[jchb]

Under the GDPR, that Microsoft Data Protection Officer will have 30 days to respond to you. If they don't respond, you can complain to the supervisory authority (in the case of UK that is https://ico.org.uk/make-a-complaint/).

Now, Microsoft does not necessarily have to tell you exactly what of your data was leaked. They probably do not know! In this case, they may just respond to your request with all of the personal data they hold.

The law just says that they have to notify you of the "nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects".

[pbhjpbhj]

Do you think the ICO will do anything? Usually their answer seems to be "well we told the company about your case, and they said they wouldn't do it again, so everything is fine now; you're welcome!".