Microsoft · Microsoft Privacy Statement (Legacy)

Enterprise and Organizational Data Processing

Medium severity

What it is

If you use Microsoft products through your employer, school, or government, your organization — not Microsoft — controls your data and is responsible for privacy. Microsoft's privacy policy does not protect you in these cases.

Why it matters (compliance & risk perspective)

Many people use Microsoft products at work or school without realizing that Microsoft's consumer privacy protections do not apply — their employer or institution controls their data and sets the privacy rules.

Consumer impact (what this means for users)

If you use Microsoft 365, Teams, or other Microsoft products through your employer or school, your personal data is controlled by your organization, not covered by Microsoft's consumer privacy statement, and your employer may be able to access your activity data.

How other platforms handle this

Character.AI Medium

We may disclose certain information, in connection with or during negotiations or closing of any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

Google Gemini Medium

For users who are under 18, Gemini Apps Activity is saved for 18 months by default and can only be changed to 3 months. Conversations with Gemini apps from users under 13 are not saved to their Google Account by default.

Reddit Medium

Reddit, Inc., is based in the United States and we process and store information on servers located in the United States. We may store information on servers and equipment in other countries depending on a variety of factors, including the locations of our users and service providers. By accessing o...

Original clause language
When Microsoft offers products to an enterprise or organization (your employer, school, or government entity), that enterprise customer controls and administers the Microsoft products and is the data controller for personal data associated with those products. Microsoft processes that data on behalf of the enterprise customer and, in such cases, Microsoft's privacy statement does not apply to the processing of your personal data. The enterprise customer's privacy statement applies. You should direct privacy inquiries to your organization's administrator.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: GDPR Art. 28 governs processor relationships, requiring a Data Processing Agreement when Microsoft processes employee/student data on behalf of enterprise customers who act as controllers. GDPR Art. 4(7)-(8) defines the controller-processor distinction. FERPA (20 U.S.C. §1232g) applies where educational institutions deploy Microsoft products to students. Employment privacy laws in EU member states (e.g., Works Councils Act in Germany, Article L1222-4 in France) constrain employer monitoring of employee Microsoft activity data. U.S. Electronic Communications Privacy Act (ECPA, 18 U.S.C. §2511) applies to employer access to employee communications.


Applicable agencies

  • FTC
    The FTC has authority over deceptive practices related to enterprise data processing representations that may mislead consumers about who controls their data.

Applicable regulations

  • BIPA (Illinois, USA)
  • CCPA/CPRA (California, USA)
  • COPPA (United States Federal)
  • CAN-SPAM (United States Federal)
  • DMA (European Union)
  • FCRA (United States Federal)
  • GDPR (European Union)
  • GLBA (United States Federal)
  • HIPAA (United States Federal)
  • UK GDPR (United Kingdom)

Provision details

Document information
Document: Microsoft Privacy Statement (Legacy)
Entity: Microsoft
Document last updated: March 5, 2026

Tracking information
First tracked: April 9, 2026
Last verified: April 9, 2026
Record ID: CA-P-002502
Document ID: CA-D-00001

Evidence Provenance
SHA-256: 7a7aaaae65bc958b5f0f4bd77710852e41e6cfb0400ed13c15acbc6d552e2a1d
Verified: ✓ Snapshot stored   ✓ Change verified

How to Cite
ConductAtlas Policy Archive
Entity: Microsoft | Document: Microsoft Privacy Statement (Legacy) | Record: CA-P-002502
Captured: 2026-04-09 15:01:32 UTC | SHA-256: 7a7aaaae65bc958b…
URL: https://conductatlas.com/platform/microsoft/microsoft-privacy-statement-legacy/enterprise-and-organizational-data-processing/
Accessed: May 4, 2026

Classification
Severity: Medium


Frequently Asked Questions

Is ConductAtlas affiliated with Microsoft?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Microsoft.