Does this discussion need to interest the „normal user“ at all? And if so, what can and must he do himself?

Office 365 as a range of online applications

Office 365, a Microsoft product, offers access to a whole range of web applications, from Outlook to Excel to OneDrive. They are available to the user online. The market share of Office 365 is high and has been growing for years. It’s no wonder that data protection issues surrounding Office 365 are attracting a great deal of attention.

Criticism from data protection authorities

In recent times, it has been reported here and there that Office 365 violates data protection and should soon no longer be used. To put it bluntly, this is of course not true. The supervisory authorities have not announced that they will ban the use of Office 365. Rather, they have determined by a narrow majority (i.e., not unanimously) that it is not currently possible to use Office 365 in a way that complies with data protection requirements.
This statement is something of an interim message. At the moment, negotiations are underway between the supervisory authorities and Microsoft. In the process, the issues that have arisen will be discussed. This will certainly take some time. We will hear about the results sooner or later.

Unproblematic use of data

The regulators have raised some issues that are quite interesting. The main one is the contract between Microsoft and the companies or administrations that use Office 365. There, it is regulated what Microsoft uses the personal data that is transmitted by the users for.
One point is completely unproblematic: Microsoft uses this data to provide the agreed services. If Outlook is to function, for example, Microsoft must process the data required for this purpose. Sending an e-mail, for example, only works if the necessary e-mail address is available and is used to send the e-mail. There is no criticism of this.

Use of data for „business activities

It gets more difficult because, according to the contract, Microsoft may also use data for „legitimate business activities of Microsoft“. This wording is quite general. Therefore, the question arises whether companies that use Office 365 are allowed to provide Microsoft with data for this purpose. In some respects, the answer is clearly yes. This applies, for example, to the billing of services that Microsoft provides. In other respects, it is not so clear. For example, the fight against fraud and cybercrime is certainly an important matter. Here, however, it is debatable which data is actually required for this purpose and may therefore be transferred to Microsoft.

Field for experts

These few examples show that this is a question for data protection experts. How precise must contractual provisions be? What technical security measures must Micro-soft have in place? All of this is important. For the normal user of Office 365 in the office, however, it is not worth dealing with this. It would only be different if he wants to delve deeply into questions of data protection out of private passion.

Ask questions of yourself!

So is it enough to sit back quietly and simply use Office 365 without giving it much thought? That would be too simplistic again. Instead, the normal user in the office should take a moment to think about everything he or she does with Office 365. Normally, that’s an astonishing amount. We’ve already talked about mails. But some thoughts about what is in Excel spreadsheets could also be useful.

Observe the employer’s requirements!

Based on the question „What am I actually doing here?“, the user should then consider whether he or she is adhering to the specifications of the company where he or she works. Has the Excel spreadsheet perhaps been extended by one or the other column because that seemed so practical? Or did the company deliberately not include such a column?

See your own responsibility!

These are questions that do not concern Microsoft. One should never forget that Office 365 is only a tool. As long as it is not used, it does not store any data and does not pass any on. If it stores and passes on data, then the user has triggered this. The user is responsible for this, not Microsoft.