
GDPR-Compliant Cloud Usage for Small Businesses in Berlin: Practical Guide


The GDPR does not prohibit cloud services — it defines the conditions under which they are lawful. This guide gives Berlin SMBs a practical framework for using Microsoft Azure and M365 without accumulating compliance risk.

Berlin Context: The Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI) has issued fines to Berlin-based businesses for inadequate cloud data processing agreements. SMBs are not exempt. The thresholds may be lower, but the legal exposure is real.

The Core GDPR Question for Cloud Users

Every time personal data — customer names, email addresses, employee records, order history — enters a cloud service, you are engaging a data processor. Under GDPR Article 28, you must have a Data Processing Agreement (DPA) in place with that processor before any data is transferred. Microsoft provides a standard DPA for all M365 and Azure customers via the Microsoft Products and Services Data Protection Addendum (DPA), available in the Microsoft admin center. Signing it (or accepting it online) is a mandatory first step, not a formality.

The second question is data residency. The Schrems II ruling (CJEU, 2020) invalidated Privacy Shield and created ongoing uncertainty about transfers of EU personal data to the US. Microsoft’s EU Data Boundary commitment — announced in 2022 and progressively expanded — stores and processes core M365 and Azure data entirely within the EU for customers who opt in. For Berlin businesses handling significant volumes of customer personal data, activating the EU Data Boundary is the most straightforward way to reduce transfer risk.

Five GDPR Compliance Pillars for Cloud-Using SMBs

1. Legal Basis

Document why you process each category of personal data — contract, legitimate interest, or consent. Cloud storage does not create a legal basis; it inherits the one already documented for the underlying processing.

2. Data Processing Agreements

Every SaaS tool that touches personal data needs a signed DPA. Microsoft, Google, Salesforce, and most enterprise vendors provide these. Smaller vendors often do not — audit your tool stack.

3. Data Residency

Activate M365 EU Data Boundary and ensure Azure regions are set to West Europe or Germany West Central. Verify with the Microsoft Admin Center data location report.

4. Access Controls

Least-privilege access limits exposure in the event of a breach. GDPR Article 32 requires “appropriate technical measures” — access control is the most auditable implementation of this.

5. Audit Logging

In the event of a data breach, you have 72 hours to notify the supervisory authority. Without audit logs, you cannot establish what data was accessed, by whom, or when — making meaningful notification impossible.

Microsoft 365 GDPR Configuration: What to Turn On

Microsoft Purview Compliance Portal

Microsoft 365 Business Premium and above include Microsoft Purview, the compliance management platform. For GDPR compliance, the most immediately actionable capabilities are:

  • Audit (Standard): Logs user and admin activity across Exchange, SharePoint, Teams, and OneDrive. Retained for 90 days by default. Enable immediately — it is off by default in new tenants. Navigate to Purview > Audit > Start recording user and admin activity.
  • Content Search and eDiscovery: Required to respond to GDPR Subject Access Requests (SARs). When a data subject asks you to provide all data you hold about them, Content Search lets you locate it across mailboxes, SharePoint, and Teams without manual trawling.
  • Data Loss Prevention (DLP): Define policies that detect personal data — German personal ID numbers, IBAN numbers, medical data markers — and prevent it from being emailed externally or uploaded to personal OneDrive. Purview ships with pre-built GDPR and German-specific sensitive information types.
  • Retention Policies: GDPR requires you to keep data only as long as necessary. Retention policies in Purview automate deletion of email, Teams messages, and SharePoint content after defined periods, creating a defensible record of data minimization.
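The four Purview items above can be switched on from Exchange Online and Security & Compliance PowerShell instead of clicking through the portal. The script below is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module, a Compliance Administrator account, and placeholder names, addresses and retention length. The sensitive information type names are Microsoft's built-in ones as I know them; confirm them in your own tenant with Get-DlpSensitiveInformationType before relying on them.

```powershell
# Added example (not from the original post): Purview baseline via Exchange Online / Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed, Compliance Administrator role,
# and every name, address and retention length below is a placeholder to adapt.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline        # Exchange cmdlets (audit configuration)
Connect-IPPSSession           # Security & Compliance cmdlets (DLP, retention, content search)

# 1. Audit (Standard): confirm unified audit log ingestion is on, enable it if it is not.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit log enabled; events start appearing after a propagation delay."
}

# 2. DLP: detect German ID card numbers and IBANs and block sharing outside the organisation.
#    Verify the exact built-in type names with: Get-DlpSensitiveInformationType | Select-Object Name
$sits = @(
    @{ Name = "Germany Identity Card Number";                minCount = "1" },
    @{ Name = "International Banking Account Number (IBAN)"; minCount = "1" }
)
New-DlpCompliancePolicy -Name "GDPR-DE-PersonalData" -Mode TestWithNotifications `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All
New-DlpComplianceRule -Name "GDPR-DE-PersonalData-NoExternal" -Policy "GDPR-DE-PersonalData" `
    -ContentContainsSensitiveInformation $sits -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyUser Owner `
    -GenerateIncidentReport "dpo@example.com" -IncidentReportContent All   # placeholder DPO address
# Switch to enforcement once the test period shows no false positives:
# Set-DlpCompliancePolicy -Identity "GDPR-DE-PersonalData" -Mode Enable

# 3. Retention: keep mail for a defined period, then delete it (length is a placeholder;
#    take the real value from your Article 30 record).
$daysToKeep = 1095   # placeholder: 3 years
New-RetentionCompliancePolicy -Name "GDPR-Mail-Retention" -ExchangeLocation All
New-RetentionComplianceRule -Name "GDPR-Mail-Retention-Rule" -Policy "GDPR-Mail-Retention" `
    -RetentionDuration $daysToKeep -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays

# 4. Content Search for a Subject Access Request: locate every item mentioning the data subject
#    across all mailboxes and SharePoint/OneDrive sites.
$subject    = "max.mustermann@example.com"           # placeholder data subject identifier
$searchName = "SAR-$(Get-Date -Format yyyyMMdd)"
New-ComplianceSearch -Name $searchName -ExchangeLocation All -SharePointLocation All `
    -ContentMatchQuery "`"$subject`""
Start-ComplianceSearch -Identity $searchName
# Poll until Status is Completed, then export or preview the results from the Purview portal.
Get-ComplianceSearch -Identity $searchName | Select-Object Name, Status, Items
```

Run the DLP policy in TestWithNotifications for a few weeks first: it reports and warns users without blocking, which tells you how often legitimate workflows (invoices with IBANs, HR mail with ID numbers) would have been stopped before you switch to Enable.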

Entra ID Access Controls

Access control is the technical measure most directly auditable by a data protection authority. For GDPR purposes, the key Entra ID settings are:

  • Conditional Access with MFA: Enforces strong authentication before accessing personal data. Directly satisfies Article 32’s “appropriate technical measures” requirement.
  • Privileged Identity Management (PIM): Global Administrator and SharePoint Administrator roles should not be permanently assigned. PIM requires just-in-time elevation with approval and logging, minimizing the attack surface on your highest-privilege accounts.
  • Guest access reviews: External collaborators who were granted access to SharePoint libraries or Teams channels containing personal data should be reviewed quarterly. Entra ID Access Reviews automate this.
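The three Entra ID controls above can be created with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the original post or from Microsoft; it assumes Global Administrator or Privileged Role Administrator rights, the Microsoft.Graph modules, and that the break-glass account, admin user and HR group are placeholders for your own objects. The Graph request bodies follow the documented conditionalAccessPolicy, unifiedRoleEligibilityScheduleRequest and accessReviewScheduleDefinition shapes.

```powershell
# Added example (not from the original post): Conditional Access + PIM + guest access review via Graph PowerShell.
# Assumptions: Microsoft.Graph SDK installed; accounts and group below are placeholders.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.Governance
$scopes = @("Policy.ReadWrite.ConditionalAccess", "RoleManagement.ReadWrite.Directory",
            "AccessReview.ReadWrite.All", "User.Read.All", "Group.Read.All")
Connect-MgGraph -Scopes $scopes

$breakGlass = (Get-MgUser -UserId "breakglass@example.com").Id          # placeholder; excluded from CA
$adminUser  = (Get-MgUser -UserId "it.admin@example.com").Id            # placeholder
$hrGroup    = (Get-MgGroup -Filter "displayName eq 'HR-Records'").Id    # placeholder group holding guests

# 1. Conditional Access: require MFA for every user and every cloud app.
#    Created in report-only mode so the sign-in log can be reviewed before switching state to "enabled".
$ca = @{
    displayName   = "GDPR baseline - require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $ca

# 2. PIM: make the admin *eligible* for Global Administrator rather than permanently active.
#    Activation then requires justification and is written to the audit log.
$gaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$pim = @{
    action           = "adminAssign"
    justification    = "Just-in-time elevation for tenant administration"
    roleDefinitionId = $gaRole.Id
    directoryScopeId = "/"
    principalId      = $adminUser
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P365D" }   # eligibility itself expires yearly
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $pim

# 3. Access review: every quarter the group owners confirm each guest; guests nobody approves are removed.
$review = @{
    displayName          = "Quarterly guest review - HR-Records"
    descriptionForAdmins = "GDPR: confirm external access to personal data is still required"
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$hrGroup/transitiveMembers/microsoft.graph.user/?`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(@{ query = "/groups/$hrGroup/owners"; queryType = "MicrosoftGraph" })
    settings  = @{
        mailNotificationsEnabled     = $true
        reminderNotificationsEnabled = $true
        instanceDurationInDays       = 14
        defaultDecisionEnabled       = $true
        defaultDecision              = "Deny"      # no answer means access is removed
        autoApplyDecisionsEnabled    = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date -Format "yyyy-MM-dd") }
        }
    }
}
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $review
```

The break-glass exclusion matters: a tenant-wide MFA policy with no excluded emergency account can lock every administrator out if the MFA provider has an outage, and that account should be monitored separately for any sign-in.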

Azure GDPR Configuration for Berlin SMBs

If your business runs workloads in Azure — virtual machines, databases, file shares — the following settings are non-negotiable for GDPR compliance:

Setting                                      | Where                                 | GDPR relevance
---------------------------------------------+---------------------------------------+-----------------------------------------------------
Region: Germany West Central or West Europe  | Subscription / Resource group         | Data residency — eliminates US transfer concern
Azure Policy — Allowed locations             | Azure Policy > Definitions            | Prevents accidental deployment outside the EU
Azure Monitor — Activity Log                 | Monitor > Activity log                | Audit trail for Article 30 records of processing
Encryption at rest — Azure Storage           | Enabled by default                    | Article 32 — encryption as technical safeguard
Azure Key Vault for secrets                  | Key Vault resource                    | Protects encryption keys and connection strings
Diagnostic settings — Log Analytics          | All resources > Diagnostic settings   | 90-day audit log retention for breach investigation
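The policy, logging and retention rows of this table can be applied to a subscription in one pass with the Az PowerShell modules. The script below is an added example, not code from the original post or from Microsoft; it assumes Owner rights on the subscription, the Az.Resources, Az.Monitor, Az.OperationalInsights and Az.PolicyInsights modules, and placeholder values for the subscription, resource group and workspace. The policy definition GUID is Microsoft's built-in "Allowed locations" definition as I know it; confirm it with Get-AzPolicyDefinition -BuiltIn before assigning.

```powershell
# Added example (not from the original post): EU-only regions, Activity Log and diagnostic settings
# into a Log Analytics workspace with 90-day retention, using Az PowerShell.
# Assumptions: Owner on the subscription; ids and names below are placeholders.
Connect-AzAccount
$subId     = "00000000-0000-0000-0000-000000000000"   # placeholder subscription id
$rg        = "rg-gdpr-logs"                            # placeholder resource group
$workspace = "law-gdpr-audit"                          # placeholder workspace name
Set-AzContext -Subscription $subId | Out-Null

# 1. Azure Policy "Allowed locations": only the two EU regions from the table may receive resources.
#    GUID = Microsoft's built-in definition; verify with Get-AzPolicyDefinition -BuiltIn.
$allowedDef = Get-AzPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
New-AzPolicyAssignment -Name "gdpr-allowed-locations" -DisplayName "GDPR: EU locations only" `
    -Scope "/subscriptions/$subId" -PolicyDefinition $allowedDef `
    -PolicyParameterObject @{ listOfAllowedLocations = @("germanywestcentral", "westeurope") }

# 2. Log Analytics workspace in Germany West Central with 90-day retention for breach investigation.
New-AzResourceGroup -Name $rg -Location "germanywestcentral" -Force | Out-Null
$law = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace `
    -Location "germanywestcentral" -Sku PerGB2018 -RetentionInDays 90

# 3. Route the subscription Activity Log (who changed what, when) into the workspace.
$activityCategories = "Administrative", "Security", "Policy", "Alert", "ResourceHealth"
$activityLogs = foreach ($c in $activityCategories) {
    New-AzDiagnosticSettingLogSettingsObject -Category $c -Enabled $true
}
New-AzDiagnosticSetting -Name "activity-to-law" -ResourceId "/subscriptions/$subId" `
    -WorkspaceId $law.ResourceId -Log $activityLogs | Out-Null

# 4. Diagnostic settings (all log categories) on every existing resource that supports them.
$allLogs = New-AzDiagnosticSettingLogSettingsObject -CategoryGroup "allLogs" -Enabled $true
foreach ($r in Get-AzResource) {
    try {
        New-AzDiagnosticSetting -Name "gdpr-audit" -ResourceId $r.ResourceId `
            -WorkspaceId $law.ResourceId -Log $allLogs -ErrorAction Stop | Out-Null
    } catch {
        # Many resource types have no diagnostic log categories; skip them rather than abort.
        Write-Warning "Skipped $($r.ResourceId): $($_.Exception.Message)"
    }
}

# 5. Evidence for the Article 30 record: list anything still outside the allowed regions.
Get-AzPolicyState -SubscriptionId $subId -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName
```

Step 5 is the part worth keeping: the policy assignment only blocks new deployments, so resources created before the assignment in a non-EU region stay where they are and show up here as non-compliant until you move or delete them.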

The Article 30 Record of Processing Activities

GDPR Article 30 requires businesses to maintain a written record of all processing activities involving personal data. This is not a one-time exercise — it must be updated when you add new SaaS tools, change how data is used, or onboard new categories of data subjects. The record should document: the purpose of processing, categories of personal data, categories of data subjects, recipients (including cloud processors), retention periods, and a description of security measures.

In a Microsoft 365 context, typical record-of-processing entries include: HR records in SharePoint/OneDrive, customer correspondence in Exchange Online, financial records in SharePoint or ERP, Teams meeting recordings, and CRM data. For each entry, reference the DPA with Microsoft and document that EU data residency has been activated.

72-Hour Breach Notification: Can You Meet It?

GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. “Becoming aware” starts the clock — which means your ability to meet the deadline depends entirely on how quickly you can detect and scope a breach. Without Microsoft 365 audit logs enabled and an alert policy for suspicious activity (such as mass email forwarding, bulk download from SharePoint, or privilege escalation), you may not become aware until days after the fact.

Configure alert policies in the Microsoft Defender Portal under Email & Collaboration > Policies & Rules > Alert Policy. Enable alerts for: “Mass download of files”, “Unusual volume of file deletion”, “Forwarding/redirect rule created”, and “Elevation of Exchange admin privilege”. These fire quickly enough to support a 72-hour notification window when acted on promptly.
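Alert policies only help the 72-hour clock if someone can also confirm from the audit log what actually happened. The script below is an added example, not code from the original post or from Microsoft: a seven-day look-back over the unified audit log for the four activities those alerts cover, which doubles as a check that your logging would support scoping a breach. It assumes the ExchangeOnlineManagement module, audit logging already enabled, and the thresholds and window are assumptions to tune per tenant; the operation names are the ones I know these events carry in the log, so verify them against a sample record in your own tenant.

```powershell
# Added example (not from the original post): hunt the unified audit log for the signals behind
# the alert policies above. Assumptions: ExchangeOnlineManagement module, audit enabled, placeholder thresholds.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddDays(-7)            # assumed look-back window
$massDownloadThreshold = 100         # files per user in the window (assumed)
$massDeleteThreshold   = 100

# Fetch events for the given operations and return the parsed AuditData JSON of each record.
# ResultSize caps at 5000; for busy tenants page with -SessionCommand ReturnLargeSet.
function Get-AuditEvents {
    param([string[]]$Operations, [string]$RecordType)
    $p = @{ StartDate = $start; EndDate = $end; Operations = $Operations; ResultSize = 5000 }
    if ($RecordType) { $p.RecordType = $RecordType }
    Search-UnifiedAuditLog @p | ForEach-Object { $_.AuditData | ConvertFrom-Json }
}

# 1. Mass download / mass deletion from SharePoint or OneDrive: count events per user and operation.
$fileOps = Get-AuditEvents -Operations FileDownloaded, FileDeleted, FileDeletedFirstStageRecycleBin `
                           -RecordType SharePointFileOperation
$fileOps | Group-Object UserId, Operation | ForEach-Object {
    $user, $op = $_.Name -split ', '
    $limit = if ($op -eq 'FileDownloaded') { $massDownloadThreshold } else { $massDeleteThreshold }
    if ($_.Count -ge $limit) {
        [pscustomobject]@{ Signal = "Mass $op"; User = $user; Count = $_.Count }
    }
}

# 2. Forwarding or redirect rules: inbox rules and mailbox-level forwarding changed in the window.
$forwardParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress', 'ForwardingAddress'
foreach ($e in Get-AuditEvents -Operations New-InboxRule, Set-InboxRule, Set-Mailbox) {
    $fwd = $e.Parameters | Where-Object { $_.Name -in $forwardParams }
    if ($fwd) {
        [pscustomobject]@{ Signal = "Forwarding rule"; User = $e.UserId; Time = $e.CreationTime
                           Operation = $e.Operation; Target = ($fwd.Value -join ';') }
    }
}

# 3. Privilege elevation: Exchange role group changes and Entra directory role membership changes.
#    "Add member to role." is the Entra operation name as recorded in the log (verify in your tenant).
foreach ($e in Get-AuditEvents -Operations Add-RoleGroupMember, "Add member to role.") {
    [pscustomobject]@{ Signal = "Privilege change"; Actor = $e.UserId; Time = $e.CreationTime
                       Operation = $e.Operation; Target = $e.ObjectId }
}
```

Run it once on a quiet week to learn your baseline: if normal business already produces, say, 150 downloads per user per week, the mass-download threshold must sit above that or the alert will be ignored by the time a real exfiltration fires it.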

What IT Experts Berlin Delivers for GDPR Cloud Compliance

Our GDPR cloud compliance service for Berlin SMBs covers three deliverables: a cloud tool inventory identifying all SaaS services currently processing personal data, an M365 and Azure configuration review against GDPR technical measures (access control, encryption, audit logging, data residency), and a draft Article 30 record of processing for your primary cloud workloads. We coordinate with your data protection officer or external GDPR counsel and provide technical documentation in the format required for regulatory submissions. Contact us for an initial consultation.
