Dutch government publishes DPIA and DTIA for Microsoft
Many of our members use Microsoft tools and want to be sure they are in compliance with the requirements of the GDPR.
06 / 04 / 22
The Dutch government's recently released Data Privacy Impact Assessment (DPIA) and Data Transfer Impact Assessment (DTIA) on Microsoft and its tools (available in Dutch only) can be valuable sources of inspiration for your own Microsoft tool impact assessments.
The DPIA assessed the data protection risks of the professional use of Microsoft Teams in combination with OneDrive, SharePoint Online and the Azure Active Directory. It found no high or medium-level risks, but did identify some low-level risks. It includes a warning regarding certain categories of personal data.
The DTIA is a companion to the DPIA and was carried out for Microsoft's transfers of personal data from its Dutch government customers to the USA. The DTIA found that it is extremely unlikely that personal data from the Dutch government customers would be unlawfully accessed by US authorities, or by authorities in other countries where Microsoft uses subprocessors.
In parallel, the Dutch Ministry of Justice and Security requested an analysis by Greenberg Traurig of US legislation in relation to the GDPR and Schrems II.