Respond to personal data requests (Microsoft Entra ID)
The European Union (EU) General Data Protection Regulation (GDPR) gives significant rights to individuals regarding their data. Refer to the Microsoft Learn General Data Protection Regulation Summary for an overview of GDPR, including terminology, an action plan, and readiness checklists to help you meet your obligations under GDPR when using Microsoft products and services.
You can learn more about GDPR and how Microsoft helps support it and our customers who are affected by it:
- The Microsoft Trust Center provides general information, compliance best practices, and documentation helpful to GDPR accountability, such as Data Protection Impact Assessments, Data Subject Requests, and data breach notification.
- The Service Trust portal provides information about how Microsoft services help support compliance with GDPR.
Power Automate provides tools and resources to help you respond to requests to correct, export, or delete personal data that resides in the Microsoft cloud. This article helps you respond to requests from users who authenticate using Microsoft Entra ID. A separate article covers how to respond to requests from users who authenticate using a Microsoft account.
Prerequisites
- A paid or trial license for Power Apps Plan 2
- The Microsoft 365 Global Administrator or Microsoft Entra Global Administrator role
If you're a member of an unmanaged tenant and don't have a global administrator, you can export and remove your own personal data. You must have a Microsoft Entra account with a Power Automate license.
Respond to requests for Power Automate customer data
Requests from data subjects require one or more of the following actions, depending on the request:
- Discover: Use search and discovery tools to find the user's personal data, including accounts and system-generated logs. Determine whether the request meets your organization's guidelines for responding to personal data requests.
- Access: Retrieve personal data that resides in the Microsoft cloud.
- Correct: Make changes to personal data as requested, if appropriate.
  As a data processor, Microsoft doesn't offer the ability to edit system-generated logs. These logs reflect factual activities and constitute a history of all events within a service. Learn more about system-generated logs in Power Automate.
- Restrict: Restrict the processing of personal data, either by removing licenses for various services or turning off the services where possible. You can also remove data from the Microsoft cloud and retain it on-premises or at another location.
- Delete: Permanently remove personal data that resides in Microsoft's cloud.
- Export: Provide an electronic copy of personal data in a machine-readable format to the data subject.