The results of the Dutch Data Protection Impact Assessment (DPIA) shows that Microsoft collects and stores large-scale personal data about the behaviour of individuals
In the Netherlands government organisations use Microsoft services to store data locally. It is inevitable that Microsoft collect personal data, such as email, IP address as such data is necessary for individuals to use their services, but Microsoft has been collecting large-scale data covertly, without informing users. The individuals that use the services provided by Microsoft do not get a choice in the amount of data that is collected, the possibility to opt-out or the ability to view their collected personal data.
Microsoft determines the purposes of the processing of the diagnostic data in the Office software, and the retention period of the data (30 days up to 18 months, or even longer if deemed necessary by Microsoft). The DPIA report shows that Microsoft processes the diagnostic data for 7 purposes, and for all other purposes Microsoft deems to be compatible with those purposes. Microsoft acts as a controller, and not as a data processor because it determines the purposes and the means (of the retention period.
The 2017 investigation of the processing of telemetry data in the consumer and small business versions of Windows 10 (Home and Pro), conducted by The Dutch Data Protection Authority (DPA), found that Microsoft violated data protection laws, such as purpose limitation and lack of purpose of processing and lack of transparency. In response to that investigation, Microsoft made some adjustments in the spring of 2018 release of the software and those adjustments the Dutch DPA confirms will minimize risk.
However the report concludes by stating that further mitigating solutions have to be taken to completely eliminate risks but until that is done, the risks will persist and it is up to the individuals to apply additional measures to protect their personal data and privacy.