Microsoft Forms is GDPR compliant

This post has been republished via RSS; it originally appeared at: Microsoft Forms Blog articles.

Microsoft is committed to helping business customers comply with the General Data Protection Regulation (GDPR), which has been in effect since May 25, 2018. Microsoft Forms, part of the Office 365 Family, is GDPR-compliant. Our goal is to help global business customers manage compliance and avoid risk.


Microsoft Forms allows users to quickly and easily create custom quizzes, surveys, questionnaires, registration forms, and more. The content in these forms, as well as end user information, remains in the direct control of administrators and end users. Microsoft processes data on behalf of customers to provide the requested service as set forth in our Online Services Terms. Administrators can set policies that control this information independently of the user account lifecycle for which Microsoft Forms is associated.




Where data is stored for Microsoft Forms?

Microsoft Forms data is stored on servers in the United States, with the exception of data for European-based tenants. The data for European-based tenants is stored on servers in Europe.


Turn on/off Microsoft Forms

Office 365 IT Administrators can turn off Microsoft Forms in the Office 365 Admin Center, under the User Management tab. See set up Microsoft Forms and turn off or turn on Microsoft Forms for more details. Product and service usage data can be managed in the Admin Center, as it follows a controlled lifecycle designed to comply with GDPR data subject requests.


The original owner of a form is no longer with my organization and/or their Microsoft Forms license has been removed. What happens to the data that is associated with the form they created?

Currently, there is no limit for the number of users for which data is retained, as long as the provisioning of their accounts is within your organization's online service agreement. There is also no limit for the amount of data stored for user accounts. All Forms customer content data, as well as account-related data, however, will be deleted 30 days after a user account is closed.


How do I use the in-app functionality in Microsoft Forms to find, access, export, and delete personal data?

Currently, Content Search doesn’t have the ability to find data authored in Forms. To find data generated by these applications, you or the data owner must use in-product functionality or features to find data that may be relevant to a DSR. Product and service usage data follows a controlled lifecycle designed to comply with GDPR data subject requests. Learn more.


For more information about GDPR and how Office 365 is helping to protect your date, please visit the following site:


Organizational Privacy Statement Now Can Be Surfaced with Microsoft Forms

EU GDPR law and polices

GDPR Compliance Center

Data protection impact assessments

Data Subject Request


Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.