Office 365 is not designed to conduct or facilitate such monitoring. But as the data processor, Microsoft has no control over such use and typically would have little or no insight into such use.Ī systematic monitoring of a publicly accessible area on a large scale Any such use is relevant to a controller's determination of whether a DPIA is needed. Office 365 is a highly customizable service that enables the customer to track or otherwise process any type of personal data, including special categories of personal data.
However, a data controller could use Office 365 to process the enumerated special categories of data. Office 365 is not designed to process special categories of personal data. Processing on a large scale 1 of special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation), or of personal data relating to criminal convictions and offenses However, because Office 365 is a highly customizable service, a data controller could potentially use it for such processing. Office 365 is not designed to perform automated processing as the basis for decisions that produce legal or similarly significant effects on individuals. Risk FactorĪ systematic and extensive evaluation of personal aspects relating to natural persons that is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural personĭepending upon the data controller's configuration, Office 365 may perform certain automated processing of data, such as the analysis performed by Workplace Analytics that allows the data controller to derive insights on how people collaborate within an organization based on email and calendar header information from user's mailboxes. In determining whether a DPIA is needed, you, as a data controller should consider these factors, along with any other relevant factors, in light of the controller's specific implementation(s) and use(s) of Office 365. Part 1: Determining whether a DPIA is neededĪrticle 35 of the GDPR requires a data controller to create a Data Protection Impact Assessment 'where a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.' It further sets out particular factors that would indicate such a high risk, which are discussed in the following table. A more complete list of services available through Office 365 can be seen in Tables 1 and 2 of the Office 365 Data Subject Request Guide.
Office 365 applications and services, include, but are not limited to, Exchange Online, SharePoint Online, OneDrive for Business, Yammer, and Microsoft Teams.
MICROSOFT OFFICE 365 CALENDAR TEMPLATES DOWNLOAD
Part 3 also includes an illustrative DPIA document that you can download and modify to make drafting DPIAs easier for you. Part 3 provides additional product-specific information for a number of the most relevant information needs of our customers for purposes of drafting their own DPIAs. Part 2 provides answers applicable to all Office 365 services for each of the required elements of a DPIA. If the answer is 'yes,' Parts 2 and 3 of this document provide key information from Microsoft that can help draft it. Part 1 of this document provides information about Office 365 to help you, as a data controller, determine whether a DPIA is needed. Rather, whether a DPIA is required will be dependent on the details and context of how you, as the data controller, deploy, configure, and use Office 365.
There is nothing inherent in Microsoft Office 365 that would necessarily require the creation of a DPIA by a data controller using it. Under the General Data Protection Regulation (GDPR), data controllers are required to prepare a Data Protection Impact Assessment (DPIA) for processing operations that are 'likely to result in a high risk to the rights and freedoms of natural persons'.
0 kommentar(er)
