Right To Be Forgotten

Summary General Data Protection Regulation

The help with right to be forgotten General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services in the European Union (EU) or collect and analyze data from individuals resident in the EU, regardless of their place of residence and company headquarters. This document provides you with information about complying with rights and obligations under the GDPR while using Microsoft products and services. A recommended GDPR action plan and accountability checklists provide additional resources for assessing and implementing GDPR compliance.


Helpful definitions for GDPR terms used in this document:

  • Data controller (responsible person) : a legal person, public authority, agency or other body that alone or jointly with others decides on the purposes and means of the processing of personal data.
  • Personal data and data subject : any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be directly or indirectly identified.
  • Processor : a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
  • Customer Data : Data created and stored as part of your regular business operations.

What is the GDPR?

The GDPR gives individuals the authority to manage personal data collected by an organization. These rights can be exercise upon a request from a data subject. The organization must provide timely information on data subject requests and data breaches, and conduct data protection impact assessments.

When implementing or evaluating GDPR requirement, several points should be consider:

  • Develop or evaluate your GDPR data protection policy for compliance data.
  • Assess data security in your organization.
  • Who is your data controller?
  • What data security operations may you need to run?

The recommended GDPR action plan and accountability checklists may bring up additional points to consider.

The following task are require to meet GDPR standard. Follow the links in the list for details about your implementation.

  • Requests from data subjects . A formal request made by a data subject to a controller to take specific action (amendment, restriction, access) in connection with the personal data of the data subject.
  • Security Breach Notification . Under the GDPR, a personal data breach is “a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitter, store or otherwise process”.
  • Data Protection Impact Assessments . Data controller are require under the GDPR to prepare a data protection impact assessment for process that are “likely to result in a high risk to the right and freedom of individual”.

As note above, the Recommend GDPR Action Plan and Accountability Checklist provide guidance on how to implement or assess right to be forgotten GDPR compliance when using Microsoft product and service.

Use the Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center that helps you understand your organization’s compliance posture and take action to reduce risk. The Compliance Manager has a pre-built assessment for this regulation for Enterprise E5 customers. The template for creating the assessment can be found on the Assessment Template page in the Compliance Manager. Learn how to create assessments in Compliance Manager .

request of a data subject

The GDPR grants individuals certain rights in connection with the processing of their personal data, including the right to have inaccurate data corrected, to erase or restrict the processing of data, to receive data and to fulfill a request to port the data to someone else controllers. The controller is responsible for providing a timely, GDPR-consistent response. For technical details, see Data Subject Requests .

Frequently Asked Questions (FAQs) about a Data Subject Request

What action are require to complete a data subject request?

Data subject requests consist of six activities: detection, access, rectification, restriction, export, and deletion.

What are your data sources?

Much of an organization’s data is generate in Office application such as Excel and Outlook. You may also find relevant data for a DSR in the insights and system-generated logs generated by Microsoft products and services .

What type of data need to be search?

Personal information can be found in customer data, insight generate by Microsoft product and service, and system-generate log.

How is personal data search?

Searches for personally identifiable information may vary among Microsoft products and services. For example, search tools offer a content search or an in-app search . Administrator can access system-generate log associate with user Right to be Forgotten Meaning.

In what formats should personal data be provided?

The GDPR “right to data portability” allows data subjects to request an electronic copy of their personal data in a “structured, commonly used, machine-readable format” and to have your organization transmit those files to another data controller.