Last updated: February 2020
Your privacy is important to us. We respect the privacy rights of all individuals and we are committed to handling personal data responsibly and in accordance with applicable law. This privacy notice, together with the Addenda and other notices provided at the time of data collection, explains what personal data Microsoft collects about you, how we use this data, and your rights to this data.
Please note that this notice applies to the handling of your personal data as an employee, candidate or as external staff (workers who are not employed by Microsoft that have access to Microsoft facilities and/or Microsoft corporate network access. This could include agency temporary workers, outsourced staff, contractors, and business guests). Microsoft has additional governance and privacy requirements concerning the collection and uses of employee data.
This notice does not cover your use of Microsoft consumer products as a consumer, outside of your regular employment or assignment with Microsoft. Microsoft consumer products may include services, websites, apps, software, servers, and devices. To learn more about Microsoft’s data collection practices that cover your use of Microsoft products as a consumer, please read our Microsoft Privacy Statement.
This notice is not intended and shall not be read to create any express or implied promise or contract for employment, for any benefit, or for specific treatment in specific situations. Nothing in this notice should be construed to interfere with Microsoft’s ability to process employee data for purposes of complying with its legal obligations, or for investigating alleged misconduct or violations of company policy or law, subject to compliance with local legal requirements.
Microsoft's processing of personal data is in all cases subject to the requirements of local law, internal policy, and any consultation requirements with worker representatives (where appropriate). To the extent this notice conflicts with local law in your jurisdictions, local law controls.
We collect, use, and maintain (collectively “process”) different types of personal data about you in the operation of our business. If you are an employee, we process personal data about you (and your dependents, beneficiaries and other individuals associated with your employment) primarily for managing our employment relationship with you and your workplace facilities/information systems interactions. If you are External Staff, the type of personal data we process is limited to what is needed to manage your engagement with Microsoft and access to Microsoft facilities and information systems. If you are a candidate, the type of personal data we process is limited to what is needed to engage with you about Microsoft career opportunities, consideration of your application for employment to specific roles at Microsoft, including candidate screening, interview scheduling and management, lawful background checks, and to onboard you at Microsoft if you receive and accept an offer of employment with us.
The data we process can include the following, but is not limited to:
Name and contact data. Your first and last name, employee identification number, email address, postal address, phone number, photo, beneficiary and emergency contact details, and other similar contact data. Additionally, you may opt to provide Microsoft with additional contact information such as personal email address(es) and/or cell phone number(s).
Demographic data. Your date of birth and gender. We may also collect and process "Sensitive Personal Information" about you in accordance with local requirements and applicable law. This may include any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, trade union membership, or information about your health, disabilities, or sexual orientation. We will use this information to comply with anti-discrimination laws and government reporting obligations and to help ensure equal employment opportunities. We may also request information about your physical or mental condition to provide work-related accommodations, to provide health and insurance benefits to you and your dependents, or to manage absences from work. We may further request, where permitted by law and on a voluntary and consensual disclosure basis, sensitive personal information such as information about your racial/ethnic origin, sexual orientation, veteran status, and disability status. We will use this information on a de-identified and aggregated basis to help provide a more diverse and inclusive workplace through our Diversity, Inclusion and Accessibility programs.
National identifiers. Your national ID/passport, citizenship status, residency and work permit status, social security number, or other taxpayer/government identification number.
Employment details. Your job title/position, office location, employment contract, offer letter, hire date, termination date, performance history and disciplinary records, leave of absence, sick time, and vacation/holiday records.
Spouse/partner and dependents’ information. Your spouse and dependents’ first and last names, dates of birth, and contact details.
Background information. Academic and professional qualifications, education, CV/Resume, credit history and criminal records data (utilized for background check and vetting purposes where permissible and in accordance with applicable law and consultation requirements).
Video, voice and image. We may collect and use video, voice and image data, subject to the requirements of local law, internal policy, and any consultation requirements with worker representatives (where appropriate).
Financial information. Bank account details, tax information, salary, retirement account information, company allowances and other information necessary to administer payroll, taxes and benefits.
Workplace, Device, Usage, and Content data. Emails sent and received, building and information system access, Microsoft device, system and application usage (including telemetry) when accessing and using Microsoft corporate buildings and assets.
We may also collect personal data about you from third parties or public sources as needed to support the employment relationship or to engage with you concerning job opportunities at Microsoft. For example, before and during the course of your employment or assignment with Microsoft, we may collect information from public social media sources, such as your LinkedIn profile, for recruitment purposes. We also may conduct lawful background screenings, to the extent permitted by law, through a third-party vendor for information about your past education, employment, credit and/or criminal history. In the event of a natural disaster or other life/safety emergency, we may rely on public social media posts or other public sources to account for employees if otherwise unable to contact them. Additionally, if there is an investigation of an employee matter, we may obtain information relevant to the incident from external sources including private parties, law enforcement or public sources like news sources and public social media posts.
In some limited circumstances, we may collect personal data for research purposes or other non-employment related purpose, with your consent.
We collect your personal data for the purposes set out below. Failure to provide your personal data when requested may prevent us from being able to carry out these tasks and/or comply with our legal obligations.
To administer your employment contract, offer letter or other commitments we’ve made to you
We collect and use your personal data primarily for the purpose of managing our employment or working relationship with you, and to fulfill our obligations under your employment contract, or applicable Microsoft policies, including payroll, benefits administration, pension and retirement administration, tax reporting, and the like. A few examples: your employment contract, your offer letter (e.g. so we can on-board you), promotion history and performance reviews (e.g. so we can manage our employment relationship with you), and your bank account and salary details (e.g. so we can pay you or provide HR benefits).
Other overriding and legitimate business purposes
We also may collect and use your personal data when it is necessary for other legitimate purposes, such as general HR administration, our global directory of employees and external staff, general business management and operations, disclosures for auditing and reporting purposes, internal investigations, management of network and information systems security and business operations, provision and improvement of employee services, physical security and to protect the life and safety of employees and others. We may also use special applications and systems that record employee performance metrics, such as sales related or code databases for business operations purposes as well as for the purposes of reviewing, rewarding and coaching employees on their performance and for administration and assessment of training. We may also process your personal data to investigate potential violations of law or breaches of our internal policies.
Legally required purposes
We also may use your personal data when we consider it necessary for complying with laws and regulations, including collecting and disclosing personal data as required by law (e.g., for minimum wage, working time, tax, health and safety, anti-discrimination laws, global migration), under judicial authorization, or to exercise or defend the legal rights of Microsoft.
Other uses of your data (where permissible and in accordance with applicable law and consultation requirements)
We also may collect your internal usage of Microsoft products, services and internal applications and tools including business data created by employees and external staff, to measure and improve these products; use of your data for product improvement may include human and machine review of such data to train AI models and improve machine learning for Microsoft products and services. Where required by law, we will seek your consent to such uses; and where your consent is sought, we will ensure your consent is knowing, truly voluntary, and that you suffer no adverse consequence from any decision to withhold or revoke your consent.
We will only use your personal data for the purposes for which it was collected, unless we reasonably consider that we need it for another purpose that is compatible with the original purpose and there is a legal basis for the further processing. For example, you may provide personal information to Microsoft while researching job openings, but once you apply for a specific role, Microsoft may need to process your personal information based on another legal basis for processing.
Microsoft will only share your personal data with those who have a legitimate need for it. Whenever we permit a third party to access personal data, we will make sure the data is used in a manner consistent with this notice (and any applicable internal data handling guidelines consistent with the sensitivity and classification of the data). Your personal data may be shared with our subsidiaries and affiliates and other third parties, including service providers, for legitimate purposes as follows:
In order to carry out the uses of personal data described above (See section titled: Why We Process Personal Data);
To enable third parties to provide services to us. Categories of recipients of data would include financial investment service providers, insurance providers, pension administrators and other benefits providers, payroll support services, relocation, tax and travel management services, health and safety experts, and child care providers;
To comply with our legal obligations, regulations or contracts, or to respond to a court order, administrative or judicial process, such as a subpoena, government audit or search warrant. Categories of recipients would include counter-parties to contracts, judicial and governmental bodies;
In response to lawful requests by public authorities (such as national security or law enforcement);
To seek legal advice from external lawyers and advice from other professional advisers such as accountants, management consultants, etc.;
As necessary to establish, exercise or defend against potential, threatened or actual litigation (such as adverse parties in litigation);
Where necessary to protect Microsoft, your vital interests, such as safety and security, or those of another person;
In connection with the sale, assignment or other transfer of all or part of our business (such as a potential purchaser and its legal / professional advisers); or
Otherwise in accordance with your consent.
Please note that where legal requirements limit the sharing of your data, Microsoft will respect such requirements.
In some regions, you may have certain rights under applicable data protection laws (such as the European General Data Protection Regulation). Please see the Addendum to this notice for specific additional information by region / country.
Site pages may use cookies (small text files placed on your device). Cookies allow us, among other things, to store your preferences and settings; enable you to sign-in; combat fraud; and analyze how our websites and online services are performing.
We also use web beacons to help deliver cookies and gather usage and performance data. Our websites may include web beacons and cookies from third-party service providers.
You have a variety of tools to control cookies, web beacons and similar technologies, including browser controls to block and delete cookies and controls from some third-party analytics service providers to opt out of data collection through web beacons. Your browser and other choices may impact your experiences with our websites and systems.
Microsoft monitors its IT and communications systems through automated tools such as network authentication and wireless connectivity hardware and software, anti-malware software, website filtering and spam filtering software, security software for cloud-based applications, and mobile device management solutions. The primary purpose of this monitoring is to protect Microsoft, its employees, customers and business partners, for example:
We also monitor our offices, and other workplace facilities, through video monitoring like closed-circuit television (“CCTV”) and badge scans for security purposes. CCTV is primarily used at office entrance and exit points, elevator lobbies, rooms where there may be valuable equipment, such as server rooms, and in other select areas with a high risk for theft or with highly sensitive assets. CCTV is not used in private spaces such as restrooms, new mothers’ rooms or locker rooms nor is it used to monitor employee workstations for performance reasons.
You should be aware that any message, files, data, document, facsimile, audio/video, social media post or instant message communications, or any other types of information transmitted to, through or from, received or printed from, or created, stored or recorded on our IT and communications systems and assets (including via the use of personal devices accessing corporate IT systems) are presumed to be business-related and may be monitored or accessed by us in accordance with applicable law and workplace agreements (such as works council agreements), and subject to Microsoft’s own policies concerning access to and uses of such data.
Microsoft is committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorized access, use, or disclosure. For example, we store the personal data you provide on computer servers with limited access that are located in controlled facilities, and, when we transmit certain highly confidential or sensitive personal information, we protect it through the use of encryption.
Microsoft operates at the global level and therefore personal data may need to be transferred to countries outside of where it was originally collected. For example, because we are headquartered in the United States, information collected in other countries is routinely transferred to the United States for processing. When we transfer your personal data to a different country, we will ensure that this transfer complies with applicable laws and legislation. Microsoft has Model Clauses in place for the collection, use, and retention of personal data transferred from the European Union to other countries, and also complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework.
Microsoft Corporation complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Economic Area, the United Kingdom, and Switzerland to the United States. Microsoft Corporation has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If third-party agents process personal data on our behalf in a manner inconsistent with the principles of either Privacy Shield framework, we remain liable unless we prove we are not responsible for the event giving rise to the damage. The controlled U.S. subsidiaries of Microsoft Corporation, as identified in our self-certification submission and listed here, also adhere to the Privacy Shield Principles.
If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov.
If you have a question or complaint related to participation by Microsoft in the EU-U.S. or Swiss-U.S. Privacy Shield, we encourage you to contact us via our web form. For any complaints related to the Privacy Shield frameworks that Microsoft cannot resolve directly, we have chosen to cooperate with the relevant EU Data Protection Authority, or a panel established by the European data protection authorities, for resolving disputes with EU individuals, and with the Swiss Federal Data Protection and Information Commissioner (FDPIC) for resolving disputes with Swiss individuals. Please contact us if you’d like us to direct you to your data protection authority contacts. As further explained in the Privacy Shield Principles, binding arbitration is available to address residual complaints not resolved by other means. Microsoft is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Personal data will be stored according to applicable laws or regulatory requirements and kept as long as is necessary to fulfill the purposes for which the personal data was collected. Generally, this means that your personal data will be retained as documented in our corporate data retention schedule and applicable riders and supplements.
We may occasionally update this privacy notice. When we do, we will revise the "last updated" date at the top of the privacy notice. If there are material changes to this notice or in how Microsoft will use your personal data, we will use reasonable efforts to notify you either by prominently posting a notice of such changes before they take effect or by directly sending you a notification. We encourage you to periodically review this privacy statement to learn how Microsoft is protecting your personal data.
For copies of additional privacy documents mentioned in this notice, or if you have a privacy concern or question related to this notice, please contact AskHR@microsoft.com.
Our address is:
HR Privacy
Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052 USA
Telephone: (+1) 425-882-8080.
Last updated: April 2018
European Union and United Kingdom: Your Data Subject Rights
In addition to the information shared above, EU and UK employees, external staff and candidates (including individuals working in the EU and UK, or in some circumstances individuals who normally reside in the EU and UK who are working abroad) may have certain rights under applicable data protection laws (including the EU General Data Protection Regulation and local legal implementation of that Regulation), which include the rights to:
Application of the above rights may vary depending on the type of data involved, and Microsoft’s particular basis for processing the personal data.
To make a request to exercise one of the above rights, please contact AskHR@microsoft.com. We will consider and act upon any requests in accordance with applicable data protection laws. Please note that we may request specific information from you to enable us to confirm your identity and right to access, as well as to search for and provide you with the personal data that we hold about you. We may, in limited circumstances, charge you a reasonable fee to access your personal data; however, we will advise you of any fee in advance.
If we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal.
EU and UK employees, external staff and candidates (including individuals working in the EU and UK, or individuals who normally reside in the EU and UK who are working abroad) may also direct questions about how we handle personal information to the Data Protection Officer at https://aka.ms/privacyresponse.
While Microsoft hopes it can answer any questions that you may have, if you have unresolved concerns you also have the right to complain to a relevant data protection supervisory authority in the EU and UK.
Last updated: February 2020
Employees in Turkey: Privacy Notice
As for the data processing activities concerning employees, candidates and external staff in Turkey, Microsoft Bilgisayar Yazılım Hizmetleri Limited Şirketi (the “Company”) acts as the data controller, within the purposes of the Law on the Protection of Personal Data numbered 6698 (the “Law”).
In addition to the information shared above, we process personal data relating to you for the purposes of conducting contract management, audit and ethics processes. Such data may also be obtained by means of e-mail, telephone, web services, courier/post, physical and online forms, as well as photographs and video recordings during events and organizations, in both physical and electronic environments.
Personal data are processed on the following legal grounds: being envisaged under the laws, compliance with legal obligations, being necessary for the establishment, exercise and protection of a right, conclusion and performance of an agreement, legitimate interests of the Company, and if provided, your explicit consent, as specified within the scope of the Law.
As data subjects, you are entitled to the rights, set forth under Article 11 of the Law. In accordance with the Communiqué on Principles and Procedures for Applications to Data Controllers, and to be concluded within 30 days, you may convey your requests concerning your rights under Article 11 of the Law, by the following means:
Last updated: February 2020
This addendum applies to Learning and Skills Data that Microsoft processes about Employees and External Staff for various purposes, subject to compliance with local law, its own internal policies, compliance with third-party terms of use (e.g., where skills data or training is provided by third parties), and applicable third-party contractual requirements.
Learning and Skills Data is information about your professional development activities, such as training and achievements, skills, and related interests. Sources of Learning and Training Data include information about your:
Interactions with Microsoft Learning websites, such as Microsoft Learn or LinkedIn Learning, when you authenticate with your Microsoft employee account.
Internal Microsoft trainings, courses or other offerings delivered by Microsoft, that you may take to develop job, work, role or career-related skills. These offerings may be optional, encouraged, expected or even required; may be provided live, online or via audio and video recordings; and may be targeted broadly or scoped to your business, role or function. Examples include: Microsoft’s Standards of Business Conduct Training, offerings for Microsoft employees only on LinkedIn Learning, and trainings offered via company-wide, divisional or team learning portals.
Third-party trainings or courses offered by Microsoft, or linked to your Microsoft employee account, or that you choose to share with Microsoft. Unlike the internal trainings above, these trainings are delivered by third parties, not Microsoft, or are offered through services such as LinkedIn or LinkedIn Learning. These trainings may be provided via external websites, off-site courses, or delivered (even internally) by third-party resources. Like internal trainings, these trainings may be targeted broadly or scoped to your business, role or function. These offerings may be available via commercial or consumer-facing websites. Examples include: offerings on LinkedIn Learning, or courses offered by third parties like Dale Carnegie or others.
Certifications and achievements, such as Microsoft and third-party certifications you earn and choose to share. Some jobs, roles or functions may require specific certifications. Where that is the case, you will receive prior notice of such requirements. If certifications are required you may be required to share information about your successful completion of these certifications.
Skills you identify or that can otherwise be inferred from your learning or professional activities.
Participation in Microsoft events, such as Ready, Build, and hackathons.
Growth interests, such as the experiences or skills you indicate that you’d like to build for your growth and development in Connects or other contexts, or the content or material you explore related to professional development, career planning, skill building, and other learning opportunities.
Role-based development, such as hands-on or experiential activities you do to gain competence in your role.
Microsoft may process various kinds of data from the above sources including (but not limited to):
Contact Information and Demographic Data, including, for example, your name, contact information, job title, job level, profession, etc.;
Attendance, performance, and completion data;
Feedback about the particular event, course, training or offering;
Analytics about your interactions with a training or learning website or service;
Data about your skills that you provide or is observed;
Photos, videos or recordings (video and audio) of the training activity or event.
Microsoft also collects Learning and Skills Data in various contexts. For example, Microsoft collects Learning and Skills Data when you:
Provide it, for example by sharing your professional development goals with your manager in your Connect, joining a Microsoft internal distribution list or group affiliated with a certification or professional skill, or updating your profile by adding badges designating professional achievements;
Authorize a third party to provide it, such as when you direct an educational or professional organization to share your professional achievements with Microsoft;
Register and participate in Microsoft learning activities, such as attending Ready, Build or a hackathon.
Use learning services available only to Microsoft employees and/or external staff, such as when you view professional development content or interact with learning modules; and
Use learning services authenticated with your Microsoft employee account, such as Microsoft Learn or LinkedIn Learning (subject to applicable terms of use for the hosting website and any contractual obligations Microsoft has undertaken for access to such data).
Microsoft uses Learning and Skills Data for the varied purposes set out below, which may involve automatic processing of the Learning and Skills Data using machine learning and artificial intelligence applications, such as natural language processing.
To manage our employment or working relationship with you – including your career development opportunities
We process Learning and Skills Data for the purpose of managing our employment or working relationship with you, including fulfilling our obligations and commitments to you. Failure to provide your Learning and Skills Data when requested may prevent us from being able to carry out these tasks and/or comply with our legal obligations. For example, Microsoft uses Learning and Skills Data to:
verify you have completed training activities required in your role or by applicable law;
facilitate, at your direction, professional development and career planning;
review, reward, and enhance employee performance and career development;
identify career and growth opportunities for employees;
determine appropriate resources for a particular customer opportunity or support scenario;
assess employee potential for growth;
validate you have attended training paid for or reimbursed by Microsoft; and
assist you in identifying content or materials that may be aligned with your growth interests.
To provide and improve our products and services
We process Learning and Skills Data to provide our products and services. For example, when you register for Microsoft training or certification exams, we use your Learning and Skills Data to determine if you’ve completed the training and, if appropriate, meet certification benchmarks.
We process Learning and Skills Data for the purpose of improving our products and services. For example, we may:
Analyze pseudonymized Learning and Skills Data to determine which learning activities are most popular among new employees or employees with certain titles;
Combine Learning and Skills Data with other business intelligence data to identify and evaluate, on an aggregated basis, the effectiveness of learning products and services. For example, we may query whether certain learning activities increase customer satisfaction levels, improve employee safety, reduce security incidents, or have impact on career development opportunities or employee performance; or
Use feedback from learning activities to improve our products and services. For example, we may receive insights about ways to improve Azure when analyzing aggregated results of Azure certification exams or reviewing feedback received after a training event.
Other lawful purposes
We process Learning Data for other lawful purposes, such as when:
Necessary for other legitimate purposes, such as running our business, conducting business intelligence, disclosing for auditing and reporting purposes, managing our network and information systems security, and providing and improving employee services.
We suspect or discover violations of law or breaches of our internal policies.
Permissible, with your lawfully obtained consent.
We consider it necessary for complying with laws and regulations, including collecting and disclosing personal data as required by law (e.g., for minimum wage, working time, tax, health and safety, anti-discrimination laws, global migration), under judicial authorization, or to exercise or defend the legal rights of Microsoft.
Last updated: February 2020
This addendum applies to the Microsoft Data Program (MDP) and the business-related data processed by MDP for purposes of debugging, testing, developing, and improving new and existing products and services (“MDP Data”). MDP data may be used to train AI and machine learning models. MDP and the terms of this addendum apply to Microsoft employees only. Data for external staff and candidates is specifically excluded from the scope of MDP. More information about the specific terms and scope of MDP can be found at the Learn More page. Employees may opt out to limit their participation in the program at any time, without adverse consequence, at http://aka.ms/MDPOptOut.
In particular, MDP is aimed primarily at the processing of data or information that is transmitted, created, exchanged or stored by Microsoft employees using Microsoft internal systems, software, services, and assets within the scope of their employment. While controls have been developed to limit the scope of MDP to processing Microsoft business-related data (as described further at the Learn More page), MDP may incidentally process certain personal content for employees that is created, stored or transmitted in Microsoft owned or provided systems and resources. At all times, MDP’s processing of data will comply with the stated requirements for MDP, as well as Microsoft’s internal policies (including the Responsible Use of Technology Policy) and local law.
Example sources of MDP data may include, but are not limited to, emails and calendar information in Exchange, files stored in OneDrive for Business, content of meeting recordings, voice collected on work devices, messages in Yammer and Teams, content on SharePoint sites, diagnostic data from work devices, search data, product and services feedback data, and internal line of business applications such as those applications developed to support sales processes (e.g., MSX). These are representative and non-exhaustive examples of the types of Microsoft business-related data from which MDP may process data. Up-to-date information concerning MDP can be found at the Learn More page.
In addition to content-related data from the above sources, Microsoft may also process various additional kinds of data from the above sources in support of MDP including (but not limited to):
Basic Demographic Data, including, for example, your name and alias, IP address, etc.;
Meta-data associated with the applicable content, such as time and date information, signals related to authorship and modification of data, document and meeting titles, etc.; and
Telemetry data, such as data related to product and feature usage, associated with the above content types and services, or machine-related data such as software version history, machine type, operating system version, etc.
Microsoft’s use of MDP data is premised on Microsoft’s legitimate interest in using its own business data for business-related purposes, as that use strongly exceeds our employees’ individual interest in the privacy of such business-related data. Microsoft may process certain MDP data based on employee consent, to the extent: (1) an individual’s privacy interest would exceed Microsoft’s interest in the processing; and (2) local law requires Microsoft to obtain consent prior to such processing. Where consent constitutes the primary basis for processing data under MDP, Microsoft will in all cases ensure consent is voluntary and fully informed, and will also ensure employees suffer no adverse consequence as a result of their refusal to give or later revoke such consent.