April 17th, 2025

Microsoft 365 Certification control spotlight: General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations processing the personal data of EU individuals. It aims to protect data subject rights and ensure lawful, fair, and transparent data processing. GDPR imposes obligations on data controllers and processors, including implementing security measures, conducting impact assessments, and reporting breaches. It is relevant for organizations both within and outside the EU that target or monitor EU residents, necessitating compliance to avoid penalties and meet enterprise customer requirements.

Microsoft 365 Certification verifies that apps, and their supporting infrastructure, are in accordance with key elements of GDPR, including:

  • Data subjects can submit subject access requests (SARs).
  • The ISV can identify all locations of information related to a data subject when responding to SARs.
  • A backup retention period is in place that allows data removed via SARs to be purged as old backups are deleted or overwritten.

GDPR requires organizations to handle SARs in accordance with Article 12. Article 12.3 requires data controllers to respond within one month of receiving a SAR, with a possible extension of up to two months where justified. Data processors also assist the data controller in fulfilling SAR obligations. Certification auditors review the ISV's subject access request procedures to ensure compliance.

Microsoft 365 Certification confirms that ISVs have a process in place to accurately identify all locations where data subjects' information is stored. This could be a manual process relying on detailed documentation of data storage, or the use of tools to ensure all data is located during the SAR process. ISVs provide a list of all data locations and a documented search process. This includes the commands used for data searches, such as specific SQL statements where applicable, to ensure proper data identification.

ISVs show a formal retention period for backups that accommodates data removal due to SARs. The framework phases out older backups within a defined period, ensuring that data erased in response to a SAR is removed from all backups. This aligns backup practices with regulatory requirements concerning the right to erasure.

Article 13 of the GDPR outlines the information that data controllers must provide to data subjects when collecting their personal data. This includes the identity and contact details of the data controller, the purposes of processing, the legal basis for processing, the recipients or categories of recipients of the personal data, and the period for which the data will be stored.

GDPR stipulates that data subjects must be informed of their rights, such as the right to access, rectify, or erase their data, the right to data portability, and the right to lodge a complaint with a supervisory authority. Certification verifies that ISVs and their offerings comply with Article 13, giving data subjects control over their personal information by requiring clear and detailed data privacy notices.

Portions of this control set are automated using ACAT, the App Compliance Automation Tool. ACAT is a service within the Azure portal designed to ease the path to compliance for applications using Microsoft 365 customer data and published through Partner Center. ACAT also allows continuous compliance monitoring with customized daily reports.

Next steps

To learn how Microsoft 365 Certification validates GDPR compliance requirements, visit the Microsoft 365 Certification control evidence requirements.

To start certification, go to the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and select App Compliance.
