Microsoft and the transfer of personal data: why even the EU Data Boundary doesn't solve everything? And how to deal with it?
Wondering where your business data ends up when you use Microsoft cloud services? New EU Data Boundary rules promise to keep your sensitive information in Europe. But the reality is more complicated. Find out when and why Microsoft can still transfer your data outside the EU. What risks does this pose and what measures can help you stay safe and GDPR compliant?
Jan Kubicek

A new era of data storage in Europe
The situation regarding the "travelling" of personal data when using Microsoft products has already improved during 2023, when the European Commission issued a decision on the appropriate level of protection for the US.
Then, in early 2025, Microsoft declared that all corporate and public sector customer data is stored in the EU. The measure applies to data processed by the main cloud services - i.e. Microsoft 365, Dynamics 365, Power Platform and most Azure services. When technical support is used, data (e.g. logs or case notes) should be stored in accordance with the EU Data Boundary.

For the customer data itself (i.e. mainly the files we upload to Microsoft services), the EU Data Boundary works well. However, ensuring the same geographic location for the rest of the data has given Microsoft a lot of work (see the text of the post announcing the completion of the EU Data Boundary).
So what's the catch? In certain cases, data is still transferred outside the EU Data Boundary.
Data storage only in Europe? Old exceptions
Several exceptions apply. Geographical restrictions on data processing do not apply when providing technical support. Therefore, when a technical problem is resolved, personal data may be transferred to a third country.
Another exception applies to the handling of logs. Even during log handling, personal data may be transferred outside the EU Data Boundary. However, Microsoft at least declares that it keeps the logs in accordance with the principle of minimisation of processing - i.e. only for as long as necessary and for operational purposes only.
What about logs? Sometimes it's personal data
As part of the normal operation of Microsoft's online services, system logs are created. These continuously record what happened in the system and when. Logs help Microsoft monitor whether its systems are working properly, prevent fraud or cyber attacks, optimise performance and enable it to demonstrate compliance with regulations and policies.
System logs for Microsoft's core services are usually stored in datacentres under the EU Data Boundary. However, they may still be transferred, albeit on a limited basis, e.g. to the USA or may be accessed remotely by Microsoft staff (e.g. for security purposes).
Some logs may contain personal data - e.g. information such as who started which instance or who performed which action in the system. This does not have to be a first and last name. Often, a unique identifier that can eventually be assigned back to a specific person, such as an administrator, is sufficient. Logs are also created about the activity of ordinary users.
Microsoft pseudonymizes these logs - it replaces a specific identifier with an artificial one. However, even this data can be matched to a specific person by adding additional information.
Log transfers are documented and pseudonymized. However, the logs are still personal data because they are not anonymised - anonymisation would render the logs unusable for keeping a history of transactions or actions on the system (logs that are anonymised would cease to be personal data).
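The difference between pseudonymised and anonymised logs described above can be shown in a few lines. This is an added example, not Microsoft's actual method: the keyed HMAC, the key, the log entries and the function names are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumed secret: the "additional information", held separately from the logs.
SECRET_KEY = b"constructed-demo-key"

# Constructed sample log: (timestamp, user identifier, action).
RAW_LOG = [
    ("2025-03-01T08:00:00Z", "admin@example.com", "StartInstance"),
    ("2025-03-01T08:05:00Z", "jana@example.com", "OpenFile"),
    ("2025-03-01T08:09:00Z", "admin@example.com", "DeleteInstance"),
]

def pseudonymize(user_id, key=SECRET_KEY):
    """Replace an identifier with an artificial but stable token."""
    digest = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    return "u-" + digest[:16]

def pseudonymized_log(log):
    return [(ts, pseudonymize(user), action) for ts, user, action in log]

def anonymized_log(log):
    # Identifier removed entirely: nothing left to link entries to a person.
    return [(ts, None, action) for ts, _user, action in log]

def history_by_actor(log):
    """Group actions per actor, as an audit trail would."""
    history = defaultdict(list)
    for _ts, actor, action in log:
        history[actor].append(action)
    return dict(history)

def reidentify(pseudonym, candidates, key=SECRET_KEY):
    """With the key, a pseudonym can be matched back to a known person."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize(candidate, key), pseudonym):
            return candidate
    return None

if __name__ == "__main__":
    print(history_by_actor(pseudonymized_log(RAW_LOG)))
    print(history_by_actor(anonymized_log(RAW_LOG)))
```

The pseudonymised log still yields a per-actor history and can be linked back to a person by whoever holds the key, which is why it remains personal data; the anonymised log can do neither.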

Conclusion: the EU Data Boundary does not apply absolutely
Let's recap. There are still situations (typically when running cloud services) where Microsoft will transfer data outside the EU Data Boundary, for example:
- security monitoring
- data transfer triggered by the customer's use of the services
Therefore, we continue to recommend that this area be looked at more closely and that cases of possible transfer be dealt with. In order to be able to demonstrate compliance with the requirements of the GDPR, you must show that these are limited transfers for compelling reasons (which ensuring security can be).
(If you're wondering about data transfer to the US or elsewhere more generally, check out this article.)
And what if the data is transferred to a third country?
Microsoft declares that if Microsoft employees outside the EU Data Boundary need to access Customer Data, pseudonymized personal data (typically system-generated logs), or Professional Services Data that Microsoft maintains inside the EU Data Boundary, then:
- such access (i.e. "transfer of personal data" under the GDPR) is secured by technologies that ensure its safety,
- these data will not be permanently stored outside the EU Data Boundary.
For core services, the EU Data Boundary should be set according to where your organisation operates. Alternatively, you can set this up for the service yourself. You can learn more about security on the Microsoft website.
What are Professional Services and Professional Services Data?
By Professional Services, Microsoft means, for example, its consulting or migration services, but also the technical support provided when using its services. The data that the customer provides to Microsoft for the use of these services is then referred to as Professional Services Data. This can be text, audio, video, image files or software.
What is Customer Data?
By Customer Data, Microsoft refers to all possible types of data that are entrusted to Microsoft as part of the use of its online services. (Online Services are typically Microsoft cloud services such as Azure, Dynamics 365, Microsoft 365, etc.)
Furthermore, if the user or the customer-side administrator initiates the data transfer outside the EU Data Boundary, Microsoft will not prevent such a transfer, as it does not want to disrupt the services provided.
In MS Azure, for example, you can set that no workload will run outside the allowed locations. For example, you can prevent anyone in your environment from running a deployment outside the region.
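A location restriction of this kind can be checked against a resource inventory before it is enforced. The following is an added example, not Microsoft's code: the rule is a simplified model in the if/then shape that Azure Policy uses, and the allowed-region list, inventory and function names are assumptions constructed for illustration.

```python
# Assumed choice of permitted regions for this organisation.
ALLOWED_LOCATIONS = ["westeurope", "northeurope", "germanywestcentral"]

# Simplified rule in the if/then shape used by Azure Policy definitions.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": ALLOWED_LOCATIONS},
        # Non-regional resources report the location "global".
        {"field": "location", "notEquals": "global"},
    ]},
    "then": {"effect": "deny"},
}

# Constructed inventory, shaped like the name/type/location of a resource list.
INVENTORY = [
    {"name": "vm-app-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "st-backup", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"name": "dns-zone", "type": "Microsoft.Network/dnsZones", "location": "global"},
    {"name": "sql-report", "type": "Microsoft.Sql/servers", "location": "WestEurope"},
]

def _matches(condition, resource):
    """Evaluate one condition of the rule; comparisons ignore case."""
    if "allOf" in condition:
        return all(_matches(c, resource) for c in condition["allOf"])
    value = str(resource.get(condition["field"], "")).lower()
    if "notIn" in condition:
        return value not in [v.lower() for v in condition["notIn"]]
    if "notEquals" in condition:
        return value != condition["notEquals"].lower()
    raise ValueError(f"unsupported condition: {condition}")

def evaluate(resource, rule=POLICY_RULE):
    """Return the rule's effect if the resource matches it, else 'allow'."""
    return rule["then"]["effect"] if _matches(rule["if"], resource) else "allow"

def violations(inventory):
    """Names of resources that the rule would deny."""
    return [r["name"] for r in inventory if evaluate(r) == "deny"]

if __name__ == "__main__":
    for r in INVENTORY:
        print(f'{r["name"]:<12} {r["location"]:<12} {evaluate(r)}')
```

Running the check in report-only fashion first shows which existing deployments would be blocked once the restriction is switched to deny.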
(Interested in how IT regulation treats non-EU countries? Read our article on geographic risks under GDPR, DORA and NIS2.)
How to live with EU Data Boundary
As long as the legal situation in the US remains as it is today, we can continue to rely on decisions on the appropriate level of protection for the US.
The completion of the EU Data Boundary obviously improves the situation for data controllers and processors in the EU - but there are still cases where data will be transferred to third countries.
It is therefore necessary to assess this responsibly, to evaluate the circumstances of the transfers in question and, where appropriate, to evaluate relevant third countries outside the US and Switzerland for which there is no adequacy decision.
At ORBIT we can help you with this, as we prepare such assessments for banks and banking groups. Contact us - we know our way around Microsoft Azure cloud services as well as AWS and Amazon Cloud Services.




