Microsoft 365 (formerly Office 365) is a cloud based productivity suite including Outlook, Word, Excel, PowerPoint, Teams, OneDrive, and SharePoint. It processes extensive personal data, uses cookies and telemetry, and transfers data internationally via Microsoft's global data center infrastructure, requiring GDPR compliance through the Data Protection Addendum (DPA) and Standard Contractual Clauses.
Microsoft 365 (formerly Office 365) is a cloud based productivity and collaboration suite developed by Microsoft. It includes Outlook, Word, Excel, PowerPoint, Microsoft Teams, OneDrive, SharePoint, and a growing range of services such as Viva Insights, Loop, and Copilot. Organisations use it for email, document creation, file storage, video conferencing, intranet portals, and workflow automation. When Microsoft 365 components are embedded on public facing websites (SharePoint pages, Microsoft Forms, Teams meeting links, Power BI dashboards), they introduce privacy considerations for website operators subject to European data protection law.
Microsoft 365 sets various cookies for authentication, session management, security, and analytics. Key cookies include MUID (unique machine identifier, 13 months), ESTSAUTH and ESTSAUTHPERSISTENT (Azure AD authentication tokens), AADSSO (single sign on state), MC1 (Microsoft analytics, 13 months), and MS0 (session identification). Microsoft also collects telemetry data including required and optional diagnostic data that covers application usage patterns, performance metrics, and error reports. When M365 services are embedded on external sites, cookies from domains such as login.microsoftonline.com, sharepoint.com, and office.com may be deposited on visitor browsers.
Microsoft 365 raises significant GDPR considerations due to the breadth and sensitivity of personal data processed across its services. Microsoft acts as a data processor under the Data Protection Addendum (DPA), which incorporates Standard Contractual Clauses (SCCs) and specific EU GDPR terms. In November 2025, the Hessian Data Protection Commissioner published a 137 page report confirming that Microsoft 365 can operate within GDPR requirements when properly configured, following a three year review process. The European Data Protection Supervisor also closed its enforcement proceedings against the European Commission's use of M365 in July 2025 after Microsoft implemented additional safeguards. However, compliance remains a shared responsibility: organisations must configure telemetry settings, data retention, and access controls appropriately.
The legal basis depends on the specific use of Microsoft 365. For internal employee use of productivity tools, contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)) typically applies. Microsoft's telemetry collection may rely on legitimate interest for required diagnostic data, while optional diagnostic data should be disabled unless consent is obtained. When M365 components are embedded on public facing websites (SharePoint pages, Microsoft Forms, Power BI reports), explicit consent under Art. 6(1)(a) GDPR and the ePrivacy Directive is required before setting non essential cookies on visitor browsers. Organisations should deploy a cookie consent management platform to manage consent for these embeds.
Microsoft operates a global network of data centers and may process M365 data in US, EU, and Asia Pacific facilities. To address GDPR transfer requirements, Microsoft provides the DPA with SCCs and has implemented the EU Data Boundary, which ensures that core customer data for eligible tenants is stored and processed within the EU and EFTA. Microsoft is a certified participant in the EU US Data Privacy Framework. However, certain data flows such as support requests and some security telemetry may still involve US processing. Organisations should review their tenant's data residency settings, confirm the DPA is in effect, and document these safeguards in their Records of Processing Activities. The extraterritorial reach of the US CLOUD Act remains a consideration that organisations should assess in their transfer impact assessments.
To achieve GDPR compliance with Microsoft 365, organisations should follow these key steps. First, review and accept the Data Protection Addendum in the Microsoft 365 Admin Center. Second, configure diagnostic data settings to the minimum required level (Security only or Required). Third, enable the EU Data Boundary if your tenant is eligible. Fourth, conduct a DPIA covering all M365 services in use, leveraging Microsoft's DPIA template and Service Elements Matrix. Fifth, deploy a cookie consent banner on public facing websites embedding M365 widgets. Sixth, configure data retention policies and Data Loss Prevention (DLP) rules via the Microsoft Purview compliance portal. Seventh, restrict third party app access via the AppSource marketplace. Eighth, configure audit logging and regularly review the Unified Audit Log. Finally, train staff on data protection principles and use Microsoft's M365 Kit documentation resources to support your compliance programme.
Websites embedding Microsoft 365 components must obtain visitor consent under GDPR and the ePrivacy Directive before non essential cookies are set.
DPIA considerations
A DPIA is strongly recommended for Microsoft 365 deployments due to large scale processing of personal data across email (Outlook/Exchange), file storage (OneDrive/SharePoint), collaboration (Teams), and productivity applications. Key areas to assess include: volume and sensitivity of personal data processed across all M365 apps, telemetry and diagnostic data collection by Microsoft, international data transfers to US and other data centers, employee monitoring risks if productivity analytics (Viva Insights) are enabled, data retention and deletion policies across services, third party app integrations via AppSource, and the adequacy of the DPA and SCCs for your specific processing activities. The Hessian DPA (Germany) published a 137 page assessment in November 2025 confirming M365 can operate within GDPR requirements when properly configured.
Sample consent text
This site uses embedded Microsoft 365 services (including SharePoint, Forms, and Teams widgets) that may set cookies and process personal data on Microsoft servers, including servers located outside the European Economic Area. These cookies enable authentication, session management, and service functionality. By accepting, you consent to this data processing in accordance with Microsoft's Data Protection Addendum. You can withdraw your consent at any time through our cookie settings.
Third-party domains contacted
login.microsoftonline.com, outlook.office.com, sharepoint.com, teams.microsoft.com, onedrive.live.com, office.com, graph.microsoft.com, admin.microsoft.com, compliance.microsoft.com, forms.office.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| MUID | analytics | 13 months | Microsoft unique machine identifier used to track user interactions across Microsoft properties and for analytics. |
| ESTSAUTH | authentication | Session | Azure Active Directory authentication token that validates the user login session for Microsoft 365 services. |
| ESTSAUTHPERSISTENT | authentication | 90 days | Persistent Azure AD authentication token enabling the Keep me signed in functionality across browser sessions. |
| AADSSO | authentication | Session | Stores the single sign on state for Azure Active Directory, allowing seamless access across M365 applications. |
| MC1 | analytics | 13 months | Microsoft analytics cookie tracking user interactions with Microsoft services for usage reporting and improvement. |
| MS0 | functionality | Session | Session identification cookie for maintaining user state within Microsoft 365 web applications. |
| MSFPC | analytics | 13 months | Microsoft first party cookie used for analytics and site usage measurement across Microsoft online properties. |
| SignInStateCookie | authentication | Session | Tracks the authentication state during the login flow to prevent login replay attacks and ensure session integrity. |
Microsoft 365 sets several cookies including MUID (unique machine identifier, 13 months), ESTSAUTH and ESTSAUTHPERSISTENT (Azure AD authentication tokens), AADSSO (single sign on state), MC1 (Microsoft analytics, 13 months), and MS0 (session identification). Microsoft also collects telemetry data covering usage patterns and performance metrics. When M365 services are embedded on external websites, cookies from login.microsoftonline.com, sharepoint.com, and office.com domains may be deposited on visitor browsers.
For internal organisational use by employees, consent is typically not required as contract performance or legitimate interest serve as legal basis. However, when M365 components such as SharePoint pages, Microsoft Forms, or Power BI dashboards are embedded on public facing websites, prior consent under the ePrivacy Directive is required before setting non essential cookies. Optional telemetry and diagnostic data collection also requires consent or should be disabled.
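One way to implement the consent gate described above, as an added example that is not FlowConsent's or Microsoft's code: it keeps iframes pointing at the listed Microsoft domains unloaded until analytics consent is recorded, and checks a scanned cookie list for cookies from the table above that were set without consent. It assumes that the table's analytics cookies require consent while authentication and functionality cookies count as strictly necessary for a loaded embed; the embed descriptors and cookie list are constructed inputs.

```javascript
// Added example, not FlowConsent's or Microsoft's code: gate M365 embeds behind
// consent and check a scanned cookie list for cookies that needed consent.
// Assumption: "analytics" cookies need consent; the others are strictly necessary.
const M365_COOKIES = {
  MUID: "analytics", MC1: "analytics", MSFPC: "analytics",
  ESTSAUTH: "authentication", ESTSAUTHPERSISTENT: "authentication",
  AADSSO: "authentication", SignInStateCookie: "authentication",
  MS0: "functionality",
};
const CONSENT_REQUIRED_TYPES = new Set(["analytics"]);

// Domains from the "Third-party domains contacted" list; subdomains match too
// (contoso.sharepoint.com matches sharepoint.com, notoffice.com does not).
const M365_HOSTS = [
  "login.microsoftonline.com", "outlook.office.com", "sharepoint.com",
  "teams.microsoft.com", "onedrive.live.com", "office.com", "graph.microsoft.com",
  "admin.microsoft.com", "compliance.microsoft.com", "forms.office.com",
];

function isM365Host(hostname) {
  const h = hostname.toLowerCase();
  return M365_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// embeds: [{ id, url }] for iframes whose URL is held in data-src until consent.
// consent: { analytics: true|false } as recorded by the banner. Any M365 embed can
// set MUID/MC1 on the visitor's browser, so it stays blocked until consent exists.
function embedsToLoad(embeds, consent) {
  return embeds
    .filter((e) => !isM365Host(new URL(e.url).hostname) || consent.analytics === true)
    .map((e) => e.id);
}

// cookieList: "name=value; name=value" exported by a cookie scan of the page's
// third-party requests (document.cookie cannot see cookies set on Microsoft's
// domains). Returns the table's cookie names set without the consent their type needs.
function cookiesSetWithoutConsent(cookieList, consent) {
  return cookieList
    .split(";")
    .map((c) => c.trim().split("=")[0])
    .filter((name) => {
      const type = M365_COOKIES[name];
      return type !== undefined && CONSENT_REQUIRED_TYPES.has(type) && consent[type] !== true;
    });
}
```

In a page, the ids returned by embedsToLoad are the iframes whose data-src can be copied into src once the banner records consent; the cookie check is for a post-consent audit, not the banner itself.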
Core productivity use by employees relies on contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)). Required diagnostic data collection is covered by legitimate interest for service security and reliability. Optional diagnostic data should be disabled or consented to. Public facing embeds that set cookies require explicit consent (Art. 6(1)(a)). Each processing activity should be documented in your Records of Processing Activities.
Yes. Microsoft operates global data centers and may process data in US facilities. Transfers are covered by the Data Protection Addendum (DPA) incorporating SCCs. Microsoft has implemented the EU Data Boundary for eligible tenants and is certified under the EU US Data Privacy Framework. However, some data flows such as support requests and security telemetry may still involve US processing. The US CLOUD Act's extraterritorial reach should be assessed in transfer impact assessments.
A DPIA is strongly recommended and likely required under Art. 35 GDPR for most M365 deployments. The platform processes large volumes of personal data across email, file storage, collaboration, and productivity applications. Microsoft provides a DPIA template and Service Elements Matrix to assist organisations. The Hessian DPA confirmed in November 2025 that M365 can be compliant when properly configured, but each organisation must assess risks specific to their deployment.
Review and accept the DPA in the Microsoft 365 Admin Center. Configure diagnostic data to the minimum required level. Enable the EU Data Boundary if eligible. Conduct a DPIA using Microsoft's templates. Deploy cookie consent banners for public facing M365 embeds. Configure data retention and DLP rules via Microsoft Purview. Restrict third party app access. Enable audit logging and review the Unified Audit Log regularly. Train staff on data protection principles.
Alternatives include Nextcloud (self hosted open source collaboration), LibreOffice Online (open source office suite), Tutanota or ProtonMail (privacy focused email), CryptPad (encrypted collaboration), and Infomaniak kSuite (Swiss hosted productivity). For specific functions, Jitsi Meet can replace Teams for video conferencing. Each alternative should be evaluated for its own GDPR compliance posture and security certifications.
List all cookies set by embedded M365 services including names, purposes, durations, and originating domains (login.microsoftonline.com, sharepoint.com, office.com, teams.microsoft.com). Specify whether each cookie is strictly necessary or requires consent. Document Microsoft's role as data processor, reference the DPA and SCCs, and describe the telemetry data collected. Provide clear instructions for managing or withdrawing consent. Review the policy whenever M365 integrations change.