Supplier Privacy & Assurance Standards (SSPA)

Microsoft’s DPR sets out the following requirements in ten domains.

Management:

• Each applicable agreement between Microsoft and the supplier contains privacy and security data protection language with respect to Microsoft Confidential and Personal Data.
• Assign responsibility and accountability for compliance with the DPR to a designated person or group within the company.
• Establish, maintain, and perform annual privacy and security training for employees that will have access to Personal Data processed by supplier in connection with Performance or Microsoft Confidential Data.
• Process Microsoft Personal Data only in accordance with Microsoft's documented instructions.

Notice:

• The supplier must use the Microsoft Privacy Statement when collecting Personal Data on Microsoft’s behalf, and the privacy notice must be obvious and available to Data Subjects to help them decide whether to submit their Personal Data to the supplier.
• When collecting Microsoft Personal Data via a live or recorded voice call, supplier must be prepared to discuss the applicable data collection, handling, use, and retention practices with Data Subjects

Choice and Consent:

• Where supplier relies upon consent as its legal basis for Processing data, the supplier must obtain and record a Data Subject’s consent for all of its Processing activities prior to collecting that Data Subject’s Personal Data
• Provide Data Subjects with transparent notice and choice regarding the use of cookies

Collection:

• Monitor the collection of Microsoft Personal and/or Confidential Data to ensure that the only data collected is that required to Perform.
• If the supplier collects Personal Data from third parties on behalf of Microsoft, the supplier must validate that the third-party data protection policies and practices are consistent with the supplier’s contract with Microsoft and the DPR.
• Document the necessity of collecting Microsoft Personal Data in a contract BEFORE collecting Microsoft Personal Data through the installation or utilization of executable software on a Data Subject’s device.
• Document the necessity of collecting Sensitive Microsoft Personal Data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation) in a contract BEFORE collecting that data

Retention:

• Ensure that Microsoft Personal and Confidential Data is retained for no longer than necessary to Perform unless continued retention of the Microsoft Personal and/or Confidential Data is required by Law.
• Ensure that, at Microsoft’s sole discretion, Microsoft Personal and Confidential Data in the supplier’s possession or under its control is returned to Microsoft or destroyed upon completion of Performance or upon Microsoft’s request.

Data Subjects:

• Microsoft dictates a set of requirements each supplier must fulfill when a Data Subject seeks to exercise their rights under the Law in respect of their Microsoft Personal Data.

Disclosure to Third Parties:

• This section outlines a set of requirements suppliers must fulfill if the supplier intends to use a subcontractor to Process Microsoft Personal Data or Confidential Data.

Quality:

• The supplier must maintain the integrity of all Microsoft Personal Data, ensuring it remains accurate, complete and relevant for the stated purposes for which it was Processed.

Monitoring and Enforcement:

• Microsoft requires each supplier to have an incident response plan that requires Supplier to notify Microsoft without undue delay upon becoming aware of a Data Breach or security vulnerability related to the supplier’s handling of Microsoft’s Personal or Confidential Data.
• Not issue any press release or any other public notice that relates to a Data Breach involving Microsoft Personal or Confidential Data without getting Microsoft approval, unless expressed by Law.
• Implement a remediation plan and monitor the resolution of Data Breaches and vulnerabilities related to Microsoft Personal or Confidential Data to ensure that appropriate corrective action is taken on a timely basis.

Security:

• The supplier must establish, implement, and maintain an information security program that includes policies and procedures, to protect and keep secure Microsoft Personal and Confidential Data in accordance with good industry practice and as required by Law.
• The supplier’s security program must meet a certain standard set by Microsoft.

For more details on the requirements, download the DPR from Microsoft’s site.