Microsoft Forms is a web-based tool in Microsoft 365 that enables users to quickly create surveys, quizzes, polls, and feedback forms.
Microsoft does not use individual Microsoft Forms responses for its own research or marketing, but data is processed and stored by Microsoft as part of providing the service and to meet security, compliance, and legal obligations.
For organizational (work or school) accounts:
- Forms data is handled under the organization’s Microsoft 365 agreement and privacy/compliance terms (including GDPR, FERPA, and BAA where applicable).
- Microsoft Forms “has met GDPR compliance requirements” and “meets FERPA and BAA protection standards,” which means data is processed according to those regulatory frameworks, including access controls and data subject rights.
For personal Microsoft accounts (Hotmail, Live, Outlook.com):
- Forms must comply with the Microsoft Terms of Use, and data is handled under those terms.
Because Microsoft is the service provider, it can technically access data as required for:
- Operating and securing the service.
- Fulfilling legal or regulatory obligations.
- Enforcing terms of use (for example, investigating reported abuse or phishing).
However, this is different from Microsoft using the content for its own independent research. Any such use would be governed by the applicable privacy terms and data protection regulations.
Regarding what can be declared to participants:
- It is accurate to state that responses are collected and used by the researcher for the stated research purpose.
- It should not be stated that “no one at Microsoft can ever access the data,” because Microsoft, as the data processor/service provider, may access it under its compliance, security, and legal obligations.
- A typical accurate statement is that data is stored and processed on Microsoft services under Microsoft’s privacy, security, and compliance commitments (GDPR, FERPA/BAA where applicable), and that only the research team and the service provider (Microsoft) have access as required to operate the service and meet legal obligations.
For detailed legal wording, the applicable Microsoft 365 privacy/compliance documentation and the organization’s own privacy statement should be consulted.