Microsoft Global Data Protection Notice for Employees, External Staff and Candidates

Last Updated: March 14, 2019

Expand All Print

Addendum

Your privacy is important to us. We respect the privacy rights of all individuals and we are committed to handling personal data responsibly and in accordance with applicable law. This privacy notice, together with the Addendum, explain what personal data Microsoft collects, uses, and maintains (collectively "processes") about you in the operation of its business, how it uses that data, and your rights to that data.

Please note that this notice applies to the handling of your personal data as an employee, candidate or as external staff (individuals who are not employed by Microsoft that have access to Microsoft facilities and/or Microsoft corporate network access. This could include agency temporary workers, outsourced staff, contractors, and business guests). Additional details concerning Microsoft's governance and privacy requirements for employee data can be found in internal resources including the Microsoft Privacy Standard and Responsible Use of Technology Policy.

This notice does not cover your use of Microsoft consumer products as a consumer, outside of your regular employment or assignment with Microsoft. Microsoft consumer products may include services, websites, apps, software, servers, and devices. To learn more about Microsoft's data collection practices that cover your use of Microsoft products as a consumer, please read our Microsoft Privacy Statement.

This notice is not intended and shall not be read to create any express or implied promise or contract for employment, for any benefit, or for specific treatment in specific situations. Nothing in this notice should be construed to interfere with Microsoft's ability to process employee data for purposes of complying with its legal obligations, or for investigating alleged misconduct or violations of company policy or law, subject to compliance with internal policy and local legal requirements.

Microsoft's processing of personal data is in all cases subject to the requirements of local law, internal policy, and any consultation requirements with worker representatives (where appropriate). To the extent this notice conflicts with local law in your jurisdictions, local law controls.

What Personal Data We Collect
The data we collect can include the following, but is not limited to:

Name and contact data. Your first and last name, employee identification number, email address, postal address, phone number, photo, beneficiary and emergency contact details, and other similar contact data. Additionally, you may opt to provide Microsoft with additional contact information such as personal email address(es) and/or cell phone number(s).

Demographic data. Your date of birth and gender. We may also collect and process "Sensitive Personal Information" about you in accordance with local requirements and applicable law. This may include any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, trade union membership, or information about your health, disabilities, or sexual orientation. We will use this information to comply with anti-discrimination laws and government reporting obligations and to help insure equal employment opportunities. We may also request information about your physical or mental condition to provide work-related accommodations, to provide health and insurance benefits to you and your dependents, or to manage absences from work. We may further request, where permitted by law and on a voluntary and consensual disclosure basis, sensitive personal information such as information about your racial/ethnic origin, sexual orientation, veteran status, and disability status. We will use this information on a de-identified and aggregated basis to help provide a more diverse and inclusive workplace through our Diversity, Inclusion and Accessibility programs.

National identifiers. Your national ID/passport, residency and work permit status, social security number, or other taxpayer/government identification number.

Employment details. Your job title/position, office location, employment contract, offer letter, hire date, termination date, performance history and disciplinary records, leave of absence, sick time, and vacation/holiday records.

Spouse/partner and dependents' information. Your spouse/partner and dependents' first and last names, dates of birth, and contact details.

Background information. Academic and professional qualifications, education, CV/Resume, credit history and criminal records data (utilized for background check and vetting purposes where permissible and in accordance with applicable law and consultation requirements).

Financial information. Bank account details, tax information, salary, retirement account information, company allowances and other information necessary to administer payroll, taxes and benefits.

Workplace, Device, Usage, and Content data. Electronic communications transmitted within our corporate network, building and information system access, Microsoft device, system and application usage (including telemetry) when accessing and using Microsoft corporate buildings, services and assets.

Why We Process Personal Data
We process your personal data (and, where necessary, data for your dependents, beneficiaries and other individuals associated with your employment) for the varied purposes set out below. Failure to provide your personal data when requested may prevent us from being able to carry out these tasks and/or comply with our legal obligations.

1. To administer your employment contract, external staff engagement, offer letter or other commitments we've made to you

We process your personal data primarily for the purpose of managing our employment or working relationship with you, and to fulfill our obligations under your employment contract, or applicable Microsoft policies, including payroll, benefits administration, tax reporting, and the like. A few examples: your employment contract, your offer letter (e.g. so we can on-board you), promotion history and performance reviews (e.g. so we can manage our employment relationship with you), and your bank account and salary details (e.g. so we can pay you or provide HR benefits). If you are a candidate, we process your data to engage with you about Microsoft career opportunities, consider your application for employment to specific roles at Microsoft, and other similar uses including candidate screening, interview scheduling and management, lawful background checks, and to on board you at Microsoft if you receive and accept an offer of employment with us. If you are external staff, the type of personal data we process is limited to what is needed to manage your engagement with Microsoft and access to Microsoft facilities and information systems.

2. Other overriding and legitimate business purposes

We also may process your personal data when it is necessary for other legitimate purposes, such as general HR administration, our global directory of employees and external staff, general business management and operations, disclosures for auditing and reporting purposes, management of network and information systems security and business operations, provision and improvement of employee services, physical security and to protect the life and safety of employees and others. We may also use special applications and systems that record employee performance metrics, such as sales related or code databases for business operations purposes as well as for the purposes of reviewing, rewarding and coaching employees on their performance. We may also process your personal data to investigate potential violations of law or breaches of our internal policies.

3. Legally required purposes

We also may process your personal data when we consider it necessary for complying with laws and regulations, including collecting and disclosing personal data as required by law (e.g., for minimum wage, working time, tax, health and safety, anti-discrimination laws, global migration), under judicial authorization, or to exercise or defend the legal rights of Microsoft.

4. Other uses of your data (where permissible and in accordance with applicable law and consultation requirements)

We also may process data about you and your usage of and interaction with Microsoft products, services and internal applications and tools, when you use them to conduct Microsoft business, to measure and improve these products, or to assess or improve how it conducts its business; use of your data for product improvement may include human and machine review of such data to train AI models and improve machine learning for Microsoft products and services. While Microsoft allows incidental use of its corporate applications and tools for personal reasons; personal data you transmit through these systems may be used for product improvement. Where required by law or internal policy, we will seek your consent to such uses; and where your consent is sought, we will ensure your consent is knowing, truly voluntary, and that you suffer no adverse consequence from any decision to withhold or revoke your consent.

Collection and Use of Data from Third Parties and Social Media
We may also collect personal data about you from third parties or public sources as needed to support the employment relationship or to engage with you concerning job opportunities at Microsoft. For example, before and during the course of your employment or assignment with Microsoft, we may collect information from public social media sources, such as your public LinkedIn profile, for recruitment purposes. We also may conduct lawful background screenings, to the extent permitted by law, through a third-party vendor for information about your past education, employment, credit and/or criminal history. In the event of a natural disaster or other life/safety emergency, we may rely on public social media posts or other public sources to account for employees if otherwise unable to contact them. Additionally, if there is an investigation of an employee matter, we may obtain information relevant to the incident from external sources including private parties, law enforcement or public sources like news sources and public social media posts.

Change of purpose
We will only use your personal data for the purposes outlined in this notice or such purposes as may be reasonably compatible with the original purpose for which it was collected or there is an alternative legal basis for the further processing. For example, you may provide personal information to Microsoft while researching job openings, but once you apply for a specific role, Microsoft may need to process your personal information based on other legal bases for processing.

How and Why We Share Personal Data
Microsoft will only share your personal data with those who have a legitimate need for it. Whenever we permit a third party to access personal data, we will make sure the data is used in a manner consistent with this notice (and any applicable internal data handling guidelines consistent with the sensitivity and classification of the data). Your personal data may be shared with our subsidiaries and affiliates and other third parties, including service providers, for legitimate purposes as follows:

In order to carry out the uses of personal data described above (See section titled: Why We Process Personal Data);
To enable third parties to provide services to us. Categories of recipients of data would include financial investment service providers, insurance providers, payroll support services, relocation, tax and travel management services, health and safety experts, and child care providers;
To comply with our legal obligations, regulations or contracts, or to respond to a court order, administrative or judicial process, such as a subpoena, government audit or search warrant. Categories of recipients would include counter-parties to contracts, judicial and governmental bodies;
In response to lawful requests by public authorities (such as national security or law enforcement);
To seek legal advice from external lawyers and advice from other professional advisers such as accountants, management consultants, etc.;
As necessary to establish, exercise or defend against potential, threatened or actual litigation (such as adverse parties in litigation);
Where necessary to protect Microsoft, your vital interests, or those of another person;
In connection with the sale, assignment or other transfer of all or part of our business (such as a potential purchaser and its legal / professional advisers); or
Otherwise in accordance with your consent.

Please note that where legal requirements and/or internal policy limit the sharing of your data, Microsoft will respect such requirements.

Your Rights to Your Personal Information

In some regions, you may have certain rights under applicable data protection laws (such as the European General Data Protection Regulation). Please see the Addendum to this notice for specific additional information by region / country.

Use of Cookies and Web Beacons
Site pages may use cookies (small text files placed on your device). Cookies allow us, among other things, to store your preferences and settings; enable you to sign-in; combat fraud; and analyze how our websites and online services are performing.

We also use web beacons to help deliver cookies and gather usage and performance data. Our websites may include web beacons and cookies from third-party service providers.

You have a variety of tools to control cookies, web beacons and similar technologies, including browser controls to block and delete cookies and controls from some third-party analytics service providers to opt out of data collection through web beacons. Your browser and other choices may impact your experiences with our websites and systems.

Workplace Security and Monitoring
Microsoft monitors its IT and communications systems through automated tools such as network authentication and wireless connectivity hardware and software, anti-malware software, website filtering and spam filtering software, security software for cloud-based applications, and mobile device management solutions. The primary purpose of this monitoring is to protect Microsoft, its employees, customers and business partners, for example:

For system, applications, and network security, including in particular the security of Microsoft's IT system and assets, and the safety and security of its employees, external staff and other third parties;
For network and device management and support;
For proof of business transactions and recordkeeping;
For the protection of confidential information and company assets;
For investigating wrongful acts or potential violations of company policy; and
For other legitimate business purposes as permitted under applicable law.

We also monitor our offices, and other workplace facilities, through video monitoring like closed-circuit television ("CCTV") and badge scans for security purposes. CCTV is primarily used at office entrance and exit points, elevator lobbies, rooms where there may be valuable equipment, such as server rooms, and in other select areas with a high risk for theft or with highly sensitive assets. CCTV is not used in private spaces such as restrooms, new mothers' rooms or locker rooms nor is it used to monitor employee workstations for performance reasons.

You should be aware that any message, files, data, document, facsimile, audio/video, social media post or instant message communications, or any other types of information transmitted to, through or from, received or printed from, or created, stored or recorded on our IT and communications systems and assets (included via the use of personal devices accessing corporate IT systems) are presumed to be business-related and may be monitored or accessed by us in accordance with applicable law and workplace agreements (such as works council agreements), and subject to Microsoft's internal policies concerning access to and uses of such data. Microsoft will not review data stored on your personal mobile device without your consent.

Other Important Privacy Information
Security of Your Personal Data

Microsoft is committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorized access, use, or disclosure. For example, we store the personal data you provide on computer servers with limited access that are located in controlled facilities, and, when we transmit certain highly confidential or sensitive personal information, we protect it through the use of encryption.

Where We Store and Process Personal Data

Microsoft operates at the global level and therefore personal data may need to be transferred to countries outside of where it was originally collected. For example, because we are headquartered in the United States, information collected in other countries is routinely transferred to the United States for processing. When we transfer your personal data to a different country, we will ensure that this transfer complies with applicable laws and legislation. Microsoft has Model Clauses in place for the collection, use, and retention of personal data transferred from the European Union to other countries, and also complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S Privacy Shield Framework.

Microsoft Corporation complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Economic Area, the United Kingdom, and Switzerland to the United States. Microsoft Corporation has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If third-party agents process personal data on our behalf in a manner inconsistent with the principles of either Privacy Shield framework, we remain liable unless we prove we are not responsible for the event giving rise to the damage. The controlled U.S. subsidiaries of Microsoft Corporation, as identified in our self-certification submission and listed here, also adhere to the Privacy Shield Principles.

If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov.

If you have a question or complaint related to participation by Microsoft in the EU-U.S. or Swiss-U.S. Privacy Shield, we encourage you to contact us via our web form. For any complaints related to the Privacy Shield frameworks that Microsoft cannot resolve directly, we have chosen to cooperate with the relevant EU Data Protection Authority, or a panel established by the European data protection authorities, for resolving disputes with EU individuals, and with the Swiss Federal Data Protection and Information Commissioner (FDPIC) for resolving disputes with Swiss individuals. Please contact us if you’d like us to direct you to your data protection authority contacts. As further explained in the Privacy Shield Principles, binding arbitration is available to address residual complaints not resolved by other means. Microsoft is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Our Retention of Personal Data

Personal data will be stored according to applicable laws or regulatory requirements and kept as long as is necessary to fulfill the purposes for which the personal data was collected. Generally, this means that your personal data will be retained as documented in our corporate data retention schedule and applicable riders and supplements.

Changes to this Privacy Notice

We may occasionally update this privacy notice. When we do, we will revise the "last updated" date at the top of the privacy notice. If there are material changes to this notice or in how Microsoft will use your personal data, we will use reasonable efforts to notify you either by prominently posting a notice of such changes before they take effect or by directly sending you a notification. We encourage you to periodically review this privacy statement to learn how Microsoft is protecting your personal data.

How to Contact Us
For copies of additional privacy documents mentioned in this notice, or if you have a privacy concern or question related to this notice, please contact AskHR@microsoft.com.

Our address is:
HR Privacy
Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052 USA

Telephone: (+1) 425-882-8080

Addendum

European Union and United Kingdom

Last Updated: April 13,2018
European Union and United Kingdom: Your Data Subject Rights

In addition to the information shared above, EU and UK employees, external staff and candidates (including individuals working in the EU and UK, or in some circumstances individuals who normally reside in the EU and UK who are working abroad) may have certain rights under applicable data protection laws (including the EU General Data Protection Regulation and local legal implementation of that Regulation), which include the rights to:
1. Request access to and obtain a copy of your personal data,
2. Request rectification (or correction) of personal data you have provided that is inaccurate;
3. Request erasure (or deletion) of personal data that is no longer necessary to fulfill the purposes for which it was collected, or does not need to be retained by Microsoft for other legitimate purposes;
4. Restrict or object to the processing of your personal data; and
5. If applicable, request your personal data be ported (transferred) to another company
Application of the above rights may vary depending on the type of data involved, and Microsoft’s particular basis for processing the personal data.
To make a request to exercise one of the above rights, please contact AskHR@microsoft.com. We will consider and act upon any requests in accordance with applicable data protection laws. Please note that we may request specific information from you to enable us to confirm your identity and right to access, as well as to search for and provide you with the personal data that we hold about you. We may, in limited circumstances, charge you a reasonable fee to access your personal data; however, we will advise you of any fee in advance.
If we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal.
EU and UK employees, external staff and candidates (including individuals working in the EU and UK, or individuals who normally reside in the EU and UK who are working abroad) may also direct questions about how we handle personal information to the Data Protection Officer at https://aka.ms/privacyresponse
While Microsoft hopes it can answer any questions that you may have, if you have unresolved concerns you also have the right to complain to a relevant data protection supervisory authority in the EU and UK.
Turkey

Last Updated: April 13,2018
Employees in Turkey: Your Data Subject Rights
You may exercise the below-listed rights regarding the processing of your personal data by means of submitting a request to Microsoft. Upon your submission of a request relating to your rights as data subjects, by using methods specified under Microsoft Privacy Policy at https://privacy.microsoft.com/tr-tr/privacystatement, such requests shall be finalized by the Company free of charge, at the latest within thirty days, depending on the nature of the request. However, in case a request fee is required as may be determined by the Personal Data Protection Board, such fee shall be applicable.

In this respect, data subjects are entitled to the following rights;
- To learn whether data relating to him/her are being processed;
- If personal data relating to him/her have been processed, to request further information in this regard;
- To learn the purpose of the processing of personal data and whether personal data are being processed in line with such purpose;
- To know the third-party recipients to whom the personal data are transferred to either within the country or abroad;
- To request rectification, in case personal data processed are either incomplete or inaccurate;
- To request erasure or destruction of personal data within the conditions set forth under the relevant legislation;
- To request that third persons to whom personal data is transferred to be notified on the correction, erasure and destruction carried out in accordance with the relevant legislation;
- To object to negative consequences resulting from the analysis of your processed personal data by solely automatic means;
- To demand compensation for your damage incurred as a result of unlawful processing of your personal data.
You may exercise your rights regarding the processing of your personal data by sending an e-mail to AskHR@microsoft.com.