DPC Finds Microsoft Ireland Operations Limited Infringed GDPR Articles 12(4) and 5(1)(a)
Summary
On 1 September 2025, the DPC adopted a decision finding Microsoft Ireland Operations Limited infringed Article 12(4) of the GDPR by failing to inform a complainant of their right to lodge a complaint with a supervisory authority and seek judicial remedy following an access request. The DPC also found Microsoft infringed Article 5(1)(a) (lawfulness, fairness and transparency) in its handling of the access request and decision to delete the complainant's data. The DPC issued a reprimand pursuant to Article 58(2)(b) and ordered Microsoft to revise its policies and procedures regarding data retention for terminated accounts, permanent deletion circumstances, and appeals processes.
“The DPC finds that Microsoft infringed Article 12(4) of the GDPR in respect of the access request when it failed to inform the complainant of the possibility to lodge a complaint with a supervisory authority and to seek a judicial remedy following the complainant's access request.”
Data controllers handling access requests should ensure they inform data subjects of their right to lodge complaints with supervisory authorities and seek judicial remedies, as required by Article 12(4). Controllers terminating user accounts should review their data retention and deletion policies to ensure compliance with the lawfulness and transparency principles under Article 5(1)(a).
About this source
GovPing monitors Ireland DPC Decisions for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 3 changes logged to date.
What changed
The DPC found Microsoft Ireland Operations Limited infringed Article 12(4) of the GDPR by failing to inform a complainant of their right to lodge a complaint with a supervisory authority and seek judicial remedy following an access request made on 17 August 2020. The DPC also found Microsoft infringed Article 5(1)(a) (lawfulness, fairness and transparency principle) in its handling of the access request and in its decision to delete the complainant's personal data from their OneDrive account.
The DPC issued a reprimand pursuant to Article 58(2)(b) and ordered Microsoft to revise its policies and procedures so that data retention policies for terminated accounts are clarified, circumstances for permanent deletion are outlined, and appeals processes are made available to account holders. Data controllers handling access requests should ensure responses include information about complaint rights and judicial remedies, and review policies around account termination and data deletion to ensure compliance with GDPR transparency and lawfulness principles.
What to do next
- A reprimand to Microsoft Ireland Operations Limited pursuant to Article 58(2)(b) of the GDPR in light of the infringements found.
- An order for Microsoft to revise its policies and procedures so that the data retention policies for data associated with accounts terminated by Microsoft for violations of the Microsoft Services Agreement are clarified in its user-facing policies, the circumstances when Microsoft permanently deletes such data are clarified and the appeals processes available to the account holder where Microsoft has terminated the service for an alleged infringement of the Terms of Service are outlined.
Archived snapshot
Apr 23, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Inquiry into Microsoft Ireland Operations Limited – September 2025
Date of decision: 1 September 2025
On 1 September 2025, following an inquiry concerning a complaint received against Microsoft Ireland Operations Limited (Microsoft), the Data Protection Commission (DPC) adopted a decision.
The DPC commenced this inquiry on 16 May 2023, on foot of a complaint that Microsoft failed to comply with an access request submitted by the complainant in August 2020.
The scope of the inquiry concerned an examination and assessment of the following:
Whether the Controller complied with Article 12(4) of the GDPR after the Complainant made an access request on 17 August 2020;
Whether the Controller’s reliance on Article 15(4) to withhold all of the Complainant’s data was justified; and
Whether the Controller was in compliance with Article 5(1)(a) in deleting the Complainant’s personal data (i.e. any personal data contained in the relevant OneDrive account).
As the processing under examination constituted 'cross border' processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion.
The DPC received one relevant and reasoned objection to the draft decision from the supervisory authorities concerned within the statutory period and therefore issued a revised draft decision. As the DPC did not receive any relevant and reasoned objections to the revised draft decision, the supervisory authorities concerned were deemed to be in agreement with the revised draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR.
The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. The decision, which was adopted on 1 September 2025, records findings of infringement as follows:
Article 12(4) of the GDPR
The DPC finds that Microsoft infringed Article 12(4) of the GDPR in respect of the access request when it failed to inform the complainant of the possibility to lodge a complaint with a supervisory authority and to seek a judicial remedy following the complainant’s access request.Article 5(1)(a) of the GDPR
The DPC finds that, the specific circumstances of the complaint, Microsoft infringed the lawfulness, fairness and transparency principle under Article 5(1)(a) of the GDPR in its handling of the access request and in its decision to delete the complainant’s data.
Corrective Powers Exercised:
- A reprimand to Microsoft Ireland Operations Limited pursuant to Article 58(2)(b) of the GDPR in light of the infringements found.
- In light of the infringement of Article 5(1)(a) of the GDPR, and in accordance with Article 58(2)(d) of the GDPR, an order for Microsoft to revise its policies and procedures so that
- the data retention policies for data associated with accounts terminated by Microsoft for violations of the Microsoft Services Agreement are clarified in its user-facing policies;
- the circumstances when Microsoft permanently deletes such data are clarified and;
- the appeals processes available to the account holder where Microsoft has terminated the service for an alleged infringement of the Terms of Service are outlined. The full decision can be downloaded at this link: Inquiry into Microsoft Ireland Operations Limited – September 2025 (10MB, PDF)
Named provisions
Related changes
Get daily alerts for Ireland DPC Decisions
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
Source
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from DPC.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when Ireland DPC Decisions publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.