“Why is Microsoft the data controller with respect to Bing Ads?

Microsoft determines the purposes and means of processing personal information collected directly from Bing users.  For example, Microsoft determines the means by which we collect search queries from users (e.g., user search queries entered on the Bing homepage) and the purpose behind collecting that data (e.g., to provide a search result and, if applicable, relevant ad). As such, Microsoft is the controller of user personal data used to target Bing Ads, including through its Universal Event Tracking (UET) feature.

UET enables Microsoft to collect user information directly from users visiting advertiser webpages. Microsoft provides advertisers with a UET tag which is then placed on the advertiser’s site. This tag collects information from Bing users so that Bing can retarget and track conversions.  Microsoft also uses that data more broadly to improve Bing Ads and related services.  Advertisers do not have access to the data Bing collects via the tag unless Microsoft provides it, although advertisers may collect the same data independently of UET. Although the advertiser places the UET tag on its website, Microsoft is not processing the data collected through the tag on the advertiser’s behalf.

For general information about Microsoft’s privacy practices, please see our Privacy Statement. User controls for interest-based ads are available on Microsoft’s privacy dashboard.

What data does Bing UET collect?

For the specific data elements collected by UET, see FAQ: Universal Event Tracking. Bing Ads retains this data for 180 days. UET will also collect the user’s IP address, which is encrypted by Bing Ads, and will set the Microsoft cookie, which has an expiration date of 13 months. This cookie contains a GUID assigned to the user’s browser and/or an ID assigned to a user who has been authenticated through their Microsoft account. In general, the cookie in the relevant domain and IP address are always passed with every http request and not just via UET.

Bing Ads does not sell this data to third parties or share it with other advertisers.

How does Microsoft secure user data?

Microsoft uses a variety of security technologies and procedures to help protect personal data from unauthorized access, use or disclosure. Bing Ads follows industry standards as an MRC (Media Ratings Council)-accredited platform and through its annual participation in a Payment Card Industry Data Security Standards (PCI DSS) audit.

Microsoft does not disclose details about its internal data practices.

Where does Microsoft store Bing Ads data? Is it transferred out of the EU?

Although GDPR does not prohibit the transfer of personal data outside of the EU, it does require that organizations that move data outside of Europe have a lawful basis and use “appropriate safeguards” to do so. Microsoft uses Model Clauses (standard contract terms) and has signed on to the EU-US Privacy Shield, which are both recognized as “appropriate safeguards.” Customers can find Microsoft’s certification to the Privacy Shield here.

Microsoft maintains major data centers in the Australia, Austria, Brazil, Canada, Finland, France, Germany, Hong Kong, India, Ireland, Japan, Korea, Malaysia, the Netherlands, Singapore, the United Kingdom, and the United States. Typically, the primary storage location is in the customer’s region or in the United States, often with a backup to a data center in another region. The storage location(s) are chosen to operate efficiently, to improve performance, and to create redundancies to protect the data in the event of an outage or other problem. Microsoft takes steps to ensure that the data collected under its Privacy Statement is processed according to the provisions of the statement and the requirements of applicable law wherever the data is located.

Please note that these responses should not be construed as an admission that Microsoft is a processor of UET or other Bing Ads data, nor is this an amendment to existing contractual commitments in place.  This information should not be construed as legal advice.  If you have questions on GDPR generally, including on how to comply with GDPR, please consult a legal professional.”