- Cloud Privacy Service for Microsoft 365
- Encryption of all content data saved with Microsoft 365 in the background
- Effective data protection in the public cloud in accordance with the Schrems II judgment
More data protection in the public cloud: T-Systems encrypts all content data and content meta data saved in Microsoft 365 and pseudonymizes the user’s information on its way to the cloud. This allows Microsoft public cloud users to take advantage of the benefits offered by a cloud infrastructure while at the same time fulfilling the highest requirements stated in the General Data Protection Regulation (GDPR), including for personal data. Once it’s been set up, the Cloud Privacy Service will run unnoticed in the background. Thanks to encrypted storage, it is not possible for unauthorized third-parties to gain access to the data.
The Cloud Privacy Service encrypts and decrypts all data between the user and Microsoft’s servers. Only encrypted data is saved there. Despite this, Microsoft 365 can still function fully – this includes the full-text search and collaboration on documents. The user doesn’t notice the encryption at all. All they need is internet access. The solution employs highly-secure cryptographic keys with a key length of 256-bit (AES 256) in accordance with the Advanced Encryption Standard. T-Systems operates the Cloud Privacy Service from its own data center in Germany. The solution was developed in cooperation with Germany-based eperi GmbH, who specialize in data security, and builds on their gateway technology.
The Cloud Privacy Service offer is aimed at companies with 250 or more employees. The costs comprise a one-time set-up charge in the amount of 4,999 euros (net) and a monthly charge per employee. The rates for this start at 1.99 euros (net).
Data protection authorities audit companies
With the Schrems II judgement, the European Court of Justice (ECJ) determined that U.S. cloud services could no longer be operated in compliance with the General Data Protection Regulation (GDPR) based on the “Privacy Shield”, even if the servers were located in Europe. The standard contractual clauses are still generally permissible, although they alone are often not sufficient for protecting personal data. Data protection authorities in Germany have been spot-checking the implementation of the ECJ’s Schrems II judgment in companies by means of a questionnaire since June 2021.