Microsoft complies with applicable legal requirements providing adequate protection for the transfer of personal data to countries outside of the EEA. We transfer personal data from the EEA using the European Commission-approved Standard Contractual Clauses.
Following the Schrems II ruling (CJEU 2020), the legal validity of data transfers to the US depends on supplementary measures alongside SCCs; while the EU-US Data Privacy Framework (2023) now provides an alternative adequacy basis, any future invalidation of these mechanisms could disrupt Microsoft's services for EU users.
Microsoft collects a wide range of personal data — including location, voice recordings, search queries, browsing history, and content you create — across all its products and uses this data for advertising personalisation, AI training, and product improvement. Users with a Microsoft account have rights to access, correct, delete, and export their data, and can opt out of interest-based advertising, but many data uses are bundled under broad legitimate interest or contractual necessity grounds that cannot be individually declined. You can review, download, and delete your personal data, and adjust advertising and diagnostic data settings, by visiting the Microsoft Privacy Dashboard at account.microsoft.com/privacy.