Data Residency
As a CSP in the Caribbean and Latam (https://docs.microsoft.com/en-us/partner-center/regional-authorization-overview), we have a customer who has GDPR concerns and does not want their data residing in the USA.
The customer is using Exchange Online Plan 1. We have specified the location of the customer; however, we would like to understand if it is possible to change the data-at-rest location from the US to Canada?
Or is it that once we sold within our specified region, we are unable to change the data location (at rest) from the USA?
Thanks
- Labels: Cloud Platform
@SAS When you set up the customer tenant, the country entered for the customer location will determine where data of the various services used in this tenant will be stored. It does not depend on the Partner location, only the end customer location is important. However, when you are a Partner in LATAM you can only act as CSP Partner for customers in the same region, and so none of your customer tenants can have a location in the EU to ensure data residency of data-at-rest in the EU, unless you register as CSP also in the Europe region and serve those customers from there.
See here for info where data is located depending on the customer country: Microsoft Privacy - Where is Your Data Located
Note that once the tenant of the customer has been set up, the country cannot be changed. Also, there is a configuration option for each user to set a country, but this should not be confused with data location settings.
E.g. a customer tenant created in France could have users with location set to Australia - but still the user data of this tenant would be in France/Europe, the user setting is just for regional settings for this user.
Finally, even if you would set up a customer tenant in a European country, this does not resolve any concerns reg. data transfer to the US automatically; this requires some further discussion. Microsoft adheres to GDPR principles and offers contractual commitment to GDPR to all customers worldwide (see licensing terms/Online Services DPA - http://www.aka.ms/DPA ). But also when the tenant is set up in Europe and data-at-rest is stored in Europe, some data might still flow across borders (again, detailed in the Online Services DPA at http://www.aka.ms/DPA ) - e.g. telemetry, metadata about the accounts, support contact information, and not all services are hosted in Europe. This happens in accordance with GDPR rules of course, since GDPR does not prohibit data transfers generally, but this also means that there needs to be a discussion with the customer about how "their data" is exactly defined, what their exact concerns are, etc.
Note also that there are plans to make it possible to restrict data transfers for EU customers even more: Answering Europe’s Call: Storing and Processing EU Data in the EU - EU Policy Blog (microsoft.com) This is not needed for GDPR compliance per se, but may ease some discussions about this topic in the future.
Receive consultations via Technical Presales and Deployment Services team
Hi @SAS! Great reply from @JanoschUlmer, who knows this topic well!
I just want to add that switching to Canada from the USA will not make any difference from a GDPR perspective. The European Union sees both these countries as a 'Third Country' and that's where the problems occur. Anything outside the EU (European Union), the EEA (European Economic Area) or the United Kingdom is a 'Third Country'.
Regards, Per
I am not 100% sure! But the region used for storage is based on the region selected for the account the subscription is applied on.
Update:
This article might provide some insight https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-multi-geo?view=o365-worldwide
