Has Microsoft seen reduced risk appetite for its cloud solutions among Danish businesses due to the increased focus on international data transfers?
Microsoft continues to see a strong appetite for cloud solutions, alongside a growing focus on risk assessment, compliance documentation and solid governance. Whether this reflects a shift in risk appetite is hard to say – but the high-profile cases currently in the public eye have certainly heightened awareness. As the Danish Data Protection Authority says: you need to “do your homework!”
Is Microsoft seeing growing interest in data transfers beyond the US from Danish customers?
There’s a general focus on being able to demonstrate compliance with the entire GDPR – including Chapter 5 on transfers to so-called “unsafe third countries”.
What solutions is Microsoft developing to meet Danish customers' compliance expectations when using Microsoft cloud services?
We firmly believe that Danish customers can already use Microsoft Cloud in full compliance with legislation. There is, however, some homework to do – and we’re working hard to help customers complete it, based on guidance from the Data Protection Authority. To further simplify certain aspects – like scenario-based assessments involving third-country transfers – Microsoft has launched the EU Data Boundary project (https://aka.ms/MSEUDataBoundary), which is being implemented and will roll out starting January 1, 2023.
Over recent years, the requirements for technical documentation and risk assessments have increased – even for sub-processors. Companies like Scalepoint find it difficult to obtain the documentation they need from Microsoft. What is your view on Microsoft’s documentation access – and are there plans to improve it?
Microsoft operates over 300 cloud services and provides extensive documentation for both the platforms and specific services – available via our Service Trust Portal (https://aka.ms/STP). This includes whitepapers, standard certifications, audit reports and more. In Denmark, we’ve also tried to help customers and partners navigate and understand the materials through resources like our Cloud Governance Whitepaper (https://aka.ms/MSCloudGovernance), with ongoing updates here: https://aka.ms/MSCloudComplianceRoundtable2022. Additionally, we share anonymised customer use cases such as our Compliance Package (https://aka.ms/MSCompliancePakkeSummary).
Is it correct that Microsoft – in cooperation with the Danish Data Protection Authority and a public institution – helped define sufficient safeguards for data processing in MS Azure? Can you share a few examples of these safeguards?
Yes – together with a municipality and their legal advisor, and with the Danish Data Protection Authority acting in an advisory role, we co-developed a compliance package that the municipality has now shared anonymously. The package outlines both the standard and additional safeguards the municipality chose to implement. It’s not just one or two controls that make the difference – it all depends on the data, processing activities, and identified risks. In this case, the municipality implemented 41 mitigating measures across legal, organisational, and technical domains.
Would you say most organisations using MS Azure could implement similar measures and thus ensure lawful data processing?
While I can’t speak on behalf of the authorities, my opinion is yes. That said, every solution must be assessed individually, and the risks addressed appropriately. In most cases, the legislation doesn’t require servers to be physically located in Denmark. Only a few systems fall under the Danish Data Protection Act’s §3(9) (location requirement). And once Microsoft’s new data center region, Denmark EAST, is operational, even those systems can use Microsoft Cloud. You can read more here: https://aka.ms/DigitalLeapDenmark
What is Microsoft’s “Black Forest” setup, and is it true that it was only implemented in Germany? Why Germany specifically?
“Black Forest” was a concept introduced in Germany in 2015 but shut down around 2020. It involved a German operator (T-Systems) acting as data processor and “Data Trustee”, with Microsoft completely hands-off. This setup was based on wishes – not legal requirements – from some German authorities that MS Online Services should be operated by “German hands”. We closed it due to lack of demand and no viable business case. These models often become too expensive and fail to deliver parity with Microsoft’s standard hyper-scale cloud, leading to degraded services. Plus, the third-party operators often need Microsoft’s involvement anyway. We’re not ruling it out entirely – there may be special cases where it makes sense – but for the vast majority of use cases, it’s simply not practical from a functionality, security, or compliance standpoint.
About Ole Kjeldsen
Ole Kjeldsen is Director of Technology & Security at Microsoft Denmark & Iceland. With over 20 years of experience at Microsoft Denmark, he has deep expertise in compliance, governance and digital infrastructure. He works to align Microsoft’s offerings with societal needs and represents the company in organisations such as Dansk Industri, Dansk Erhverv, Dansk Standard, and the Council for Digital Security. He also serves on the board of DK Hostmaster.