Azure GDPR Control Mapping 5.24.18

The controls in this spreadsheet will be updated from time to time as Microsoft incorporates new controls and tests
existing c
The relationship between the GDPR Articles and the Microsoft service controls is organized by a set of privacy and security co
techniques -- Enhancement to ISO/IEC 27001 for privacy management – Requirements. (To purchase a copy of the complete d
These control mappings are focused specifically on GDPR obligations. Microsoft Services implement these and other controls
NIST 800-171, UK G-Cloud, and many others. Visit our compliance offering list at https://www.microsoft.com/en-us/trustcent
Those controls marked “Primary” in the mapping also appear in the Compliance Manager under Microsoft Managed Controls
Use of these files is governed by the agreement under which you obtained these services and may not be used to reverse eng
[Revised 5.24.18]
Description of Headings in file (tab 3)
Column Heading
ISO Control Number
ISO Control Title
Microsoft Service Control ID
Microsoft Service Control Title
Primary/Secondary
GDPR Article
GDPR Article Text
will be updated from time to time as Microsoft incorporates new controls and tests existing controls. Please review the date of the downloa
PR Articles and the Microsoft service controls is organized by a set of privacy and security controls, labeled “ISO Control Number” and “ISO
/IEC 27001 for privacy management – Requirements. (To purchase a copy of the complete draft ISO standard, please visit https://shop.bsig
ed specifically on GDPR obligations. Microsoft Services implement these and other controls to support security and data protection, includ
any others. Visit our compliance offering list at https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings.
in the mapping also appear in the Compliance Manager under Microsoft Managed Controls, allowing you to use them to track, assign, and
he agreement under which you obtained these services and may not be used to reverse engineer or competitively benchmark any Microso
Description of information in the column

Clause number in ISO/IEC CD 27552
Clause Title in ISO/IEC CD 27552
ID number used by the Microsoft Service to designate the control
Title of Microsoft Service Control
Rows marked “Primary” represent, in Microsoft’s opinion, a direct relationship between an ISO control,
an GDPR article and a Microsoft Service Control. These controls appear in the Compliance manager under
Microsoft Managed Controls.
GDPR Article Number
Text of GDPR Article
review the date of the download on this tab and check the download page for the latest version.
ISO Control Number” and “ISO Control Title.” The numbers and titles are drawn from ISO/IEC CD 27552 Information technology -- Security
rd, please visit https://shop.bsigroup.com/ProductDetail?pid=000000000030372571.)
rity and data protection, including to support certifications to standards including FedRamp, HIPAA/HITECH, ISO 27001, ISO 27002, ISO 270
complianceofferings.
o use them to track, assign, and verify your organization's regulatory compliance activities with respect to Microsoft cloud services.
titively benchmark any Microsoft software, service, or technology.
n technology -- Security
7001, ISO 27002, ISO 27018,
ft cloud services.
Azure includes:
API Management
App Service (API Apps Logic Apps Mobile Apps Web Apps)
Application Gateway
Application Insights
Automation
Azure Active Directory
Azure Container Service
Azure Cosmos DB (formerly DocumentDB)
Azure DevTest Labs
Azure DNS
Azure Information Protection (including Azure Rights Management)
Azure Resource Manager
Backup
Batch
BizTalk Services
Cloud Services
Data Catalog
Data Factory
Data Lake Analytics
Data Lake Store
Event Hubs
Express Route
Functions
HDInsight
Import/Export
IoT Hub
Key Vault
Load Balancer
Log Analytics (formerly Operational Insights)
Azure Machine Learning Studio
Media Services
Microsoft Azure Portal
Multi-Factor Authentication
Notification Hubs
Power BI Embedded
Redis Cache
Scheduler
Security Center
Service Bus
Service Fabric
Site Recovery
SQL Data Warehouse
SQL Database
SQL Server Stretch Database
Storage StorSimple
Stream Analytics
Traffic Manager
Virtual Machines
Virtual Machine Scale Sets
Virtual Network
Visual Studio Team Services
VPN Gateway
Visual Studio Team Services
VPN Gateway
Product ISO Control Nu ISO Control Title Microsoft Servic
Azure 5.2.2 Understanding the needs and expec

1130
Azure 5.2.3 Determining the scope of the inf 1130
Azure 5.2.4 Information security management1130
Azure 5.3 Planning 1250
Azure 5.3 Planning 1130
Azure 6.10.1 Information transfer policies and 1140

procedures
procedures
procedures
Azure 6.10.2 Confidentiality or non-disclosure 1195
Azure 6.11.1 Securing application services on p1140

Azure 6.11.2 Secure systems engineering princi1140
Azure 6.12 Supplier relationships 1545
Azure 6.13.1 Management of information secur1140
Azure 6.13.2 Responsibilities and procedures 1140


Azure 6.13.3 Response to information security 1140


Azure 6.15.2 Independent review of informatio405
Azure 6.15.3 Technical compliance review 1140
Azure 6.2 Information security policies 1141
Azure 6.2 Information security policies 1142
Azure 6.3 Organization of information securi1705
Azure 6.4 Human resource security 1705
Azure 6.5.1 Classification of information 225
Azure 6.5.2 Management of removable media1140

Azure 6.5.3 Physical media transfer 935
Azure 6.6.1 User access management 175
Azure 6.6.1 User access management 715
Azure 6.6.2 User registration and de-registrat 1140
Azure 6.6.3 User access provisioning 1140

Azure 6.6.4 Management of privileged access 1140
Azure 6.6.5 Secure log-on procedures 1140
Azure 6.7 Cryptography 1140
Azure 6.8.1 Secure disposal or re-use of equi 1140

Azure 6.8.2 Clear desk and clear screen policy1140
Azure 6.9.1 Separation of development, testi 1140
Azure 6.9.2 Information backup 1140

Azure 6.9.3 Event logging 1140
Azure 6.9.3 Event logging 387
Azure 6.9.4 Protection of log information 1140
Azure 8.2.1 Cooperation agreement 1141
Azure 8.2.2 Organization’s purposes 1445

Azure 8.2.4 Infringing instruction 1141
Azure 8.2.4 Infringing instruction 1142
Azure 8.2.5 PII controller obligations 1141
Azure 8.2.6 Records related to processing PII 1140

Azure 8.3.1 Obligations to PII principals 1141
Azure 8.4.1 Temporary files 1140
Azure 8.4.2 Return, transfer or disposal of PII 1140

Azure 8.4.3 PII transmission controls 1141
Azure 8.5.1 Basis for transfer of PII 1141

Azure 8.5.2 Countries and organizations to wh1140
Azure 8.5.3 Records of PII disclosure to third p1715
Azure 8.5.3 Records of PII disclosure to third p387
Azure 8.5.4 Notification of PII disclosure requ 1740

Azure 8.5.5 Legally binding PII disclosures 1740
Azure 8.5.6 Disclosure of subcontractors used1142
Azure 8.5.7 Engagement of a subcontractor to1142

Azure 8.5.8 Change of subcontractor to proces1142

Microsoft Service Control Title Primary/Secondary GDPR Article
Microsoft C+E maintains documentation to suMaster (31)
Microsoft C+E maintains documentation to suMaster (32)(2)
Azure Global Ecosystem performs risk assessme

Secondary (32)(2)
MCIO Risk Management team performs a securit

Secondary (32)(2)
Microsoft C+E maintains documentation to suSecondary (32)(2)

Master (32)(2)
MCIO Risk Management team performs a securit

Master (32)(2)
Microsoft C+E employs independent assessorsSecondary (32)(2)

Master (32)(1)(b)
Microsoft C+E maintains documentation to suSecondary (32)(2)
Microsoft develops, documents and dissemina

Secondary (5)(1)(f)
Microsoft C+E documents and disseminates Sta

Secondary (5)(1)(f)
Microsoft C+E encrypts digital media assets via

Master (5)(1)(f)
Microsoft C+E approves the transport of digitaSecondary (5)(1)(f)
Microsoft C+E requires personnel to sign non-Master (28)(3)(b)
Microsoft C+E supplier contracts are reviewe Secondary (28)(3)(b)
Policy including information on Microsoft’s s Master (5)(1)(f)
Microsoft C+E supplier contracts are reviewe Secondary (5)(1)(f)

Secondary (32)(1)(a)

Internal communication between key Azure co

Microsoft C+E ensures customer data communic
Master (32)(1)(a)

Secondary (5)(1)(f)
Microsoft C+E maintains documentation and Secondary

makes publicly available through
(5)(1)(f)organizational websites or otherwise:
1) Privacy program information, including data protection policies and instructions to action on a data subject request;
Microsoft C+E documents and disseminates Sta Secondary (5)(1)(f)
2) Data residency and transfer policy (including abstracted data flow maps, legal safeguards and justification for transfer);
Internal communication between key Azure co Secondary (5)(1)(f)
3) Data protection policy description including security, processor/controller commitment, privacy by design and default, back
4) Incidentdevelops,
Microsoft management process.
documents and dissemina
Secondary (25)(1)

Secondary (25)(1)
Microsoft C+E requires service teams apply inMaster (25)(1)
Microsoft C+E supplier contracts are reviewe Secondary (28)(1)
To ensure subcontractor accountability, all Secondary (28)(1)
Prior to engaging in Azure services, Microsof Master (28)(1)
Microsoft C+E documents the information sy Secondary (28)(1)
To ensure subcontractor accountability, all Secondary (30)(2)(d)
Microsoft C+E maintains a list of subcontractoSecondary (32)(1)(b)

Secondary (33)(2)

Secondary (33)(2)
Microsoft C+E reports customer-reportable seMaster (33)(2)

Secondary (33)(1)

Secondary (33)(1)


Microsoft C+E monitors the Azure platform for
Microsoft C+E determines a set of auditable Secondary (33)(3)(a)
Microsoft C+E components are configured to Secondary

l (33)(3)(a)
Microsoft C+E reviews auditable events via evSecondary (33)(3)(a)
Microsoft C+E has an incident handling capabiSecondary (33)(3)(a)

Secondary (33)(3)(b)


Microsoft C+E determines a set of auditable Secondary (33)(3)(b)

l (33)(3)(b)
Microsoft C+E reviews auditable events via eve

Microsoft C+E has an incident handling capabiSecondary (33)(3)(b)

Secondary (33)(3)(c)


Microsoft C+E determines a set of auditable Secondary (33)(3)(c)

l (33)(3)(c)

Microsoft C+E has an incident handling capabSecondary (33)(3)(c)

Secondary (33)(3)(d)


Microsoft C+E determines a set of auditable Secondary (33)(3)(d)

l (33)(3)(d)

Microsoft C+E has an incident handling capabiSecondary (33)(3)(d)

Secondary (33)(4)

(33)(4)organizational websites or otherwise:
Microsoft C+E documents and disseminates Sta Secondary (33)(4)
Microsoft develops, documents and dissemina Secondary (33)(5)
4) IncidentC+E
Microsoft management
documentsprocess.
and disseminates Sta
Secondary (33)(5)
Microsoft C+E has an incident handling capabiSecondary (33)(5)

Microsoft develops, documents and dissemina Secondary (5)(1)(f)
4) IncidentC+E
has an incident handling capabiSecondary (5)(1)(f)

Secondary (33)(2)

Secondary (33)(2)



Microsoft C+E determines a set of auditable Secondary (33)(3)(a)

l (33)(3)(a)
Microsoft C+E reviews auditable events via evSecondary (33)(3)(a)
Microsoft C+E has an incident handling capabiSecondary (33)(3)(a)



Microsoft C+E determines a set of auditable Secondary (33)(3)(b)

l (33)(3)(b)

Microsoft C+E has an incident handling capabiSecondary (33)(3)(b)



Microsoft C+E determines a set of auditable Secondary (33)(3)(c)

l (33)(3)(c)

Microsoft C+E has an incident handling capabSecondary (33)(3)(c)



Microsoft C+E determines a set of auditable Secondary (33)(3)(d)

l (33)(3)(d)

Microsoft C+E has an incident handling capabiSecondary (33)(3)(d)

Secondary (33)(5)

Secondary (33)(5)
Microsoft C+E has an incident handling capabiSecondary (33)(5)

Microsoft C+E manages a control state monitoSecondary (32)(1)(d)
Microsoft C+E employs independent assessorsMaster (32)(1)(d)
4) IncidentC+E
manages aprocess.
control state monitoSecondary (32)(2)


Microsoft C+E employs independent assessorsSecondary (32)(1)(d)
Microsoft C+E performs internal penetration Secondary (32)(1)(d)

Secondary (32)(2)

Secondary (32)(2)
Microsoft C+E performs internal penetration Secondary (32)(2)
Microsoft C+E employs an independent penetr

Master (32)(2)
Microsoft C+E maintains documentation and Master

Policy including information on Microsoft’s s Secondary (24)(2)
Microsoft maintains a description of data proMaster (37)(1)(a)
4) Incidentmaintains
Microsoft management process. of data proMaster
a description (39)(1)(b)
Microsoft C+E classifies personal data in ac Master (32)(2)

Secondary (5)(1)(f)

Microsoft C+E establishes usage restrictions Master (5)(1)(f)
Microsoft C+E encrypts digital media assets via
Master (32)(1)(a)
4) IncidentC+E
approves the transport of digitaSecondary (32)(1)(a)

Secondary (5)(1)(f)

Secondary (5)(1)(f)
Microsoft C+E approves the transport of digitaSecondary (5)(1)(f)
Microsoft C+E establishes usage restrictions Secondary (5)(1)(f)
External access by non-organizational users t Master (5)(1)(f)

Secondary (5)(1)(f)

Secondary (5)(1)(f)
Microsoft C+E grants temporary access for AzSecondary (5)(1)(f)
Microsoft C+E has procedures in place to aut Master (5)(1)(f)
Microsoft C+E terminates temporary access toSecondary (5)(1)(f)
Microsoft C+E service teams or security grou Master (5)(1)(f)

Secondary (5)(1)(f)

Secondary (5)(1)(f)
Microsoft C+E grants temporary access for AzMaster (5)(1)(f)
Microsoft C+E service teams or security grou Master (5)(1)(f)
Microsoft C+E establishes and administers priSecondary (5)(1)(f)
Microsoft C+E employs the principle of least Master (5)(1)(f)

Secondary (5)(1)(f)

Secondary (5)(1)(f)
Microsoft C+E determines a set of auditable Secondary (5)(1)(f)

l (5)(1)(f)
Microsoft uniquely identifies and authenticatSecondary (5)(1)(f)
Microsoft C+E administrative access to the SerMaster (5)(1)(f)

Secondary (5)(1)(f)

Secondary (5)(1)(f)
External access by non-organizational users t Master (5)(1)(f)
Microsoft C+E provides a mechanism for author

Secondary (5)(1)(f)
Customer credentials used to access Azure serMaster (5)(1)(f)


Cryptographic certificates, keys, customer a Master (32)(1)(a)
Cryptographic controls are used for informat Secondary (32)(1)(a)

Secondary (5)(1)(f)

Secondary (5)(1)(f)
Confidential documents are cross-shredded orSecondary (5)(1)(f)
Microsoft C+E customer data is retained and Master (5)(1)(f)
Microsoft C+E customer data is retained and Secondary (5)(1)(f)
Hard drives and offsite backup tapes are dispoSecondary (5)(1)(f)
Prior to reuse, Microsoft C+E cleanses/purgesMaster (5)(1)(f)

Secondary (5)(1)(f)

Microsoft C+E has included a clear desk and cMaster (5)(1)(f)
4) Incident management
Confidential process.
documents are cross-shredded orSecondary (5)(1)(f)
Microsoft C+E grants temporary access for AzSecondary (5)(1)(f)

Secondary (5)(1)(f)

Secondary (5)(1)(f)
Microsoft C+E has established prcoedures agai

Master (5)(1)(f)
'The production environment is separated fr Master (5)(1)(f)


Critical Azure components have been designed

Backups of key Azure service components andSecondary

s (32)(1)(c)
Microsoft C+E backs up data for properties baSecondary (32)(1)(c)
Microsoft C+E monitors backups and investigaSecondary (32)(1)(c)
Backup restoration procedures are defined anMaster (32)(1)(c)
Microsoft C+E services are configured to aut Secondary (32)(1)(c)

Secondary (5)(1)(f)

Secondary (5)(1)(f)
Critical Azure components have been designed

Secondary (5)(1)(f)
Backups of key Azure service components andSecondary

s (5)(1)(f)
Microsoft C+E backs up data for properties baSecondary (5)(1)(f)
Microsoft C+E monitors backups and investigaSecondary (5)(1)(f)
Microsoft C+E services are configured to aut Secondary (5)(1)(f)

Secondary (5)(1)(f)
Microsoft C+E makes available customer auditMaster (5)(1)(f)

Secondary (5)(1)(f)

Secondary (5)(1)(f)
Microsoft C+E protects audit information fro Master (5)(1)(f)
Microsoft C+E retains audit records for a def Master (5)(1)(f)

(28)(3)(e)
organizational websites or otherwise:
Microsoft C+E creates and implements for new Secondary (28)(3)(e)
Prior to engaging in Azure services, Microsof Secondary (28)(3)(e)
4) IncidentC+E
maintains aprocess.
mechansim that ena
Secondary (28)(3)(e)
Microsoft C+E analyzes and tests software r Secondary (28)(3)(e)
Microsoft C+E supplier contracts are reviewe Secondary (28)(3)(f)
Prior to engaging in Azure services, Microsof Secondary (28)(9)
Microsoft C+E maintains documentation to e Secondary (35)(1)
Customer Data is stored in customer-specifiedSecondary (28)(3)(a)
Prior to engaging in Azure services, Microsof Master (28)(3)(a)
C+E Security Education and Awareness (CESEA)


Customer data is automatically replicated witSecondary (28)(3)(a)

(29) organizational websites or otherwise:
Data subject requests received from customerMaster (29)
Microsoft C+E provides a mechanism for author Secondary (29)
4)
C+EIncident
Securitymanagement process.
Education and Awareness (CESEA)
Secondary (32)(4)

Secondary (32)(4)

(5)(1)(b)
Policy including information on Microsoft’s s Secondary (5)(1)(b)
(28)(3)(h)
4) Incident
Policy management
including process.
information on Microsoft’s s Secondary (28)(3)(h)
(28)(3)(h)
4) Incident
Prior management
to engaging in Azureprocess.
services, Microsof Secondary (28)(3)(h)
C+E Security Education and Awareness (CESEA) Secondary (28)(3)(h)
4)
C+EIncident
Securitymanagement process.
Education and Awareness (CESEA)
Secondary (28)(3)(h)
Microsoft C+E manages a control state monitoSecondary (28)(3)(h)
Microsoft C+E employs independent assessorsSecondary (28)(3)(h)
Microsoft C+E reports customer-reportable seSecondary (28)(3)(h)


Microsoft C+E performs a Data Protection ImpSecondary (30)(2)(a)
Prior to engaging in Azure services, Microsof Secondary (30)(2)(a)
Microsoft C+E procedures and guidelines for Secondary (30)(2)(a)
Microsoft C+E protects audit information fro Master (30)(2)(a)


Microsoft C+E performs a Data Protection ImpSecondary (30)(2)(b)
Prior to engaging in Azure services, Microsof Secondary (30)(2)(b)
Microsoft C+E procedures and guidelines for Secondary (30)(2)(b)

Secondary (30)(3)

Secondary (30)(3)
Microsoft C+E performs a Data Protection ImpSecondary (30)(3)
Microsoft C+E procedures and guidelines for Secondary (30)(3)

(28)(3)(e)
Microsoft C+E maintains a mechansim that ena Master (28)(3)(e)
4) Incidentdevelops,
documents and dissemina
Secondary (5)(1)(c)

Secondary (5)(1)(c)
Microsoft C+E has defined Data Protection PolSecondary (5)(1)(c)
Microsoft C+E customer data is retained and Master (5)(1)(c)

Secondary (28)(3)(g)

(28)(3)(g)
Microsoft C+E documents and disseminates Sta Secondary (28)(3)(g)
Microsoft C+E customer data is retained and Master (28)(3)(g)
4) IncidentC+E
maintains aprocess.
mechansim that ena
Microsoft C+E monitors compliance against da

Secondary (30)(1)(f)

(30)(1)(f)
Microsoft C+E maintains a mechansim that ena Secondary (30)(1)(f)
4) IncidentC+E
Microsoft management process. against da
monitors compliance Secondary (30)(1)(f)

Internal communication between key Azure co Secondary (5)(1)(f)
Microsoft C+E ensures customer data communic Master (5)(1)(f)
4) IncidentC+E
maintains documentation and Master
(44) organizational websites or otherwise:
Customer Data is stored in customer-specifiedSecondary (44)
Prior to engaging in Azure services, Microsof Secondary (44)
4) IncidentC+E
Microsoft management process. data with Secondary
will share personal (44)
Customer Data is stored in customer-specifiedSecondary (46)(1)
Prior to engaging in Azure services, Microsof Secondary (46)(2)(c)
Prior to engaging in Azure services, Microsof Secondary (46)(2)(d)
Prior to engaging in Azure services, Microsof Secondary (46)(2)(f)
Customer Data is stored in customer-specifiedSecondary (48)

Microsoft maintains a description of online Secondary (48)
Microsoft C+E will share personal data with Secondary (48)
Prior to engaging in Azure services, Microsof Secondary (49)(1)(f)
Prior to engaging in Azure services, Microsof Secondary (49)(1)(g)

Master (30)(2)(c)

Microsoft C+E performs a Data Protection ImpSecondary (30)(2)(c)
Microsoft C+E maintains documentation to e Secondary (30)(2)(c)
Microsoft C+E performs a Data Protection ImpMaster (30)(1)(d)
Microsoft C+E makes available customer auditSecondary (30)(1)(d)
Prior to engaging in Azure services, Microsof Master (28)(3)(a)


Data subject requests received from customerSecondary (28)(3)(a)
Prior to engaging in Azure services, Microsof Master (48)

Secondary (28)(2)
Microsoft C+E maintains a list of subcontractoMaster (28)(2)

Secondary (28)(2)

Secondary (28)(2)

Secondary (28)(2)
Microsoft C+E maintains a list of subcontractoSecondary (28)(2)

Secondary (28)(2)

Secondary (28)(2)

Microsoft C+E supplier contracts are reviewe Master (28)(3)(d)
Microsoft C+E maintains a list of subcontractoSecondary (28)(3)(d)
To ensure subcontractor accountability, all Master (28)(3)(d)




Secondary (28)(2)
Microsoft C+E supplier contracts are reviewe Master (28)(2)
Microsoft C+E maintains a list of subcontractoSecondary (28)(2)

Secondary (28)(2)

Secondary (28)(2)
GDPR Article Text
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the superviso
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing,
unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processin
freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measu
as appropriate:
In
(b)assessing
the abilitythe
to appropriate level of security
ensure the ongoing accountintegrity,
confidentiality, shall be availability
taken in particular of the risks
and resilience that are presented
of processing by services;
systems and processing,
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
using appropriate technical or organisational measures ('integrity and confidentiality')
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and catego
contract or other legal act shall stipulate, in particular, that the processor:
Processing
(b) ensuresby a processor
that shall be governed
persons authorised to processby the
a contract ordata
personal otherhave
legalcommitted
act under themselves
Union or Member State law, that
to confidentiality is binding
or are under a
Personal data
(b) ensures shall
that be: authorised to process the personal data have committed themselves to confidentiality or are under a
persons
as appropriate:
Taking
(a) the into account the state
pseudonymisation andof the art, the
encryption of costs of implementation
personal data; and the nature, scope, context and purposes of processin
as appropriate:
Taking
as appropriate:
(a) the pseudonymisation and encryption of personal data;
as appropriate:
Personal data shall be: and encryption of personal data;
(a) the pseudonymisation
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing
freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means
appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protecti
Taking into
integrate account
the the safeguards
necessary state of theinto
art, the
the processing
cost of implementation and the
in order to meet the requirements
nature, scope,ofcontext and purposes
this Regulation of processing
and protect the ri
Taking into
integrate account
the the safeguards
necessary state of theinto
art, the
the processing
cost of implementation and the
in order to meet the requirements
nature, scope,ofcontext and purposes
this Regulation of processing
and protect the ri
Where processing
integrate is to be
the necessary carried out
safeguards onthe
into behalf of a controller,
processing in order the controller
to meet shall use onlyofprocessors
the requirements providing
this Regulation sufficient
and protect thegua
ri
in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the d
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient gua
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing ac
(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
as appropriate:
The processor
(b) the shall
ability to notify
ensure thethe controller
ongoing without undue
confidentiality, delay availability
integrity, after becoming aware of aofpersonal
and resilience datasystems
processing breach.and services;
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours aft
supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to
supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data
personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information c
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, whe
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in pha
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effect
supervisory authority to verify compliance with this Article.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller sha
undue delay.

The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the
and the recommendations provided for in points (b), (c) and (d) of Article 33(3).
as appropriate:
Taking into account
(d) a process the state
for regularly of the
testing, art, the and
assessing costsevaluating
of implementation and the of
the effectiveness nature, scope,
technical andcontext and purposes
organisational of processin
measures for ensu
as appropriate:
In
(d)assessing
a processthe
forappropriate level of
regularly testing, securityand
assessing account shall be
evaluating thetaken in particular
effectiveness of the risks
of technical andthat are presented
organisational by processing,
measures for ensu
as appropriate:
Taking into account
measures for ensu
as appropriate:
Taking into account
measures for ensu
as appropriate:
Taking into account
measures for ensu
as appropriate:
In
(d)assessing
a processthe
forappropriate level of
regularly testing, securityand
assessing account shall be
evaluating thetaken in particular
effectiveness of the risks
of technical andthat are presented
organisational by processing,
measures for ensu
Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementa
Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementa
The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
The data protection officer shall have at least the following tasks:
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the po
personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing opera
as appropriate:
(a) the pseudonymisation and encryption of personal data;
as appropriate:
Taking
as appropriate:
as appropriate:
Taking
as appropriate:
Taking
as appropriate:
Taking
as appropriate:
as appropriate:
Taking into account
(c) the ability the state
to restore of the art,and
the availability the access
costs oftoimplementation
personal data inand the nature,
a timely manner scope,
in thecontext and
event of purposes
a physical orof processin
technical in
as appropriate:
Taking into account
in thecontext and
event of purposes
technical in
as appropriate:
Taking into account
in thecontext and
event of purposes
technical in
as appropriate:
Taking into account
in thecontext and
event of purposes
technical in
as appropriate:
Taking into account
in thecontext and
event of purposes
technical in
as appropriate:
Taking into account
in thecontext and
event of purposes
technical in
as appropriate:
Taking into account
in thecontext and
event of purposes
technical in
as appropriate:
Personal datato
(c) the ability shall be: the availability and access to personal data in a timely manner in the event of a physical or technical in
restore
Processing by aaccount
(e) taking into processor
theshall be of
nature governed by a contract
the processing, assistsorthe
other legal act
controller byunder Union or
appropriate Member
technical andState law, that is measure
organisational binding
subject-matter and duration of the processing, the nature and purpose of the processing,
to respond to requests for exercising the data subject's rights laid down in Chapter III; the type of personal data and catego
theshall be of
other legal act
appropriate Member
subject-matter and duration
to respond to requests of the processing,
for exercising the nature
the data subject's andlaid
rights purpose
downof inthe processing,
Chapter III; the type of personal data and catego
theshall be of
other legal act
appropriate Member
theshall be of
other legal act
appropriate Member
rights purpose
theshall be of
other legal act
appropriate Member
The contract
(f) assists the or the other
controller inlegal act referred
ensuring to inwith
compliance paragraphs 3 and 4 pursuant
the obligations shall be intowriting,
Articlesincluding
32 to 36 in electronic
taking form. the natur
into account
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpo
freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisag
assessment may address a set of similar processing operations that present similar high risks.
Processing bythe
(a) processes a processor
personalshall
data be governed
only by a contract
on documented or otherfrom
instructions legalthe
actcontroller,
under Union or Member
including State law,
with regard that is binding
to transfers of per
subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal
required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall data and catego
inform th
contract
prohibitsor other
such legal act
information shall
on stipulate,
important in particular,
grounds of that
public the processor:
interest;
Processing bythe
personalshall
data be governed
only by a contract
actcontroller,
to transfers of per
subject-matter and
required to do so byduration
Union orofMember
the processing,
State lawthe
tonature
which and purpose ofisthe
the processor processing,
subject; in suchthe typethe
a case, of personal
processordata and
shall catego
inform th
contract
prohibitsor other
such legal act shall
information on stipulate,grounds
of thatinterest;
Processing bythe
personalshall
data be governed
only by a contract
actcontroller,
to transfers of per
inform th
contract
prohibitsor other
such legal act
information shall
on stipulate,
grounds of that
interest;
Processing bythe
personalshall
data be governed
only by a contract
actcontroller,
to transfers of per
subject-matter and
Union orofMember
the processing,
State lawthe
tonature
a case, of personal
processordata and
shall catego
inform th
contract
prohibitsor other
information stipulate,grounds
on important in particular, thatinterest;
of public the processor:
(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of per
required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform th
prohibits such information on important grounds of public interest;
The processor and any person acting under the authority of the controller or of the processor, who has access to personal dat
unless required to do so by Union or Member State law.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or
except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or
except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with th
interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be consider
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with th
interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be consider
Processing by a processor
(h) makes available to the shall be governed
controller by a contract
all information or other
necessary legal act under
to demonstrate Union orwith
compliance Member State law, laid
the obligations thatdown
is binding
in th
subject-matter and duration of the processing, the nature and purpose
conducted by the controller or another auditor mandated by the controller. of the processing, the type of personal data and catego
Processing
(h) makes by a processor
available to(h)
the shall be governed by a contract or other legal act under Union orwith
Member State law, laidthatdown
is binding
With regard
subject-matterto point ofcontroller
andcontroller
duration the
offirst
all information
subparagraph,
the processing, thethenecessary
nature and
to shall
processor demonstrate
purpose
compliance
immediately inform the
of the processing,
the obligations
the type
controller if, in itsdata
of personal opinion, in th
an
and catego in
conducted
protection by the
provisions. or another auditor mandated by the controller.
Processing
available to(h)
is binding
With regard
subject-matterto point
and ofcontroller
duration the
of first
the
all information
subparagraph,
processing, thethenecessary
nature and
to shall
purpose of the
compliance
processing,
the obligations
the type
controller
of if, in itsdata
personal opinion,
and
in th
an
categoin
conducted
protection by the controller
Processing
available to(h)
is binding
With regard
andcontroller
duration the
offirst
all information
subparagraph,
nature and
to shall
purpose
compliance
of the processing,
the obligations
the type
an
and catego in
conducted
protection by the
Processing
available to(h)
is binding
With regard
and ofcontroller
duration the
of first
the
all information
subparagraph,
nature and
to shall
purpose of the
compliance
processing,
the obligations
the type
controller
of if, in itsdata
personal opinion,
and
in th
an
categoin
conducted
Processing
available to(h)
is binding
With regard
andcontroller
duration the
offirst
all information
subparagraph,
nature and
to shall
purpose
compliance
of the processing,
the obligations
the type
an
and catego in
conducted
protection by the
Processing
available to(h)
is binding
With regard
and ofcontroller
duration the
of first
the
all information
subparagraph,
nature and
to shall
purpose of the
compliance
processing,
the obligations
the type
controller
of if, in itsdata
personal opinion,
and
in th
an
categoin
conducted
Processing
available to(h)
is binding
With regard
andcontroller
duration the
offirst
all information
subparagraph,
nature and
to shall
purpose
compliance
of the processing,
the obligations
the type
an
and catego in
conducted
protection by the
Each
(h) processor
makes and,to
available where
the applicable,
controller allthe processor's
information representative
necessary to shall shall maintain
demonstrate a record
compliance of the
with all categories
obligations oflaid
processing
downan in ac
th
With
(a) theregard
name to point
and (h)
contact ofdetails
the first
of subparagraph,
the processor the
or processor
processors and of immediately
each inform
controller on the controller
behalf of which if,the
in its opinion,
processor is in
acti
conducted
representative, and the data protection officer;
With
(a) theregard
nameto point
and (h) ofdetails
contact the first
of subparagraph,
the processor orthe processorand
processors shallofimmediately inform
each controller the controller
on behalf of whichif,thein its opinion,isan
processor in
acti
protection provisions.
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acti
(b) the categories of processing carried out on behalf of each controller;
The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
theshall be of
other legal act
appropriate Member
rights purpose
theshall be of
other legal act
appropriate Member
Personal
(e) takingdata
into shall be: the nature of the processing, assists the controller by appropriate technical and organisational measure
account
(c) adequate,
to respond to relevant
requestsand limited to what
for exercising is necessary
the data subject's in relation
rights to thein
laid down purposes
Chapterfor
III; which they are processed ('data minimis
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimis
(g) at the choice shall be deletes
of the controller, governed or by a contract
returns all theorpersonal
other legal
dataact
tounder Union orafter
the controller Member State
the end of law, that is binding
the provision of ser
subject-matter and duration of the processing, the
Member State law requires storage of the personal data; nature and purpose of the processing, the type of personal data and catego
other legal
dataact
subject-matter
Member State lawandrequires
durationstorage
of the processing, the nature
of the personal data; and purpose of the processing, the type of personal data and catego
other legal
dataact
subject-matter and duration of the processing, the
Member State law requires storage of the personal data; nature and purpose of the processing, the type of personal data and catego
other legal
dataact
subject-matter
Member State lawandrequires
durationstorage
of the processing, the nature
of the personal data; and purpose of the processing, the type of personal data and catego
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of ser
Member State law requires storage of the personal data;
Each
(g) at controller
the choiceand, where
of the applicable,
controller, theor
deletes controller's
returns allrepresentative, shall
the personal data tomaintain a record
the controller ofthe
after processing activities
end of the under
provision its
of ser
(f) whereState
Member possible,
law the envisaged
requires time
storage limits
of the for erasure
personal data;of the different categories of data;
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its
(f) where possible, the envisaged time limits for erasure of the different categories of data;
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country
other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor
an international organisation to another third country or to another international organisation. All provisions in this Chapter sh
Any transfer
persons of personal
guaranteed data
by this which areisundergoing
Regulation processing or are intended for processing after transfer to a third country
not undermined.
Any transfer
persons of personal
guaranteed data
not undermined.
Any transfer
persons of personal
guaranteed data
not undermined.
In the absence
persons of a decision
guaranteed pursuant toisArticle
by this Regulation 45(3), a controller or processor may transfer personal data to a third country o
not undermined.
provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data s
The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from
(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the exa
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller
including as regards data subjects' rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the con
safeguards, including as regards data subjects' rights.
Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1
(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or
enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between
prejudice to other grounds for transfer pursuant to this Chapter.
In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, includin
to a third country or an international organisation shall take place only on one of the following conditions:
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such
In
andthe absence ofsafeguards;
appropriate an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, includin
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementa
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject betw
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subje
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to t
A
ortransfer pursuant
by any person whotocan
point (g) of paragraph
demonstrate 1 shall not
a legitimate involve
interest, butthe entirety
only to the of the personal
extent that the data or entire
conditions laidcategories of theorpeM
down in Union
consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they
Where a transfer
In the absence of could not be based
an adequacy on aUnion
decision, provision in Articles
or Member 45law
State or 46, including
may, the provisions
for important reasonsonof binding corporate
public interest, rules, an
expressly s
(g) of this paragraph is applicable, a transfer to a third country or an international organisation
country or an international organisation. Member States shall notify such provisions to the Commission. may take place only if the trans
necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the intere
assessed
The all theorcircumstances
controller processor shall surrounding data transferasand
document the assessment wellhas
as on
thethe basis of
suitable that assessment
safeguards referredprovided
to in the suitable safegu
second subpar
inform
30. the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Ar
compelling legitimate interests pursued.
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification
transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countrie
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countrie
Processing bythe
personalshall
data be governed
only by a contract
actcontroller,
to transfers of per
inform th
contract
prohibitsor other
such legal act
information shall
on stipulate,
grounds of that
interest;
Processing bythe
personalshall
data be governed
only by a contract
actcontroller,
to transfers of per
subject-matter and
Union orofMember
the processing,
State lawthe
tonature
a case, of personal
processordata and
shall catego
inform th
contract
prohibitsor other
information stipulate,grounds
on important in particular, thatinterest;
of public the processor:
(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of per
required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform th
prohibits such information on important grounds of public interest;
Any judgmentthe
(a) processes of apersonal
court ordata
tribunal
onlyand any decision instructions
on documented of an administrative
from theauthority ofincluding
controller, a third country requiring
with regard a controller
to transfers or
of per
enforceable in any
required to do so bymanner if based
Union or on an
Member international
State law to which agreement, such is
the processor assubject;
a mutual
inlegal
such assistance
a case, thetreaty, in force
processor shallbetween
inform th
prejudice
prohibits to other
such grounds on
information for transfer pursuant
groundsto this Chapter.
The processor shall not engageimportant
another processor ofwithout
public interest;
prior specific or general written authorisation of the controller. In t
controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller t
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In t
Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the sam
between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a c
providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the pro
Where a processor
processor engages
fails to fulfil another
its data processor
protection for carrying
obligations, out specific
the initial processing
processor activities
shall remain on behalf
fully liable of controller
to the the controller, theperf
for the sam
between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a c
providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the pro
The processor
processor fails shall notits
to fulfil engage another processor
data protection without
obligations, priorprocessor
the initial specific orshall
general written
remain fullyauthorisation of the controller.
liable to the controller In t
for the perf
Processing
(d) respectsby a processor
the conditionsshall be governed
referred by a contract
to in paragraphs 2 andor4 other legal act
for engaging under Union
another or Member State law, that is binding
processor;
Processing
processor;
Processing
processor;
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
Processing
processor;
Processing
processor;
The processor
(d) respects theshall not engage
conditions another
referred to inprocessor
paragraphswithout
2 and prior
4 for specific
engagingoranother
generalprocessor;
written authorisation of the controller. In t
xyz abc
Updated

Azure GDPR Control Mapping 5.24.18

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Azure GDPR Control Mapping 5.24.18

Uploaded by

Copyright:

Available Formats

The controls in this spreadsheet will be updated from time to time as Microsoft incorporates new controls and tests

Description of Headings in file (tab 3)

Description of information in the column

7001, ISO 27002, ISO 27018,

Azure 5.2.2 Understanding the needs and expec

Azure 5.2.3 Determining the scope of the inf 1130

Azure 5.2.3 Determining the scope of the inf 1250

Azure 5.2.3 Determining the scope of the inf 1255

Azure 5.2.4 Information security management1130

Azure 5.2.4 Information security management1250

Azure 5.2.4 Information security management1255

Azure 5.2.4 Information security management410

Azure 5.3 Planning 1250

Azure 5.3 Planning 1130

Azure 6.10.1 Information transfer policies and 1140

Azure 6.10.2 Confidentiality or non-disclosure 1195

Azure 6.10.2 Confidentiality or non-disclosure 1545

Azure 6.10.2 Confidentiality or non-disclosure 1142

Azure 6.10.2 Confidentiality or non-disclosure 1545

Azure 6.11.1 Securing application services on p1140

Azure 6.11.1 Securing application services on p1155

Azure 6.11.1 Securing application services on p1365

Azure 6.11.1 Securing application services on p1140

Azure 6.11.1 Securing application services on p1141

Azure 6.11.1 Securing application services on p1155

Azure 6.11.1 Securing application services on p1365

Azure 6.11.2 Secure systems engineering princi1140

Azure 6.11.2 Secure systems engineering princi1155

Azure 6.11.2 Secure systems engineering princi1260

Azure 6.12 Supplier relationships 1545

Azure 6.12 Supplier relationships 1573

Azure 6.12 Supplier relationships 1740

Azure 6.12 Supplier relationships 390

Azure 6.12 Supplier relationships 1573

Azure 6.12 Supplier relationships 1570

Azure 6.13.1 Management of information secur1140

Azure 6.13.1 Management of information secur1155

Azure 6.13.1 Management of information secur870

Azure 6.13.2 Responsibilities and procedures 1140

Azure 6.13.2 Responsibilities and procedures 1155

Azure 6.13.2 Responsibilities and procedures 870

Azure 6.13.2 Responsibilities and procedures 1140

Azure 6.13.2 Responsibilities and procedures 1155

Azure 6.13.2 Responsibilities and procedures 275

Azure 6.13.2 Responsibilities and procedures 285

Azure 6.13.2 Responsibilities and procedures 315

Azure 6.13.2 Responsibilities and procedures 835

Azure 6.13.2 Responsibilities and procedures 1140

Azure 6.13.2 Responsibilities and procedures 1155

Azure 6.13.2 Responsibilities and procedures 1470

Azure 6.13.2 Responsibilities and procedures 275

Azure 6.13.2 Responsibilities and procedures 285

Azure 6.13.2 Responsibilities and procedures 315

Azure 6.13.2 Responsibilities and procedures 835

Azure 6.13.2 Responsibilities and procedures 1140

Azure 6.13.2 Responsibilities and procedures 1155

Azure 6.13.2 Responsibilities and procedures 1470

Azure 6.13.2 Responsibilities and procedures 275

Azure 6.13.2 Responsibilities and procedures 285

Azure 6.13.2 Responsibilities and procedures 315

Azure 6.13.2 Responsibilities and procedures 835

Azure 6.13.2 Responsibilities and procedures 1140

Azure 6.13.2 Responsibilities and procedures 1155