German data protection expert states that (translation is mine and donr freely):

"I haven't seen a single case where MS365 was used in a way that fulfilled data protection requirements. Not a single one. Whoever claims they do should prove it. Not by legal boilerplate texts, but by measurable technical implementation detail. Measurable and accountable, not based on legal semantics."

Based on questions I regularly ask of our IT department, which are answered by legal quotes from MS marketing materials, I'd be interested if anybody had such proof (or proof to the opposite).

@kuketzblog, I hope you don't mind me taking this and translating it for wider reach in my bubble...