Introduction to Microsoft Professional Services
Microsoft Professional Services includes a diverse group of technical architects, engineers, consultants, and support professionals who are dedicated to delivering on the Microsoft mission of empowering customers to do more and achieve more. Our Professional Services team includes more than 21,000 total consultants, Digital Advisors, Unified Support, engineers, and sales professionals working across 191 countries and regions. Our team supports 46 different languages, manages several million engagements per month, and engages in customer and partner interactions through on-premises, phone, web, community, and automated tools. The organization brings broad expertise across the Microsoft portfolio, using an extensive network of partners, technical communities, tools, diagnostics, and channels that connect us with our enterprise customers.
For more information about Microsoft Professional Services, see the Microsoft Professional Services Trust Documentation webpage. Microsoft Professional Services takes its obligations under the General Data Protection Regulation (GDPR) seriously. The information in this document is designed to answer customer questions about how Microsoft's support and consulting offerings respond to and assist customers in responding to Data Subject Request (DSR) obligations under GDPR.
Similarly, the California Consumer Privacy Act (CCPA) provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information. The CCPA also provides for certain disclosures, protections against discrimination when electing to exercise rights, and "opt-out/opt-in" requirements for certain data transfers classified as "sales". This document guides you to information on the completion of Data Subject Requests (DSRs) under the GDPR and CCPA using Microsoft products and services.
Introduction to DSRs
The GDPR gives rights to people (known in the regulation as data subjects) to manage their personal data collected by an employer or other type of agency or organization (known as the data controller or just controller). Personal data is defined broadly under the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data subjects specific rights to their personal data. These rights include access, correction, objection to processing, and deletion. A formal request by a data subject to a controller to take an action on their personal data is called a Data Subject Request or DSR. Additionally, it obligates companies working on behalf of a controller (known as the data processor or just processor) to reasonably assist the controller in fulfilling DSRs.
This guide discusses how to find, access, and act on personal data that resides in Microsoft IT systems that Microsoft Support and other Professional Services organizations collect to provide Support and other Professional Services offerings.
When developing a response for DSRs, it's important for Microsoft's customers to understand that Professional Services Data is separate from Customer Data in their Online Services tenants or other data that they or their data subjects provide to Microsoft. You can't use tools and processes, such as those provided for Online Services or the Microsoft Privacy Dashboard, to respond to DSRs for personal data held by Microsoft Support or other Professional Services.
All requests must go through a support representative, as described later in this article. Currently, there's no self-serve tool for customers to access personal data within the Professional Services organizations.
Overview of the processes outlined in this guide
- Discover: Use search and discovery tools to more easily find customer data that might be the subject of a DSR. Once you collect potentially responsive documents, you can perform one or more of the DSR actions described in the following steps to respond to the request. Alternatively, you might determine that the request doesn't meet your organization's guidelines for responding to DSRs.
- Access: Retrieve personal data that resides in the Microsoft cloud and, if requested, make a copy of it that can be available to the data subject.
- Rectify: Make changes or implement other requested actions on the personal data, where applicable.
- Restrict: Restrict the processing of personal data, either by removing licenses for various Azure services or turning off the desired services where possible. You can also remove data from the Microsoft cloud and retain it on-premises or at another location.
- Delete: Permanently remove personal data that resided in the Microsoft cloud.
- Export/Receive (Portability): Provide an electronic copy (in a machine-readable format) of personal data or personal information to the data subject.
Terminology
Here are some relevant definitions of terms from the GDPR for this guide:
- Controller: The natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. If Union or Member State law determines the purposes and means of such processing, it also provides the controller or the specific criteria for its nomination.
- Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
- Personal data and data subject: Any information that relates to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Additional terms and definitions that help you understand this guide
- Professional Services Data: All data, including all text, sound, video, image files, or software, that Microsoft receives from, or on behalf of, Customer (or that Customer authorizes Microsoft to obtain from a Product) or that Microsoft otherwise obtains or processes through an engagement with Microsoft to obtain Professional Services.
- Customer Contact Data: Personal data that can be part of your business relationship with Microsoft, such as personal data contained within your customer contact information. Customer Contact Data can include your name, e-mail, or phone number of the Premier Contract Service Manager (CSM), the Global or IT Administrator for an Online Service, or similar roles.
- Pseudonymized Data: When you use Microsoft support for Microsoft's enterprise products and services, Microsoft generates some information linked to a Microsoft numeric identifier to provide the support. This information is often referred to as "Pseudonymized Data". Although you can't attribute this data to a specific data subject without the use of additional information, some of it may be deemed personal under GDPR's broad definition for personal data. Within Professional Services, requests to fulfill or assist in fulfilling DSRs always automatically include addressing pseudonymized data.
How to use this guide
This guide covers four scenarios a customer might encounter if they use Microsoft Professional Services.
- DSR for a Customer Contact Engaging Microsoft: Explanation for how Microsoft responds to requests from a customer contact or IT administrator to exercise their data subject rights.
- DSR for an End-User Engaging Microsoft: Explanation for how Microsoft responds to requests from a customer's employees or other data subjects to exercise their rights.
- DSR for Customer Provided Data: Commercial Support: Information about how to receive assistance from Microsoft when a customer receives a request from their employee or other data subjects to exercise their rights, and that data subject's personal data was collected by Microsoft Support during a support engagement.
- DSR for Customer Provided Data: Consulting Services including FastTrack Migration Services: Information about how to receive assistance from Microsoft when a customer receives a request from their employee or other data subjects to exercise their rights, and that data subject's personal data was collected by Microsoft during a consulting engagement.
DSR for a customer contact engaging Microsoft
How Microsoft responds to requests by a customer contact or IT admin to exercise their data subject rights.
When a customer engages Microsoft to receive support or consulting services, Microsoft Support automatically collects or retrieves from account records the personal data of the Customer Contact (for example, CSM, Global Admin, IT Admin). This collection likely includes the name, email, phone, and other personal data of the individual seeking support or consulting services.
The Customer Contact's personal data is part of Microsoft's business relationship with the customer, and Microsoft is the Data Controller, except when Microsoft collects this data in the course of providing technical support. Microsoft responds to DSRs from the Customer Contact regarding their personal data, regardless of whether they're still with the organization.
When Microsoft collects the Customer Contact's personal data in the course of providing technical support, Microsoft is the Data Processor.
Customers should understand that the DSR only covers the personal data of the Customer Contact, and no changes or deletions are made to any of the customer's data submitted as part of engagements (for example, transcripts, case descriptions, files, work product), since Microsoft is the data processor. Additionally, to maintain the engagement's historical record, no changes are made to closed engagements, including the record of who opened an engagement.
When Microsoft is the Data Controller and receives an inquiry from a Customer Contact regarding a DSR, Microsoft personnel refer the customer contact to the Privacy Response Center. This center is Microsoft's primary input mechanism for privacy inquiries and complaints. Upon receiving an inquiry, the Privacy Response Center identifies that this request is part of a commercial or organizational account and responds accordingly.
For situations where Microsoft is the Data Processor, see DSR for Customer Provided Data: Commercial Support below.
Customers can choose to make changes to their data collected during Professional Services engagements through normal support or consulting channels, separate from this DSR. For instance, Microsoft can help expunge support engagements on request (see the DSR for customer-provided data section).
DSR for an end-user engaging Microsoft
How Microsoft responds to requests from a customer's employees or other data subjects to exercise their rights.
If a customer's employee or other data subject contacts Microsoft to exercise their rights over data that Microsoft collected as the data processor, Microsoft informs the data subject that they need to contact Microsoft's customer, as the data controller, to exercise those rights. Microsoft takes no further action.
If the data subject also contacts Microsoft about exercising their rights for data Microsoft collected in situations where Microsoft is the data controller (for example, consumer support), Microsoft separately responds to the individual's data subject right request for that personal data.
DSR for customer-provided data: Commercial support
How to get help from Microsoft when a customer receives a request from their employee or other data subjects to exercise their rights, and Microsoft Support collects that data subject's personal data during a support engagement.
When a customer engages Microsoft Support, Microsoft collects Support Data from the customer to resolve any issues that require the support engagement. This Support Data includes Microsoft's interaction with the customer (for example, chat, phone, email, web submission) plus any content files the customer sends to Microsoft or Microsoft has, with the customer's permission, extracted from the customer's IT environment or Online Services tenancy to resolve the support issue. In the case of Unified support, this data also includes any data Microsoft collects from the customer to proactively prevent future issues. However, this data excludes other information from Microsoft's business relationship with the customer (for example, billing records).
For all Support Data and Contact Data that Microsoft collects while providing support, Microsoft acts as the data processor. As the data processor, Microsoft doesn't respond to direct requests from data subjects regarding Support Data that Microsoft collects when they're associated with a Microsoft commercial customer. Customers should contact their Customer Success Account Manager (CSAM) for assistance.
Step 1: Discover
The first step in obtaining Microsoft's assistance in responding to a DSR is to find the personal data that is the subject of the DSR. Finding and reviewing the personal data helps a customer determine whether a DSR meets the organization's policies for honoring a data subject request.
After the customer finds the data, they can perform the specific action to satisfy the request by the data subject. Identifying what the customer is trying to do determines what level of discovery the customer needs to engage in.
When Microsoft assists a customer with the resolution of a DSR, this process is a business function, and the request goes through the regular support channel.
In discovering relevant data and obtaining Microsoft's assistance, a customer has several options for how to approach the DSR:
Option A: Cross-Microsoft Support Customer DSR. Apply the DSR to all the customer's support data across Microsoft's support environment. To do this, a customer can just ask Microsoft to apply the DSR to all support data collected.
Option B: Specific Customer Engagements. Use online systems to review tickets, then identify specific engagements containing the relevant personal data and report them to Microsoft. Microsoft attempts to provide assistance to perform a search if the customer doesn't have the ability to search across engagements (tickets).
Once engagements are identified, request to apply the DSR to either a specific part of the record or everything related to that engagement across Microsoft.
To identify specific engagements, customers need to search across their engagements. For Unified customers, the Customer Success Account Manager (CSAM) for a customer has visibility across all support requests (SRs) that are created under the customer's Contract Schedule. For Non-Unified customers, equivalent support engagement portals are available, such as through Online Services support areas.
The CSAM can go to the portal at Services Hub and select manage all support requests.
Important
In addition to the case history in Services Hub, customers might also have personal data of an end user in files that Microsoft collected (or, with the customer's permission, removed from the Online Service) during a support engagement. Examples might include copies of the customer's Exchange mailboxes, Azure VMs, or databases. This personal data might not be mentioned in the case history (that is, ticket) for a particular engagement. To review that data, the Customer Contact must be a specific authenticated (via AAD or MSA) Support Request contact that receives a URL for a workspace in Microsoft Support Data Transfer and Management tool (DTM). A Customer Contact has access to the files, but no global view is available, and Services Hub doesn't indicate if files exist.
Once customers identify all the relevant data in the selected support tickets, they can decide whether to request the deletion of everything related to a ticket or selectively apply the DSR to individual instances of personal data.
Step 2: Access
After a customer finds Support Data containing personal data that is potentially responsive to a DSR, the customer decides which personal data to include in the response. For example, the customer might remove personal data about other data subjects and any confidential information.
The response to the DSR might include a copy of the actual document, an appropriately redacted version, or a screenshot of the portions the customer deems appropriate to share. For each of these responses to an access request, the customer retrieves a copy of the document or other item that contains the responsive data.
Access to the personal data of an end user might come from a mention or notation in the various types of content documentation. Since customers can access the engagement ticket and the content, they can provide a summary of personal data themselves without further assistance from Microsoft.
In rare cases, customers might need to obtain copies of support interaction data (for example, emails, transcribed copies of phone recordings, chat transcripts) between a Microsoft Representative and the Customer's Representative. To the extent required, Microsoft might provide redacted copies of these transcripts based on need, sensitivity, and difficulty.
Step 3: Rectify
If a data subject asks the customer to rectify the personal data that resides in their organization's Support Data, the customer determines whether it's appropriate to honor the request. If the customer chooses to honor the request, the customer might request that Microsoft make the change. Microsoft might rectify the data or might delete the customer's data from the support systems and request that the customer resubmit it to Microsoft in corrected format.
Step 4: Restrict
The customer can close an engagement or contact Microsoft and request the engagement be closed. A closed engagement prevents any work from being performed.
Step 5: Delete
The "right to erasure", exercised by removing personal data from an organization's Support Data, is protected by the GDPR. Removing personal data includes deleting entire engagements, documents, or files, or deleting specific data within an engagement, document, or file.
As a customer investigates or prepares to delete personal data in response to a DSR, understand how deletion works for Microsoft Support.
All data at Microsoft has a retention and deletion policy applied to it, which varies depending on risk and other factors.
Customers can request the deletion of a data subject's personal data universally across Support systems through their Customer Success Account Manager (CSAM) or by filing a Support Request (SR) in Services Hub or equivalent system. You must indicate that this request is to assist with a DSR under GDPR.
Option A: Cross-Microsoft Support Customer DSR. For a cross system DSR, the customer must provide the personal data that Microsoft needs to identify the required data (for example, email address, phone number). Microsoft won't correlate or research records and only searches directly on identifiers provided by the customer. When data is found, Microsoft deletes all engagements and all associated data.
Important
This may result in the loss of historical records that are important to the customer's organization.
Option B: Specific Customer Engagements. For specific engagements that the customer has identified and wants deleted, don't delete tickets out of Services Hub. This results in personal data remaining in logs and downstream systems that may not be deleted within the needed timeframe. Instead, identify the ticket or personal data within the ticket that must be deleted, and contact Microsoft Support to assist you in deleting that data.
Microsoft Support Data Transfer and Management tool (DTM) instructions
For all these searches, Microsoft doesn't search across DTM due to the potential sensitivity of content in files. However, if the customer desires, Microsoft deletes all files contained in DTM associated with the customer's account. Due to the potential for serious customer impact, Microsoft requires a separate request from the customer specifying the deletion of DTM files.
- For open cases or for cases closed less than 90 days prior, the Customer Contact can go into DTM and delete files.
- By default, files are automatically deleted 90 days after the case is closed.
- Customers should also ask Microsoft, via their CSAM or through the Privacy Response Center, to check across systems for the personal data, because files are occasionally copied from DTM to other systems for diagnostic purposes.
Step 6: Export
The "right of data portability" allows a data subject to request a copy of their personal data in an electronic format and request that your organization transmit it to another controller. In the case of Support Data, any usable information that Microsoft has is in the form of engagement information or files that you can return for re-communication or uploading to another controller.
Note: Exported data may not include Microsoft's intellectual property or any data that may compromise the security or stability of the service.
DSR guide for customer-provided data in consulting services, including migration services
How to get help from Microsoft when a customer receives a request from their employee or other data subjects to exercise their rights, and Microsoft collected that data subject's personal data during a consulting engagement.
Industry Solutions Delivery
For Industry Solutions Delivery (ISD) engagements contracted under the Microsoft Products and Services Data Protection Addendum (DPA):
Microsoft is the data controller for Customer Contacts working with the engagement team. Those individuals should contact the Privacy Response Center to fulfill data subject rights.
Microsoft is the data processor for a DSR located within data provided during a consulting engagement. The customer should contact their Customer Success Account Manager (CSAM) to build a plan to assist in responding to a DSR based on the data collected and the specific type of consulting services provided. To the extent your request constitutes a level of effort typically seen within Industry Solutions Delivery, there might be an additional work order required. Additionally, personal data is deleted after each consulting engagement within a timeframe dependent on the type of consulting engagement. The customer can request that data be deleted sooner and request an attestation of deletion.
Microsoft FastTrack Services
Microsoft FastTrack provides IT consulting services to organizations to help them onboard and use Microsoft cloud services such as Microsoft 365, Azure, and Dynamics 365.
Microsoft is the data controller for Corporate Customer Contacts working with FastTrack to deploy and migrate to the above-mentioned Microsoft cloud services. If you're a Corporate organization working with Microsoft FastTrack on your deployment and you wish to access, revise, or remove contact information from Microsoft's FastTrack records, you may submit a Data Subject Request (DSR) by sending a request to the FastTrack for Microsoft 365 - Corporate GDPR requests inbox (O365ftgdpr@microsoft.com).
For FastTrack migration services, Microsoft is the data processor. In accordance with our FastTrack additional privacy disclosure statement, all data in migration is considered "migration data." If you need to execute DSRs while your organization is engaged in a FastTrack migration project, special care is required.
If you need to process any access, rectify, or export DSR requests while a user's data is being processed through FastTrack migration systems, it's the customer's responsibility to fulfill such DSRs through the existing source systems in which the user data is stored. Once the user's migration is complete and the data is migrated to the destination Microsoft cloud service, the guidance provided by Microsoft on how customers can use Microsoft products, services, and administrative tools to find and act on personal data to respond to data subject requests then applies. To view this guidance, see Data Subject Requests for the GDPR.
If you need to delete a user account in response to a DSR delete request while your organization is engaged in an ongoing FastTrack migration project, be aware that migration systems might retain a copy of user migration data for a period of time following completion of the user's migration and deleting the user account doesn't automatically delete such user migration data stored in FastTrack migration systems. If you want the Microsoft FastTrack team to delete user migration data, you can submit a request. In the ordinary course of business, Microsoft FastTrack deletes all data copies once your organization's migration is complete.
Other Consulting Services
Customers receiving other Consulting Services through Microsoft should work through the engagement team for fulfillment of all GDPR requirements. If the engagement team isn't able to provide clear instructions on GDPR DSR fulfillment, customers should contact their CSAM or submit a request for technical support.