The Hessian Data Protection Commissioner concluded on November 15, 2025, that Microsoft 365 cloud services can operate in compliance with the General Data Protection Regulation, marking a significant shift from the authority’s position three years earlier, when it identified seven critical deficiencies in Microsoft’s data processing agreements.

According to Professor Dr. Alexander Roßnagel, the Hessian Data Protection and Freedom of Information Commissioner, the 137-page assessment represents the culmination of negotiations that began in January 2025. “We have constructively examined under what conditions practical and data protection-compliant use of M365 is possible in the interests of users,” Roßnagel stated in the official announcement. The finding provides organizations and public authorities in Hesse with fundamental legal certainty for deploying Microsoft 365 products.

The assessment does not constitute a technical examination of individual M365 services. Rather, the Hessian authority focused exclusively on whether Microsoft’s Data Protection Addendum addresses the seven deficiencies that the Conference of Independent Data Protection Authorities identified in November 2022. At that time, the conference determined that controllers could not demonstrate GDPR-compliant operation of M365 based on the Data Protection Addendum dated September 15, 2022.

Microsoft provides M365 as a cloud service in which Microsoft acts as the data processor and the customer organization serves as the controller under GDPR terminology. The September 2022 Data Protection Addendum failed to meet the Article 28 GDPR requirements for processors in seven specific areas, which became the benchmark for subsequent negotiations.

Three structural changes enabled the new assessment. Legal frameworks shifted, most notably through the adoption of the EU-US Data Privacy Framework, which permits personal data transfers to the United States. Microsoft adjusted its data processing architecture to handle almost all personal data within the European Economic Area through what Microsoft terms an “EU data boundary.” The company also expanded its explanations of its data protection concepts to the Hessian authority and developed the Data Protection Addendum specifically for public sector clients.

The first deficiency concerned insufficient specification of processing types, purposes, personal data categories, and affected groups. Microsoft provided enhanced documentation that enables controllers to obtain adequate information about Microsoft’s data processing operations and to integrate this information into their records of processing. The authority concluded that public sector controllers now have access to sufficient information about how Microsoft processes their data.

Regarding the second issue, Microsoft reserving insufficiently defined rights for its own business activities, the company clarified that it processes only log and diagnostic data in anonymized and aggregated form for the controller’s purposes, not content data. According to the Hessian assessment, this processing either falls outside the scope of the GDPR or represents acceptable data protection practice.

The third deficiency involved Microsoft reserving extensive authority to process data without controller instruction and to disclose data to third countries. The updated Data Protection Addendum commits Microsoft to processing personal data only upon documented customer instruction and subjects disclosure practices to GDPR requirements. Microsoft now contractually binds itself to process data exclusively on the basis of explicit controller direction.

Fourth, Microsoft’s earlier failure to commit to implementing the required technical and organizational security measures has been resolved. The current Data Protection Addendum obligates Microsoft to comply fully with GDPR requirements without exceptions. The company now contractually commits to maintaining the security standards mandated by the regulation.

The fifth shortcoming concerned inadequate return and deletion obligations. Microsoft now provides a deletion process and allows all customers to delete data themselves or to request expedited deletion when necessary. Controllers retain direct deletion capabilities rather than relying exclusively on Microsoft’s standard deletion timelines.

Regarding the sixth issue, insufficient advance notification about subprocessor changes, Microsoft maintains detailed information about each subprocessor in its Service Trust Portal. The company provides this information six months in advance for most subprocessors and one month in advance for others, ensuring customers can review subprocessor arrangements without difficulty. All customers receive notifications enabling them to assess new subprocessor relationships.

The seventh and most politically sensitive issue involved unlawful data transfers to the United States and other jurisdictions. Microsoft now processes data almost entirely within the European Economic Area. Remaining data transfers to the United States and other countries rely on European Commission adequacy decisions and Standard Contractual Clauses. The EU-US Data Privacy Framework, adopted since the 2022 assessment, provides a legal basis for transatlantic transfers that did not exist when regulators initially identified this deficiency.


The positive determination rests on the expectation that Microsoft and controllers will collaborate to enable compliant M365 usage. The report concludes with implementation recommendations for both public and private sector organizations in Hesse. These guidelines enable controllers to conduct detailed data protection assessments of specific M365 components for their intended deployments.

The Hessian authority’s jurisdiction extends only to one of Germany’s 16 federal states, each of which maintains an independent data protection supervisory authority. The assessment does not bind other German states or European data protection authorities, though it may prove persuasive on the strength of its substantive analysis. Germany has separately proposed sweeping GDPR reforms that extend far beyond current simplification efforts.

The finding arrives amid ongoing concerns about Microsoft’s ability to protect European data from US government access. Microsoft France’s Director of Public and Legal Affairs testified under oath in June 2025 that the company cannot guarantee that French citizens’ data will never be transmitted to US authorities without explicit French authorization. The testimony highlighted tensions between contractual data protection commitments and the extraterritorial reach of the US Cloud Act.

Microsoft made additional materials available, including the M365-Package designed to support controllers with their data protection documentation obligations. The company developed these resources specifically to address the implementation challenges organizations face when attempting to document M365 data processing activities.

The assessment methodology focused on legal and contractual analysis rather than technical infrastructure examination. The Hessian authority did not conduct security audits of Microsoft’s data centers or verify the technical implementation of security controls. Instead, evaluators focused on whether the contractual frameworks now provide a sufficient legal basis for compliant usage.

The implementation recommendations emphasize that controllers must conduct their own assessments. Organizations should evaluate individual M365 components for specific use cases rather than assuming blanket approval for all services. The authority’s positive determination establishes that compliant usage is possible, not that every M365 deployment automatically achieves compliance.

Controllers bear responsibility for configuring M365 appropriately, implementing necessary safeguards, and documenting processing activities. The assessment provides a framework but does not substitute for organization-specific compliance work. Public and private sector entities must still conduct data protection impact assessments for high-risk processing operations.

The three-year evolution from the identification of seven critical deficiencies to approval demonstrates how regulatory negotiations can yield substantive improvements in cloud service provider practices. Microsoft made specific contractual commitments and architectural changes rather than merely providing more documentation about unchanged practices.

Microsoft’s EU data boundary represents technical infrastructure investment beyond contractual language changes. Processing personal data within the European Economic Area addresses data localization concerns while maintaining operational capabilities. The approach differs from pure data residency requirements by permitting limited transfers under appropriate legal frameworks.

The assessment acknowledges remaining challenges despite the overall positive determination. The technical complexity of cloud services creates inherent documentation difficulties. Distributed architectures in which multiple subprocessors handle different processing operations require sophisticated contractual frameworks. Controllers must understand these technical realities to implement effective oversight.

Organizations evaluating Microsoft 365 adoption should review the full 137-page report alongside Microsoft’s updated Data Protection Addendum and implementation guidance. The Hessian authority’s assessment provides detailed reasoning about each previously identified deficiency and Microsoft’s remedial actions.

Marketing technology professionals should note that GDPR compliance frameworks continue to evolve alongside broader regulatory changes affecting data processing. The European Commission has proposed substantial GDPR amendments through its Digital Omnibus initiative that could alter compliance requirements for AI development and automated decision-making systems.

The November 15 determination applies specifically to Microsoft 365 as documented in the current Data Protection Addendum. Future product changes, service expansions, or modified processing practices may require reassessment. Controllers should monitor Microsoft’s communications about material changes to data processing architectures or contractual frameworks.

Summary

Who: The Hessian Data Protection and Freedom of Information Commissioner (HBDI), led by Professor Dr. Alexander Roßnagel, evaluated Microsoft’s cloud service compliance. Microsoft acts as data processor while customer organizations operate as controllers under GDPR definitions.

What: The authority determined that Microsoft 365 can now operate in compliance with GDPR requirements after the resolution of seven critical deficiencies previously identified in the company’s Data Protection Addendum. Microsoft made contractual commitments, implemented EU data boundary infrastructure, and provided enhanced documentation enabling controllers to demonstrate compliant usage.

When: The 137-page report was published on November 15, 2025, following negotiations that began in January 2025. The assessment addresses deficiencies identified by German data protection authorities in November 2022 regarding Microsoft’s September 15, 2022 Data Protection Addendum.

Where: The determination applies specifically to Hesse, one of Germany’s 16 federal states, each with an independent data protection authority. Microsoft processes data almost entirely within the European Economic Area through its EU data boundary, with limited transfers to the United States under the EU-US Data Privacy Framework and Standard Contractual Clauses.

Why: The assessment matters because Microsoft 365 represents widely deployed cloud infrastructure for organizations throughout Europe. The positive determination provides legal certainty for Hessian organizations while demonstrating how three years of regulatory negotiations yielded substantive improvements in cloud provider data protection practices, contractual frameworks, and technical architectures.
