Austrian DPA finds Microsoft 365 Education in breach of GDPR

The Austrian Data Protection Authority (DPA) has found Microsoft 365 Education in violation of several EU General Data Protection Regulation (GDPR) provisions following a complaint concerning a student's data subject access request (SAR). The DPA found that Microsoft 365 Education illegally used tracking cookies without user consent and ordered the deletion of the relevant personal data. It also ruled that Microsoft violated the right to access under Article 15 by failing to provide the complainant with a full copy of their data.

The decision mandates that Microsoft must now respond to the SAR and clearly explain its use of student data for "business purposes" such as "business modelling" and whether it transmitted personal data to entities like LinkedIn, OpenAI or Xandr. The DPA also stressed that Microsoft has not provided the Ministry of Education with enough information on data processing, making it almost impossible for local schools to comply with their own transparency obligations under Articles 13 and 14 of the GDPR.

Crucially, the DPA rejected Microsoft's argument that its Irish subsidiary was the responsible entity, holding that the ultimate decisions rest with Microsoft US. NOYB claims this decision has potentially far-reaching implications, as millions of students and corporate users across Europe rely on Microsoft 365. NOYB argues that the lack of clarity and control provided by Microsoft may render commercial use non-compliant with EU law.

(Translate to English: Google Chrome, Mozilla Firefox, Microsoft Edge, or Apple Safari) 

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.