TL;DR
Skype, a Microsoft-owned communication tool, offers a range of features from video calls to instant messaging. While Microsoft implements robust security and compliance measures, Skype’s GDPR compliance depends on how it's used, especially by businesses.
GDPR Status
Skype, under Microsoft’s cloud services umbrella, can be GDPR compliant, provided it’s used within the appropriate legal and technical frameworks. Microsoft offers GDPR-compliant terms, including a Data Protection Addendum (DPA), and adheres to the EU–U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) for international data transfers.
Key GDPR Compliance Features in Skype
- Data Processing Agreements (DPAs): Microsoft provides a comprehensive DPA covering Skype, which outlines how customer data is handled, processed, and protected. This DPA supports organizations needing to fulfill Article 28 GDPR obligations when using Skype for business purposes.
- International Data Transfers: Microsoft uses Standard Contractual Clauses (SCCs) and participates in the EU–U.S. Data Privacy Framework to legitimize international transfers of personal data. These frameworks help ensure Skype users in the EU have their data protected even when stored or processed outside the EEA.
- Security & Encryption: Skype uses industry-standard encryption for data in transit and at rest. However:
  - Only Private Conversations in Skype are end-to-end encrypted, using the Signal Protocol.
  - Regular calls and messages are encrypted but can technically be accessed by Microsoft if required (e.g., for legal requests).
  Organizations needing strong encryption for all communications should evaluate whether Skype meets their risk and compliance thresholds.
- Data Subject Rights Support: Microsoft enables Data Subject Access Requests (DSARs) through its compliance tools, allowing businesses to respond to user rights under GDPR, such as:
  - Access and correction of personal data
  - Deletion and portability requests
- Subprocessor Transparency: Microsoft maintains a detailed list of subprocessors, including those supporting Skype services. They notify users of changes, aligning with GDPR’s transparency principles.
- Audit Logs and Compliance Center: For enterprise users, Microsoft provides tools through the Microsoft 365 Compliance Center to track usage, data access, and potential compliance issues. While not Skype-specific, these tools assist businesses using Skype within the Microsoft ecosystem.
Who Should Care About Skype’s GDPR Compliance?
- EU/EEA Businesses: If your company uses Skype to communicate with EU residents or employees, you are responsible for ensuring GDPR compliance. Microsoft provides the tools, but you must implement them correctly.
- IT & Legal Teams: Responsible for:
  - Reviewing Microsoft’s DPA and SCCs
  - Managing user consent where required
  - Enabling features like Private Conversations for sensitive communications
- Healthcare, Education & Customer Support: If using Skype for processing sensitive or special category data (e.g., health or education records), extra caution is required. Skype may not meet GDPR standards for high-risk processing unless configured properly.
Potential Limitations for GDPR-Conscious Users
- Lack of Default End-to-End Encryption: Not all communications are fully secure by GDPR’s “state-of-the-art” encryption standards.
- Data Retention Policies: Users must understand how long Skype stores messages and call data and configure deletion settings where possible.
- Data Access: Microsoft retains the ability to access Skype data under lawful orders, which may be a concern for highly sensitive environments.
Summary
Yes, Skype can be GDPR compliant, but only when implemented and configured properly. Microsoft, as the data processor, provides necessary safeguards, including:
- A signed Data Processing Agreement
- Participation in EU–U.S. Data Privacy Framework
- Use of Standard Contractual Clauses
- Tools for encryption and DSAR compliance
However, the data controller (you) must ensure that:
- Sensitive communications use Private Conversations
- Users are informed about data processing practices
- Proper consent mechanisms and access controls are in place
Final Thoughts
Skype remains a reliable and widely used communication platform. For individuals, GDPR compliance concerns are minimal, but businesses and regulated industries must take additional steps. Microsoft supports compliance, but the responsibility is shared:
