Data Protection Impact Assessments: Guidance for Controllers Using Windows diagnostic data processor configuration
Note
This topic applies to Windows 10 Enterprise, Pro and Education editions, version 1809 with July 2021 update and newer.
Under the General Data Protection Regulation (GDPR), controllers are required to prepare a Data Protection Impact Assessment (DPIA) for processing operations that are 'likely to result in a high risk to the rights and freedoms of natural persons.' There's nothing inherent in the Windows diagnostic data processor configuration itself that would necessarily require the creation of a DPIA by a controller using it. Rather, whether a DPIA is required depends on the details and context of how the controller deploys, configures, and uses the Windows diagnostic data processor configuration.
The purpose of this document is to provide controllers with information about the Windows diagnostic data processor configuration that will help them to determine whether a DPIA is needed and, if so, what details to include.
Note
Microsoft is not providing any legal advice in this document. This document is being provided for informational purposes only. Customers are encouraged to work with their privacy officers and legal counsel to determine the necessity and content of any DPIAs related to their use of the Windows diagnostic data processor configuration or any other Microsoft online service.
Part 1: Determining whether a DPIA is needed
Article 35 of the GDPR requires a controller to create a Data Protection Impact Assessment (DPIA) '[w]here a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons'. It further sets out particular factors that would indicate such a high risk, which is discussed in the following table. To determine whether a DPIA is needed, a controller should consider these factors, along with any other relevant factors, in light of the controller's specific implementation(s) and use(s) of the Windows diagnostic data processor configuration.
Table 1: Windows diagnostic data processor configuration DPIA risk factors
High Risk Factor | Relevant Information about the Windows diagnostic data processor configuration |
---|---|
A systematic and extensive evaluation of personal aspects relating to natural persons that is based on automated processing, including profiling and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person. | The Windows diagnostic data processor configuration doesn't provide capabilities to perform certain automated processing of data. However, because other services use the diagnostic data collected in accordance with the Windows diagnostic data processor configuration as a data source, a data controller could potentially configure those services to be used for such processing. Controllers should make this determination based on their usage of services that use the diagnostic data collected in accordance with the Windows diagnostic data processor configuration. |
Processing on a large scale of special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation), or of personal data relating to criminal convictions and offenses. | The Windows diagnostic data processor configuration isn't specifically designed to process special categories of personal data and the usage of the Windows diagnostic data processor configuration doesn't increase the inherent risk of a controller's processing. However, a data controller could use services that use the diagnostic data collected in accordance with the Windows diagnostic data processor configuration to process the enumerated special categories of data. Services that use the diagnostic data collected in accordance with the Windows diagnostic data processor configuration as a data source may enable the customer to track or otherwise process any type of data, including special categories of personal data. But as the data processor, Microsoft has no control over such use and has little or no insight into such use. It's incumbent upon the data controller to determine appropriate uses of the data controller's data. |
Part 2: Contents of a DPIA
Article 35(7) mandates that a Data Protection Impact Assessment specifies the purposes of processing and a systematic description of the envisioned processing. A systematic description of a comprehensive DPIA might include factors such as the types of data processed, how long data is retained, where the data is located and transferred, and what third parties may have access to the data. In addition, the DPIA must include:
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of natural persons; and
- the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
The following table contains information about the Windows diagnostic data processor configuration that is relevant to each of those elements. As in Part 1, data controllers must consider the details provided in the table, along with any other relevant factors, in the context of the controller' specific implementation(s) and use(s) of the Windows diagnostic data processor configuration.
Table 2: Windows diagnostic data processor configuration DPIA elements
Element of a DPIA | Relevant Information About Windows diagnostic data processor configuration |
---|---|
Purpose(s) of processing | The purpose(s) of processing diagnostic data collected in accordance with Windows diagnostic data processor configuration is determined by the controller that implements, configures, and uses it. Microsoft, as a data processor, processes Windows diagnostic data according to the terms in Microsoft Product Terms. As detailed in the Microsoft Product Terms and Microsoft Products and Services Data Protection Addendum (DPA), Microsoft also uses Personal Data to support a limited set of business operations. Microsoft is the controller of the processing of Windows diagnostic data for these specific business operations. Generally, Microsoft aggregates Windows diagnostic data before using it for our legitimate business operations, removing Microsoft's ability to identify specific individuals, and uses Windows diagnostic data in the least identifiable form that will support processing necessary for legitimate business operations. Microsoft won't use Windows diagnostic data collected when the Windows diagnostic data processor configuration is enabled, or information derived from it for any advertising or similar commercial purposes. |
Categories of personal data processed | Windows diagnostic data—Technical data from Windows devices about the device and how Windows and related software are performing. It's used to keep Windows up to date, secure, reliable, performant, and to make product improvements. Some examples of Windows diagnostic data are the type of hardware being used, applications installed with their respective usage, and reliability information on device drivers. Some Windows components and apps connect to Microsoft services directly, but the data they exchange isn't Windows diagnostic data. For example, exchanging a user’s location for local weather or news isn't an example of Windows diagnostic data. For more information regarding data processing when using the Windows diagnostic data processor configuration, see the Configure Windows diagnostic data in your organization, and the Microsoft Trust Center. |
Data retention | Microsoft will retain and process Windows diagnostic data collected when the Windows diagnostic data processor configuration is enabled in accordance with the Microsoft Product Terms. The customer can delete and export Windows diagnostic data pursuant to a Data Subject Request using the capabilities described in Windows diagnostic data processor configuration Data Subject Requests for the GDPR and CCPA. |
Location and transfers of personal data | Starting in August 2023, for eligible devices updated with the January 2023 preview cumulative update or later, when the Windows diagnostic data processor configuration is enabled the location is automatically assigned based on the customer's Microsoft Entra tenant billing address. Windows devices with diagnostic data turned on and that are joined to a Microsoft Entra tenant with billing address in the EU Data Boundary, will be automatically enrolled in the Windows diagnostic data processor configuration and the Windows diagnostic data collected resides in datacenters in an EU location. Otherwise, the Windows diagnostic data collected resides, or may be transferred to data centers in the United States. |
Data sharing with third parties | Microsoft may share data with third parties acting as our subprocessors (that is, subcontractors that process personal data) to support functions such as customer and technical support, service maintenance, and other operations. Any subcontractors to which Microsoft transfers Windows diagnostic data collected in accordance with the Windows diagnostic data processor configuration or Support data will have entered into written agreements with Microsoft that are no less protective than the terms in the Microsoft Product Terms. All third-party subcontractors with which Windows diagnostic data or Support data is shared are included in the Lists of subcontractors (see 'We limit access by subprocessors'). Information regarding Microsoft's response to law enforcement and third-party requests for Windows diagnostic data collected in accordance with the Windows diagnostic data processor configuration and Support data is located in the Microsoft Product Terms. Unless Microsoft is legally prohibited from doing so, Microsoft will attempt to redirect the law enforcement agency or third party directly to the Customer. |
Data subject rights | When operating as a processor, Microsoft makes available to the customer (the controller) the personal data of its data subjects and the ability to fulfill data subject requests when they exercise their rights under the GDPR. Microsoft does so in a manner consistent with the functionality of the product and its role as a data processor. If Microsoft receives a request from the customer's data subjects to exercise one or more of its rights under the GDPR, the request will be redirected to the data controller. Windows diagnostic data processor configuration Data Subject Requests for the GDPR and CCPA provides a description of how to support data subject rights for Windows diagnostic data collected in accordance with the Windows diagnostic data processor configuration. |
An assessment of the necessity and proportionality of the processing operations in relation to the purposes | Such an assessment depends on the data controller's needs and purposes of processing. With regard to the processing carried out by Microsoft, such processing is necessary and proportional to the purposes of processing reflected in the Microsoft Product Terms. |
An assessment of the risks to the rights and freedoms of data subjects | The key risks to the rights and freedoms of data subjects from the use of the Windows diagnostic data collected in accordance with the Windows diagnostic data processor configuration will be a function of how and in what context the controller implements, configures, and uses the Windows diagnostic data. Windows diagnostic data collected in accordance with the Windows diagnostic data processor configuration may be at risk of unauthorized access or inadvertent disclosure. Measures Microsoft takes to address such risks are discussed in the Microsoft Product Terms. |
The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned | Microsoft is committed to helping protect the security of Windows diagnostic data. The security measures Microsoft takes are described in the Microsoft Product Terms. Microsoft takes reasonable and appropriate technical and organizational measures to safeguard the personal data that it processes. These measures include, but aren't limited to, internal privacy policies and practices, contractual commitments, and international and regional standard certifications. More information is available at Trust Center's Privacy Standards page. Microsoft provides significant, transparent customer facing security and privacy materials to help explain Microsoft's use and processing of personal data. Customers are encouraged to contact Microsoft with questions. Further, Microsoft complies with all other GDPR obligations that apply to data processors, including but not limited to, data protection impact assessments and record keeping. Where Microsoft processes Windows diagnostic data for its legitimate business operations, it complies with GDPR obligations that apply to data controllers. |