Dutch report says Microsoft Office is not GDPR compliant

[German]It's no real surprise: An investigation for dutch governement found, that Microsoft spies on users for individual use through its Office Pro Plus modules. Office 2016 Pro Plus and Office 365 isn't compliant with the General Data Protection Regulation (GDPR).


Microsoft systematically and extensively collects data about the individual use of Word, Excel, PowerPoint and Outlook. Secretly, without informing people. This is the core message of the Tor project's tweet that reached me some days ago through Michael Horowitz (security researcher).

Having experienced this with Windows 10, it's not really a surprise.

The background

The Dutch Ministry of Security and Law wanted to ensure that the software used in dutch governement was in compliance with the General Data Protection Regulation (GDPR) and legal provisions. Microsoft Office is also used by Dutch authorities.

The SLM Rijk (Strategisch Leveranciersmanagement Microsoft Rijk) is a special division, that conducts negotiations with Microsoft on about 300,000 digital workplaces in Dutch government organizations. The enterprise version of the Microsoft Office (Office 2016 Pro Plus) software is used by various government organizations such as ministries, the judiciary, the police and the tax office.


The Privacy Company was commissioned (see where the documents are available in Dutch and English) to examine Microsoft products on behalf of SLM Rijk to determine whether they comply with public or legal privacy requirements. The document Impact assessment shows privacy risks Microsoft Office ProPlus Enterprise presents the results of the DPIA investigations carried out on behalf of the Dutch Ministry of Security and Law. Microsoft Office ProPlus (Office 2016 MSI and Office 365 CTR) was examined. At the request of the Ministry, the Privacy Company published the results in the above blog post.

The Results

The results of this Data Protection Impact Assessment (DPIA) are alarming. Microsoft collects and stores personal information about individual employee behavior on a large scale without any public documentation. The DPIA report published by the Ministry is available here (English).

With immediate effect, SLM Rijk offers support to Microsoft administrators of government organizations to reduce the telemetry data from Office to zero (zero exhaust settings). While the DPIA document was being created, Microsoft is committed to taking a number of other important steps to reduce data protection risks. Details may be found within the reports and websites linked above.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Office, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *