https://www.baden-wuerttemberg.datenschutz.de/cookies-tracking-faq-update/
deep link:
https://www.baden-wuerttemberg.datenschutz.de/faq-zu-cookies-und-tracking-2/
[protecting people by good design, solid security, efficient processes and trusted services]
https://www.dr-datenschutz.de/verzeichnis-von-verarbeitungstaetigkeiten-tipps-zur-umsetzung/
includes links to
Interesting structure:
Contents
Summary………………………………………………………………………………………….4
Introduction ……………………………………………………………………………………. 11
Part A. Description of the data processing……………………………………………….. 19
1. The processing of Diagnostic Data…………………………………………….. 19
1.1 About Teams, OneDrive, SharePoint Online and the Azure AD………… 19
1.2 Difference between Content, Functional and Diagnostic Data …………. 21
1.3 Different types of Diagnostic Data ………………………………………….. 23
2. Personal data and data subjects ………………………………………………. 24
2.1 Definitions of different types of personal data ……………………………. 24
2.2 Telemetry data mobile Teams, OneDrive and SharePoint apps ……….. 25
2.3 Outgoing traffic to third parties……………………………………………… 30
2.4 Diagnostic data from audits logs and admin consoles in Teams,
OneDrive and Sharepoint…………………………………………………………….. 33
2.5 Results access requests ………………………………………………………. 35
2.6 Analytical services based on the system-generated log files…………… 38
2.7 Types of personal data and data subjects…………………………………. 43
3. Privacy controls …………………………………………………………………… 47
3.1 Privacy controls system administrators ……………………………………. 47
3.2 Privacy controls end users……………………………………………………. 54
4. Purposes of the processing……………………………………………………… 56
4.1 Purposes Diagnostic Data generated on cloud servers………………….. 56
4.2 Purposes Telemetry Data generated on user devices and browser …… 57
4.3 Purposes Microsoft and third parties as data controllers ……………….. 58
5. (Joint) controller or processor………………………………………………….. 58
5.1 Definitions……………………………………………………………………….. 58
5.2 Contractual arrangements between SLM Rijk, SURF and Microsoft…… 59
5.3 Data processor …………………………………………………………………. 60
5.4 Data controller………………………………………………………………….. 60
5.5 Joint controllers ………………………………………………………………… 67
6. Interests in the data processing……………………………………………….. 68
6.1 Interests of the government organisations and universities …………… 68
6.2 Interests of Microsoft………………………………………………………….. 69
6.3 Joint interests…………………………………………………………………… 71
7. Transfer of personal data outside of the EU …………………………………. 72
7.1 Microsoft’s factual transfers of personal data to the USA ………………. 72
7.2 GDPR rules for transfers of personal data…………………………………. 73
7.3 Data Transfer Impact Assessment (DTIA)…………………………………. 75
8. Techniques and methods of the data processing …………………………… 87
8.1 Encryption……………………………………………………………………….. 87
8.2 Big Data Processing……………………………………………………………. 88
9. Additional legal obligations: e-Privacy Directive……………………………..89
10. Retention periods ………………………………………………………………….91
Part B. Lawfulness of the data processing…………………………………………………94
11. Legal Grounds………………………………………………………………………94
11.1 Diagnostic data Teams, OneDrive, Sharepoint Online and the Azure AD 94
11.2 Telemetry data Office for the Web and Required Service Data ………96
11.3 Controller Connected Experiences …………………………………………96
11.4 Analytics & reports in Teams and Viva Advanced Insights ……………96
12. Special categories of data………………………………………………………..97
13. Purpose limitation………………………………………………………………….97
14. Necessity and proportionality ……………………………………………………98
14.1 The principle of proportionality …………………………………………….98
14.2 Assessment of the proportionality …………………………………………98
14.3 Assessment of the subsidiarity……………………………………………101
15. Data Subject Rights ……………………………………………………………..102
Part C. Discussion and Assessment of the Risks ……………………………………….104
16. Risks………………………………………………………………………………..104
16.1 Identification of Risks ………………………………………………………104
16.2 Assessment of Risks………………………………………………………..105
16.3 Summary of risks……………………………………………………………109
Part D. Description of risk mitigating measures ………………………………………..111
17. Risk mitigating measures ………………………………………………………111
17.1 Measures against the one high and six low risks ……………………..111
Conclusions ……………………………………………………………………………………116
APPENDIX 1……………………………………………………………………………………117
Data Protection Impact Assessments in Practice
Experiences from Case Studies
Michael Friedewald, Ina Schiering, Nicholas Martin, Dara Hallinan
https://link.springer.com/chapter/10.1007/978-3-030-95484-0_25
GooglePlay Developer Policy Center
https://play.google.com/about/developer-content-policy/
Überarbeitetes privatim-Merkblatt «Cloud-spezifische Risiken und Massnahmen»
https://www.privatim.ch/de/uberarbeitetes-privatim-merkblatt-cloud-spezifische-risiken-und-massnahmen-2/
largely follows DSB Austria
also in English:
https://www.cnil.fr/en/use-google-analytics-and-data-transfers-united-states-cnil-orders-website-manageroperator-comply#
The actual decision:
https://www.cnil.fr/sites/default/files/atoms/files/med_google_analytics_anonymisee.pdf