The Dutch government has commissioned a general data protection impact assessment on the processing of data about the use of the Microsoft Office software. The purpose of this DPIA is to help the individual government organisations map and assess the data protection risks for data subjects caused by this data processing, and to ensure adequate safeguards to prevent or at least mitigate these risks. This report provides a snapshot of the current risks. As Microsoft will provide more information, and more research can be done to inspect the diagnostic data, new versions of this DPIA will be drafted.

https://regmedia.co.uk/2018/11/16/microsoft-office-gdpr-fail.pdf