On the 5th of November 2018 the Dutch government issued a set of reports on the GDPR compliance of Office 2016 (Pro Plus) and Office 365. These reports were based on a Data Protection Impact Assessment (or DPIA) conducted in The Netherlands by a governmental agency and external consultants (Privacy Company).
The document (one of many) can be found here.
The main conclusion of the DPIA is troublesome. Microsoft gathers both telemetry (more than 20,000 Office events) and audit log information, and can use (personal) data for the translation and spell-check functions. This data might contain personal information.
For example, the Office 365 audit logs contain information on e-mails. Most of the identifiable information cannot be directly related to a person, but the e-mail subject line is easily accessible, and subject lines might just contain sensitive information. For example: “Re: Discussed compensation with Albert after termination”.
Since the publication, a lot of information has been provided on this subject. I will not copy/paste all this information, but did want to share some important links and notes.
First of all, Microsoft has agreed to work together with the Dutch government to address the issues, and it has been granted until April 2019 to reply. Secondly, some of the recommendations in the report might not be practical or feasible, for example periodically deleting the VIPs’ accounts or stopping the use of SharePoint Online/OneDrive/Office Online altogether.