Resources

Inquiry into Microsoft Ireland Operations Limited - November 2023

Date of decision: 15 November 2023

On 15 November 2023, following an inquiry concerning a complaint received against Microsoft Ireland Operations Limited (Microsoft), the Data Protection Commission (DPC) adopted a decision.

The DPC commenced this inquiry on 29 June 2023, on foot of a complaint that Microsoft failed to comply with two erasure requests submitted by the complainant in March and October 2021.

The scope of the inquiry concerned an examination and assessment of the following:

  •  Whether Microsoft’s handling of the complainant’s erasure requests was compliant with Articles 12 and 17 of the GDPR.

As the processing under examination constituted 'cross border' processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion.

As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR.

The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. The decision, which was adopted on 15 November 2023, records findings of infringement as follows:

  • Article 12(4) of the GDPR

The DPC finds that Microsoft infringed Article 12(4) of the GDPR in respect of the March erasure request when it failed to inform the complainant of the possibility of seeking a judicial remedy when it responded to them outlining the reasons for not taking action, in part, on the complainant’s erasure request.

  • Article 12(4) of the GDPR

The DPC finds that Microsoft infringed Article 12(4) of the GDPR in respect of the October erasure request when it failed to inform the complainant of the possibility of seeking a judicial remedy when it responded to them outlining the reasons for not taking action on the complainant’s erasure request.

  • Article 17 of the GDPR

The DPC finds that Microsoft infringed Article 17 of the GDPR by failing to erase personal data that were the subject of the complainant’s erasure request of October 2021 without undue delay.

Corrective Powers Exercised:

  • An order, in accordance with Article 58(2)(d) of the GDPR for Microsoft to revise its internal policies and procedures as regards the information to be provided to data subjects pursuant to Article 12, to ensure that, where it informs data subjects on foot of requests made under Articles 15 to 22 of the GDPR that it has decided not to take action on the request, that data subjects are informed in all cases of their right to seek a judicial remedy. Details of compliance to be provided to the DPC by 7 February 2024.

  • A reprimand to Microsoft Ireland Operations Limited pursuant to Article 58(2)(b) of the GDPR in light of the infringements found.

For more information, you can download the full decision at this link: Inquiry into Microsoft Ireland Operations Limited - November 2023 (PDF, 5.6mb)