and created one privacy notice to collectively address all audiences and also reflect employee DSR rights for the EU and Turkey.