Resources

Inquiry into Microsoft Ireland Operations Limited – September 2025

Date of decision: 1 September 2025

On 1 September 2025, following an inquiry concerning a complaint received against Microsoft Ireland Operations Limited (Microsoft), the Data Protection Commission (DPC) adopted a decision.

The DPC commenced this inquiry on 16 May 2023, on foot of a complaint that Microsoft failed to comply with an access request submitted by the complainant in August 2020.

The scope of the inquiry concerned an examination and assessment of the following:

  1. Whether the Controller complied with Article 12(4) of the GDPR after the Complainant made an access request on 17 August 2020;
  1. Whether the Controller’s reliance on Article 15(4) to withhold all of the Complainant’s data was justified; and
  1. Whether the Controller was in compliance with Article 5(1)(a) in deleting the Complainant’s personal data (i.e. any personal data contained in the relevant OneDrive account).

As the processing under examination constituted 'cross border' processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion.

The DPC received one relevant and reasoned objection to the draft decision from the supervisory authorities concerned within the statutory period and therefore issued a revised draft decision. As the DPC did not receive any relevant and reasoned objections to the revised draft decision, the supervisory authorities concerned were deemed to be in agreement with the revised draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR.

The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. The decision, which was adopted on 1 September 2025, records findings of infringement as follows:

  • Article 12(4) of the GDPR

The DPC finds that Microsoft infringed Article 12(4) of the GDPR in respect of the access request when it failed to inform the complainant of the possibility to lodge a complaint with a supervisory authority and to seek a judicial remedy following the complainant’s access request.

  • Article 5(1)(a) of the GDPR

The DPC finds that, the specific circumstances of the complaint, Microsoft infringed the lawfulness, fairness and transparency principle under Article 5(1)(a) of the GDPR in its handling of the access request and in its decision to delete the complainant’s data.

Corrective Powers Exercised:

  • A reprimand to Microsoft Ireland Operations Limited pursuant to Article 58(2)(b) of the GDPR in light of the infringements found.
  • In light of the infringement of Article 5(1)(a) of the GDPR, and in accordance with Article 58(2)(d) of the GDPR, an order for Microsoft to revise its policies and procedures so that
    1. the data retention policies for data associated with accounts terminated by Microsoft for violations of the Microsoft Services Agreement are clarified in its user-facing policies;
    2. the circumstances when Microsoft permanently deletes such data are clarified and;
    3. the appeals processes available to the account holder where Microsoft has terminated the service for an alleged infringement of the Terms of Service are outlined.

The full decision can be downloaded at this link: Inquiry into Microsoft Ireland Operations Limited – September 2025 (10MB, PDF)