Change History for Microsoft Data Privacy Notice

October 2021

Per request of the Privacy Shield team at the U.S. Department of Commerce’s International Trade Administration (ITA), changes include a statement that:

  • Swiss individuals have the right to complain to their relevant data protection supervisory authority;
  • Microsoft is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), and binding arbitration, under certain conditions.

June 2021

  • Specific reference made to former employee data being in scope for the DPN.
  • Inclusion of “data subject rights” as an example of Microsoft’s legal obligations to process data and specific reference to global diversity and inclusion initiatives as a legitimate business purpose for processing personal data.
  • Specific reference to feedback and sentiment data as a category of personal data that Microsoft processes.
  • Specific reference to the availability of Microsoft’s Model Clauses for data transfers from the EU to other countries and non-reliance on the EU-U.S. Privacy Shield Framework as a legal basis for personal data transfers in light of the Schrems II decision.
  • Identification of the controllers of personal data in the EU and UK addendum.

October 2020

  • Gender, gender identity, parental and military status were included in the definition of demographic data.

June 2020

  • Specific reference made to the personal data of “guests” being in scope for the DPN.

February 2020

We added 2 addenda:

  • Learning and Skills Data Addendum
  • Microsoft Data Program (MDP) Addendum

March 2019

In Where we store and process personal data, we clarified that our commitment to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks extends to personal information received from the United Kingdom.


April 2018

We published a new Global Data Employee, Candidate and External Staff Privacy Notice that brought together many privacy statements that historically covered groups separately (e.g. candidates, EU employees) and created one privacy notice to collectively address all audiences and also reflect employee DSR rights for the EU and Turkey.