Azure data protection: Notes on meeting GDPR Requirements

  • ISO 27001/27701: Covers information security and privacy management, including GDPR requirements.

  • Azure GDPR Blueprint: Offers preconfigured policies and architectures for GDPR alignment (e.g., data subject request workflows).

Data residency & control

  • EU Data Boundaries: Services like Azure SQL Database and Blob Storage allow EU-only data residency.

  • Encryption: Azure Key Vault for customer-managed keys; Azure Disk Encryption for VMs.

  • Access Controls: Azure AD Conditional Access enforces MFA and adaptive policies based on user risk.

Subprocessor transparency

  • Lists subprocessors by service and region, including Microsoft subsidiaries and third parties.

  • DPAs include SCCs for non-EEA transfers.

Breach notification & tools

  • Azure Security Center: Monitors threats and triggers alerts for potential breaches.

  • Microsoft Compliance Manager: Tracks GDPR compliance progress with actionable insights.

Data location

  • Regional Services: Most services (e.g., Azure VMs, Blob Storage) allow customers to select a Region (e.g., Germany West Central). Data remains within the chosen Geo (group of Regions) unless replicated for resilience.

  • Exceptions: Some services (e.g., Azure CDN, Microsoft Entra ID) operate globally and may store metadata outside selected Geos.

Jurisdiction

  • GDPR Compliance: Azure’s Data Processing Terms align with GDPR. Subprocessors are listed publicly and bound by SCCs.

  • Sovereign Clouds: Azure offers isolated environments for regulated sectors (e.g., Azure China operated by 21Vianet, Azure Government for U.S. public sector).

How to verify

  • Azure Portal: Check resource deployment locations under “Properties.”

  • Microsoft Compliance Manager: Track data residency compliance and subprocessor details.

Detailed documentation


Last update: 2025-06-07 06:04